Snort mailing list archives
Re: http rule is not always triggering
From: JJ Cummings <cummingsj () gmail com>
Date: Tue, 16 Feb 2010 09:27:55 -0700
If you look at this rule and read it, specifically its directionality, you will note that it is intended to detect / prevent the string in question against your servers (HTTP_SERVERS), so unless you have all of the google.com servers defined as your var HTTP_SERVERS you will see the behavior that you are noting. Note also the use of HTTP_PORTS; as such (assuming you have defined your EXTERNAL_NET and HOME_NET or HTTP_SERVERS) you would have to make a request out from the client on one of the defined HTTP_PORTS, this way snort would catch the reply from google on the monitored ports list.... make sense?

Beyond that, there are a number of reasons that you may be missing event generating packets.. from dropped packets to asymmetric routing and beyond.. The short of it is that more info would be useful, but it appears that what you are trying to simulate to generate this event will not reliably do so.

JJC

On Tue, Feb 16, 2010 at 2:56 AM, Sven Wurth <swurth () astaro com> wrote:
Hi Snort-Sigs,

I saw a strange problem with an http rule, which is not always triggering. If I take a rule like this:

drop $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"foobar"; flow:established,to_server; uricontent:"insert"; nocase; pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:666666;)

go to google.com and search for "insert into", an alert will be logged and the packet gets dropped. The search takes a really long time and normally I get a timeout, but sometimes retransmitted packets come through snort and google shows the search results. That's a failure, these packets should never pass snort.

I did a tcpdump on the outer snort interface; if I let snort read these pcaps the attack is recognized. But why not always in inline mode? (snort 2.8.5.2 in inline mode)

Please help me, I have no idea how to debug this...

Best
Sven

------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
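To make the directionality point above concrete, here is an added Python model of how the header and options of the quoted rule are matched against a request (example code, not from the thread or from Snort). The variable values, addresses and URIs are constructed, and $EXTERNAL_NET is assumed to be defined as !$HOME_NET.

```python
import ipaddress
import re

# Added example, not from the thread. Addresses and variable values are
# constructed for illustration; a real sensor defines them in snort.conf.
VARS = {
    "HOME_NET": ["10.0.0.0/8"],
    "EXTERNAL_NET": ["!HOME_NET"],      # anything that is not HOME_NET
    "HTTP_SERVERS": ["10.0.0.80/32"],   # the web server being protected
}
HTTP_PORTS = {80, 8080}
URI_RE = re.compile(r"insert[^\n]*into", re.I)  # pcre:"/insert[^\n]*into/Ui"


def in_var(var_name, ip):
    """True if ip is inside $var_name; an entry '!OTHER' means 'not in $OTHER'."""
    for entry in VARS[var_name]:
        if entry.startswith("!"):
            if not in_var(entry[1:], ip):
                return True
        elif ip in ipaddress.ip_network(entry):
            return True
    return False


def rule_fires(src, dst, dport, uri, flow):
    """Evaluate the thread's rule header and options against one request.
    flow is 'to_server' or 'to_client'. Returns (fires, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not in_var("HTTP_SERVERS", dst):
        return False, f"dst {dst} is not in $HTTP_SERVERS"
    if dport not in HTTP_PORTS:
        return False, f"dport {dport} is not in $HTTP_PORTS"
    if not in_var("EXTERNAL_NET", src):
        return False, f"src {src} is not in $EXTERNAL_NET"
    if flow != "to_server":
        return False, "flow:to_server requires client-to-server direction"
    if "insert" not in uri.lower():      # uricontent:"insert"; nocase
        return False, "uricontent 'insert' absent from URI"
    if not URI_RE.search(uri):
        return False, "pcre /insert[^\\n]*into/Ui did not match URI"
    return True, "rule matched; packet would be dropped"


# A browser inside HOME_NET searching a public site for "insert into": the
# destination is not in $HTTP_SERVERS, so the URI is never even inspected.
OUTBOUND = rule_fires("10.0.0.5", "203.0.113.10", 80, "/search?q=insert+into", "to_server")
# The same URI sent from outside to the protected server, which the rule is written for.
INBOUND = rule_fires("198.51.100.7", "10.0.0.80", 80, "/search?q=insert+into", "to_server")
```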