Snort mailing list archives
Re: Snort 2.9.0.1 Now Available
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 8 Nov 2010 11:54:37 -0500
Can you send us a pcap?

On Mon, Nov 8, 2010 at 11:45 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

> Hello. I am still experiencing HTTP stream reassembly issues when trying to match across multiple fragmented packets with Snort 2.9.0.1. Specifically, this happens on an HTTP POST where the headers are in a different packet than the POST data. Consider the following rule, which you can use along with scapy to reproduce if you want:
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Incoming German POST to Batman"; flow:established,to_server; content:"POST"; http_method; uricontent:"/batcave/"; uricontent:"unicorns4sourcefire"; content:"|0d 0a|Accept-Language: de"; nocase; http_header; content:!"|0d 0a 0d 0a|not4batman=true&"; content:!"\; batsecret=sesstoken4robin"; http_cookie; classtype:trojan-activity; sid:8008135; rev:17;)
>
> It alerts (b/c all the URI and HTTP header stuffs match in the initial packet) but it shouldn't alert b/c the HTTP POST data starts with 'not4batman=true&' (but the POST data is in a subsequent packet than the one containing the headers). Anyone else still having issues or have done more in-depth testing with 2.9.0.1 and the HTTP pre-processor?
>
> -L0rd C.
>
> On Tue, Nov 2, 2010 at 5:34 PM, Steven Sturges <steve.sturges () sourcefire com> wrote:
>
>> There was an issue in that HTTP inspect wasn't correctly handling raw vs. stream reassembled packets when looking at HTTP response data. This fix is included in 2901 -- refer to ChangeLog (changes to hi_client.c/hi_server.c).
>>
>> As to the support of 2.8.6, with the release of 2.9.0, 2.8.6.x is no longer supported. When there is a new "3 digit" release no further patches are made to the previous version of Snort.
>>
>> On 11/1/2010 1:05 PM, L0rd Ch0de1m0rt wrote:
>>
>>> Hello. Does this release fix the issue where the HTTP pre-processor wasn't properly examining reassembled data across fragmented packets? (I don't know the exact cause of the bug - maybe it was the other way around and Stream5 wasn't properly doing the reassembly.) It was announced that there would be a patch for that issue, just want to see if this is it.
>>>
>>> If so, when can we expect the 2.8.6.1 patch to be released? 2.8.6.1 is still supported, right? Thanks!
>>>
>>> -L0rd C.
>>>
>>> On Mon, Nov 1, 2010 at 11:45 AM, Snort Releases <snortreleases () snort org> wrote:
>>>
>>>> Snort 2.9.0.1 is now available on snort.org, at http://www.snort.org/snort-downloads/.
>>>>
>>>> 2.9.0 RC & later packages are signed with a new PGP key (that is signed with the previous key).
>>>>
>>>> Snort 2.9.0.1 addresses the following:
>>>>
>>>> * Fixed maximum flowbits configuration parsing to specify the number of bits in accordance with the Snort manual, rather than number of bytes. If you have 'config flowbits_size' in your snort.conf, double check that it has the correct setting.
>>>>
>>>> * Fixed a packet size issue with the IPQ and NFQ DAQs.
>>>>
>>>> * Fixed issue with Stream5 overlap limit processing.
>>>>
>>>> * Updated the version of LibPCRE bundled with the Windows installer. This update fixes a bug that caused some PCRE matches to fail on Windows.
>>>>
>>>> Please see the Release Notes and ChangeLog for more details.
>>>>
>>>> Please submit bugs, questions, and feedback to snort-beta () sourcefire com.
>>>>
>>>> Happy Snorting!
>>>> The Snort Release Team
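As an added illustration (not code from the thread or from Snort itself), the following Python models the reporter's observation: when only the header segment is inspected, the two negated content checks cannot fail, so the rule fires; on the reassembled stream the POST body is visible and the negation correctly suppresses the alert. The sample segments are constructed, and the `http_*` buffer modifiers are approximated as raw matches over the whole buffer.

```python
# Constructed sample traffic: the request headers and the POST body arrive
# in two separate TCP segments, as described in the thread.
SEGMENTS = [
    b"POST /batcave/unicorns4sourcefire HTTP/1.1\r\n"
    b"Host: batcave.example\r\n"
    b"Accept-Language: de\r\n"
    b"Cookie: id=1; batsecret=notthetoken\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n",
    b"not4batman=true&x=y",
]

# Simplified view of the rule's content options: (pattern, negated, nocase).
# Sticky-buffer modifiers (http_method, http_header, http_cookie, uricontent)
# are approximated by matching against the whole buffer.
CHECKS = [
    (b"POST", False, False),
    (b"/batcave/", False, False),
    (b"unicorns4sourcefire", False, False),
    (b"\r\nAccept-Language: de", False, True),
    (b"\r\n\r\nnot4batman=true&", True, False),
    (b"; batsecret=sesstoken4robin", True, False),
]


def contains(buf: bytes, pat: bytes, nocase: bool) -> bool:
    """Substring test, case-insensitive when the content carries nocase."""
    return (pat.lower() in buf.lower()) if nocase else (pat in buf)


def rule_fires(buf: bytes) -> bool:
    """Every positive pattern must be present and every negated one absent."""
    return all(contains(buf, pat, nocase) != negated for pat, negated, nocase in CHECKS)


def per_packet_alerts(segments) -> list:
    """Evaluate each segment on its own: the body is never seen alongside
    the headers, so the negated body check can only succeed."""
    return [rule_fires(seg) for seg in segments]


def reassembled_alert(segments) -> bool:
    """Evaluate the stream-reassembled request as the rule author intended."""
    return rule_fires(b"".join(segments))


if __name__ == "__main__":
    print("per-packet alerts:", per_packet_alerts(SEGMENTS))   # [True, False]
    print("reassembled alert:", reassembled_alert(SEGMENTS))   # False
```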
Current thread:
- Snort 2.9.0.1 Now Available Snort Releases (Nov 01)
- Re: Snort 2.9.0.1 Now Available L0rd Ch0de1m0rt (Nov 01)
- Re: Snort 2.9.0.1 Now Available Steven Sturges (Nov 02)
- Re: Snort 2.9.0.1 Now Available L0rd Ch0de1m0rt (Nov 03)
- Re: [Emerging-Sigs] Snort 2.9.0.1 Now Available Joel Esler (Nov 03)
- Re: [Emerging-Sigs] [Snort-devel] Snort 2.9.0.1 Now Available Miso Patel (Nov 03)
- Re: [Emerging-Sigs] [Snort-devel] Snort 2.9.0.1 Now Available Matthew Jonkman (Nov 03)
- Re: Snort 2.9.0.1 Now Available Randal T. Rioux (Nov 03)
- Re: Snort 2.9.0.1 Now Available Steven Sturges (Nov 02)
- Re: Snort 2.9.0.1 Now Available L0rd Ch0de1m0rt (Nov 08)
- Re: Snort 2.9.0.1 Now Available Russ Combs (Nov 08)
- Re: Snort 2.9.0.1 Now Available L0rd Ch0de1m0rt (Nov 08)
- Re: Snort 2.9.0.1 Now Available Steven Sturges (Nov 08)
- Re: Snort 2.9.0.1 Now Available L0rd Ch0de1m0rt (Nov 08)
- Re: Snort 2.9.0.1 Now Available Russ Combs (Nov 08)
- Re: Snort 2.9.0.1 Now Available Russ Combs (Nov 09)
- Re: Snort 2.9.0.1 Now Available Russ Combs (Nov 09)
- Re: Snort 2.9.0.1 Now Available L0rd Ch0de1m0rt (Nov 01)
- Re: Snort 2.9.0.1 Now Available Eoin Miller (Nov 08)
- Re: Snort 2.9.0.1 Now Available Eoin Miller (Nov 08)
- <Possible follow-ups>
- Snort 2.9.0.1 Now Available Snort Releases (Nov 01)
- Re: Snort 2.9.0.1 Now Available Mike Lococo (Nov 01)