Snort mailing list archives
Re: Bug report - no content match on http_inspect port
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 4 Mar 2011 10:06:58 -0500
You should only put ports in the http_inspect config that you are running http services on, on your network. 3128 is a common proxy port, so it's included by default. Joel On Mar 4, 2011, at 9:57 AM, elof () sentor se wrote:
Snort doesn't trigger alerts on traffic if that port is included in the
http_inspect ports.
Example:
A basic rule:
alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established;
content:"login|3A| root"; sid:1234; rev:1;)
If the snort.conf contain this http_inspect configuration, sid:1234 will
never trigger even if a packet is seen containing "login: root" from port
3128. Bug!
preprocessor http_inspect_server: server default profile all ports { 80
3128 8080 } oversize_dir_length 500 no_alerts
If I remove port 3128 from the configuration and try again, I get an
alert.
preprocessor http_inspect_server: server default profile all ports { 80
8080 } oversize_dir_length 500 no_alerts
I tested it using this simple setup:
Server: echo "login: root" | nc -l 3128
Client: nc serverip 3128
When the client connect, I get a logged event using the second config.
When the client connect, I don't get any event using the first config.
This is reproduceable.
Could it be that http_inspect tries to normalise the string "login: root"
and by doing so breaks it, so that there are no matches?
/Elof
------------------------------------------------------------------------------
What You Don't Know About Data Connectivity CAN Hurt You
This paper provides an overview of data connectivity, details
its effect on application quality, and explores various alternative
solutions. http://p.sf.net/sfu/progress-d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
-- Joel Esler jesler () sourcefire.com http://blog.snort.org && http://blog.clamav.net ------------------------------------------------------------------------------ What You Don't Know About Data Connectivity CAN Hurt You This paper provides an overview of data connectivity, details its effect on application quality, and explores various alternative solutions. http://p.sf.net/sfu/progress-d2d _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel
Current thread:
- Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Joel Esler (Mar 04)
- Re: Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Joel Esler (Mar 04)
- Re: Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Ryan Jordan (Mar 04)
- Re: Bug report - no content match on http_inspect port elof (Mar 07)
- Re: Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Joel Esler (Mar 04)