Snort mailing list archives
Re: Bug report - no content match on http_inspect port
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 4 Mar 2011 10:06:58 -0500
You should only put ports in the http_inspect config that you are running http services on, on your network. 3128 is a common proxy port, so it's included by default.

Joel

On Mar 4, 2011, at 9:57 AM, elof () sentor se wrote:
Snort doesn't trigger alerts on traffic if that port is included in the http_inspect ports.

Example:

A basic rule:
alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; sid:1234; rev:1;)

If the snort.conf contains this http_inspect configuration, sid:1234 will never trigger even if a packet is seen containing "login: root" from port 3128. Bug!

preprocessor http_inspect_server: server default profile all ports { 80 3128 8080 } oversize_dir_length 500 no_alerts

If I remove port 3128 from the configuration and try again, I get an alert.

preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500 no_alerts

I tested it using this simple setup:

Server: echo "login: root" | nc -l 3128
Client: nc serverip 3128

When the client connects, I get a logged event using the second config.
When the client connects, I don't get any event using the first config.

This is reproducible.

Could it be that http_inspect tries to normalise the string "login: root" and by doing so breaks it, so that there are no matches?

/Elof
--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
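The practical lesson of the exchange above is that a plain content: rule pinned to a port that http_inspect_server claims may never fire on non-HTTP traffic, so the http_inspect port list and the rule set have to be reviewed together. The following lint is an added example, not code from this thread or from the Snort project: it parses the ports { ... } lists of http_inspect_server lines and the port fields of Snort 2.x rule headers, and reports every rule whose explicitly pinned port is owned by http_inspect while its content match is not bound to an http_* buffer. The rule option names (content, uricontent, http_method, http_uri and the rest) are real Snort 2.x options; the snort.conf fragment and the three rules embedded below are constructed test inputs, the first rule and the first config being the ones Elof posted. Port variables such as $HTTP_PORTS and negated port fields are deliberately skipped, since the lint only reasons about ports a rule names explicitly.

```python
"""Flag Snort 2.x rules whose explicit ports collide with http_inspect ports.

Added example (not the thread's or the Snort project's code). It encodes
the behaviour reported on snort-devel: a raw content: match pinned to a
port listed in http_inspect_server did not fire on non-HTTP traffic.
"""
import re

# Real Snort 2.x content modifiers that bind a match to an HTTP buffer.
HTTP_BUFFER_MODIFIERS = {
    "http_client_body", "http_cookie", "http_raw_cookie", "http_header",
    "http_raw_header", "http_method", "http_uri", "http_raw_uri",
    "http_stat_code", "http_stat_msg",
}

# Constructed inputs: the failing config from the thread plus three rules.
SNORT_CONF = """
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 3128 8080 } oversize_dir_length 500 no_alerts
"""

RULES = [
    'alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; sid:1234; rev:1;)',
    'alert tcp any any -> any 8080 (msg:"method"; flow:to_server,established; content:"GET"; http_method; sid:1235; rev:1;)',
    'alert tcp any 2222 -> any any (msg:"ssh banner"; content:"SSH-2.0"; sid:1236; rev:1;)',
]

_PORTS_RE = re.compile(r"ports\s*\{([^}]*)\}")
_HEADER_RE = re.compile(
    r"^\s*\w+\s+\w+\s+\S+\s+(\S+)\s+(?:->|<>)\s+\S+\s+(\S+)\s*\((.*)\)\s*$")
# option name, optional ':' value (quoted values may contain ';'), then ';'
_OPT_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def http_inspect_ports(conf):
    """Union of every ports { ... } list on http_inspect_server lines."""
    ports = set()
    for line in conf.splitlines():
        if line.strip().startswith("preprocessor http_inspect_server"):
            for m in _PORTS_RE.finditer(line):
                ports.update(int(p) for p in m.group(1).split())
    return ports


def expand_ports(spec):
    """Expand a rule-header port field ('80', '[80,8080]', '8000:8010') into ints.

    'any', variables ($VAR) and negations (!...) yield an empty set: the lint
    only reasons about ports the rule pins explicitly."""
    spec = spec.strip()
    if spec == "any" or spec.startswith(("$", "!")):
        return set()
    out = set()
    for part in spec.strip("[]").split(","):
        part = part.strip()
        if ":" in part:
            lo, hi = part.split(":", 1)
            out.update(range(int(lo) if lo else 0, (int(hi) if hi else 65535) + 1))
        elif part:
            out.add(int(part))
    return out


def parse_rule(rule):
    """Return (src_ports, dst_ports, sid, has_raw_content).

    A content: option is 'raw' unless a following http_* modifier rebinds it
    to an HTTP buffer before the next content: option starts."""
    m = _HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: " + rule)
    src, dst, body = m.groups()
    sid, has_raw, current_raw = None, False, None
    for name, value in _OPT_RE.findall(body):
        if name == "content":
            has_raw = has_raw or bool(current_raw)   # close out previous content
            current_raw = True
        elif name == "uricontent" or name in HTTP_BUFFER_MODIFIERS:
            current_raw = False
        elif name == "sid":
            sid = int(value.strip())
    has_raw = has_raw or bool(current_raw)
    return expand_ports(src), expand_ports(dst), sid, has_raw


def find_shadowed_rules(conf, rules):
    """(sid, overlapping ports) for rules with a raw content match pinned
    to a port that http_inspect_server owns."""
    hports = http_inspect_ports(conf)
    hits = []
    for rule in rules:
        src, dst, sid, raw = parse_rule(rule)
        overlap = (src | dst) & hports
        if raw and overlap:
            hits.append((sid, sorted(overlap)))
    return hits


if __name__ == "__main__":
    for sid, ports in find_shadowed_rules(SNORT_CONF, RULES):
        print(f"sid:{sid} has a raw content match on http_inspect port(s) {ports}; "
              "drop the port from http_inspect_server or bind the match to an http_* buffer")
```

Run against the constructed inputs it reports only sid:1234, the rule from the thread: sid:1235 also sits on an http_inspect port but its match is bound with http_method, and sid:1236 is on port 2222, which http_inspect does not claim. Feeding it a real snort.conf and rules file means reading those files into SNORT_CONF and RULES; rules that reach the port list only through $HTTP_PORTS need the variable resolved first, which this lint does not attempt.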
Current thread:
- Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Joel Esler (Mar 04)
- Re: Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Joel Esler (Mar 04)
- Re: Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Ryan Jordan (Mar 04)
- Re: Bug report - no content match on http_inspect port elof (Mar 07)
- Re: Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Joel Esler (Mar 04)