Snort mailing list archives

Re: Bug report - no content match on http_inspect port


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 4 Mar 2011 10:35:45 -0500

Traffic that is going to one of the ports that is in the http_inspect preprocessor's configuration is treated as HTTP, 
yes.

Joel

On Mar 4, 2011, at 10:25 AM, elof () sentor se wrote:


Yes. But that doesn't really answer any question or fix the problem, does it?

Are you saying that snort can no longer do simple pattern matching on all traffic that is handled by http_inspect?


If I wanted to, I should be able to alert on the pattern "login: root" with a rule WITHOUT any given ports ('alert 
tcp any any -> any any (...)'), and snort should be acting sort of like 'ngrep'.
But for traffic on ports 80, 3128 and 8080 snort wouldn't generate any event. This is a bug to me.

/Elof


On Fri, 4 Mar 2011, Joel Esler wrote:

You should only put ports in the http_inspect config that you are running http services on, on your network.

3128 is a common proxy port, so it's included by default.

Joel

On Mar 4, 2011, at 9:57 AM, elof () sentor se wrote:


Snort doesn't trigger alerts on traffic if that port is included in the
http_inspect ports.


Example:

A basic rule:

alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; sid:1234; rev:1;)

If the snort.conf contains this http_inspect configuration, sid:1234 will
never trigger even if a packet is seen containing "login: root" from port
3128. Bug!

preprocessor http_inspect_server: server default profile all ports { 80 3128 8080 } oversize_dir_length 500 no_alerts


If I remove port 3128 from the configuration and try again, I get an
alert.

preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500 no_alerts


I tested it using this simple setup:
Server: echo "login: root" | nc -l 3128
Client: nc serverip 3128

When the client connects, I get a logged event using the second config.
When the client connects, I don't get any event using the first config.
This is reproducible.

Could it be that http_inspect tries to normalise the string "login: root"
and by doing so breaks it, so that there are no matches?

/Elof

------------------------------------------------------------------------------
What You Don't Know About Data Connectivity CAN Hurt You
This paper provides an overview of data connectivity, details
its effect on application quality, and explores various alternative
solutions. http://p.sf.net/sfu/progress-d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net




--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net


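An added example, not code from the thread and not part of Snort itself: a small Python checker that reads the http_inspect_server port list out of a snort.conf fragment and flags rules which, like sid:1234 above, rely on a plain content match on a port that http_inspect will claim as HTTP. The conf fragment and the rule set below are constructed from the thread's own lines plus comparison rules; the list of http_* content modifiers is the Snort 2.x set, and a rule that uses one of them is assumed to want http_inspect rather than be shadowed by it. The function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed snort.conf fragment: the http_inspect_server line from the thread.
SAMPLE_CONF = """
preprocessor http_inspect_server: server default profile all ports { 80 3128 8080 } oversize_dir_length 500 no_alerts
"""

# Constructed rule set: the thread's sid:1234, a rule on a port outside the
# http_inspect list, a rule that selects an HTTP buffer, and the ngrep-style
# 'any any -> any any' rule the thread also mentions.
SAMPLE_RULES = """
alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; sid:1234; rev:1;)
alert tcp any 2323 -> any any (msg:"non-HTTP port"; flow:from_server,established; content:"login|3A| root"; sid:1235; rev:1;)
alert tcp any any -> any 80 (msg:"uses an HTTP buffer"; flow:to_server,established; content:"/admin"; http_uri; sid:1236; rev:1;)
alert tcp any any -> any any (msg:"ngrep-style"; content:"login|3A| root"; sid:1237; rev:1;)
"""

# Snort 2.x content modifiers that select an HTTP buffer.
HTTP_BUFFER_MODIFIERS = (
    "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_cookie", "http_raw_cookie", "http_client_body", "http_method",
    "http_stat_code", "http_stat_msg",
)

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?:->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def http_inspect_ports(conf: str) -> Set[int]:
    """Collect every port listed in 'ports { ... }' on http_inspect_server lines."""
    ports: Set[int] = set()
    for line in conf.splitlines():
        if not line.strip().startswith("preprocessor http_inspect_server"):
            continue
        m = re.search(r"ports\s*\{([^}]*)\}", line)
        if m:
            ports.update(int(p) for p in m.group(1).split())
    return ports


def parse_port_spec(spec: str) -> Optional[Set[int]]:
    """Return the explicit ports in a rule port field, or None for 'any'.

    Single ports and bracketed lists ([80,8080]) are parsed; variables ($X)
    and ranges (1:1024) are treated as 'any' so the check errs on reporting.
    """
    spec = spec.strip()
    if spec == "any" or spec.startswith("$") or ":" in spec:
        return None
    return {int(p) for p in spec.strip("[]").split(",") if p.strip().isdigit()}


def find_shadowed_rules(conf: str, rules: str) -> List[Dict[str, object]]:
    """Report content rules whose ports sit inside the http_inspect list and
    that select no HTTP buffer, i.e. the situation sid:1234 ran into."""
    hi_ports = http_inspect_ports(conf)
    findings: List[Dict[str, object]] = []
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts")
        if "content:" not in opts:
            continue
        if any(mod in opts for mod in HTTP_BUFFER_MODIFIERS):
            continue  # the rule wants http_inspect's buffers; not shadowed
        explicit = [parse_port_spec(f) for f in (m.group("sport"), m.group("dport"))]
        if all(p is None for p in explicit):
            overlap = set(hi_ports)  # 'any any -> any any' covers every http_inspect port
        else:
            overlap = set().union(*(p & hi_ports for p in explicit if p is not None))
        if overlap:
            sid_m = re.search(r"\bsid\s*:\s*(\d+)", opts)
            findings.append({
                "sid": sid_m.group(1) if sid_m else "?",
                "ports": overlap,
                "rule": line.strip(),
            })
    return findings


if __name__ == "__main__":
    for hit in find_shadowed_rules(SAMPLE_CONF, SAMPLE_RULES):
        print(f"sid:{hit['sid']} plain content match on http_inspect port(s) "
              f"{sorted(hit['ports'])}: {hit['rule']}")
```

Run against the constructed input it reports sid:1234 (port 3128) and sid:1237 (all three http_inspect ports), and stays quiet for the rule on port 2323 and for the one using http_uri. The same check can be pointed at a real snort.conf and rules directory by reading the files into the two string arguments.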

