Snort mailing list archives

Re: Bug report - no content match on http_inspect port


From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Fri, 4 Mar 2011 12:12:56 -0500

Elof,

When you put a port number in the preprocessor's config, the
preprocessor will normalize traffic on that port.

You can use the "rawbytes" content modifier in your rule to specify
that you want the non-normalized payload.

alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established;
content:"login|3A| root"; rawbytes; sid:1234; rev:1;)

This behavior is intentional.

-Ryan
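Ryan's point about rawbytes, turned into a ruleset check. This is an added example, not code from the thread or from Snort: a small Python lint that takes the http_inspect port list and a set of rules and reports every content match Snort would evaluate against the normalized buffer (no rawbytes and no http_* buffer modifier) on a port that http_inspect owns. The rules, sids and port list are constructed from the thread; the parser handles the rule grammar shown here (no spaces inside port lists).

```python
import re

# Constructed input modelled on the thread: the default http_inspect ports, Elof's rule (sid 1234 rev 1),
# Ryan's rawbytes version (rev 2), an http_method rule, an SSH banner rule and Elof's port-less "ngrep" rule.
HTTP_INSPECT_PORTS = {80, 3128, 8080}
RULES = [
    'alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; '
    'content:"login|3A| root"; sid:1234; rev:1;)',
    'alert tcp any 3128 -> any any (msg:"foo"; content:"login|3A| root"; rawbytes; sid:1234; rev:2;)',
    'alert tcp any any -> any 80 (msg:"bar"; content:"GET"; http_method; sid:2; rev:1;)',
    'alert tcp any 22 -> any 49152:65535 (msg:"ssh"; content:"SSH-2.0"; sid:3; rev:1;)',
    'alert tcp any any -> any any (msg:"ngrep"; content:"login|3A| root"; sid:4; rev:1;)',
]
HEADER_RE = re.compile(r'^\w+\s+\w+\s+\S+\s+(\S+)\s+(?:->|<>)\s+\S+\s+(\S+)\s*\((.*)\)\s*$')
# Modifiers that bind a content to a specific http_inspect buffer instead of the normalized payload.
HTTP_BUFFERS = set("http_uri http_raw_uri http_header http_raw_header http_cookie http_raw_cookie "
                   "http_client_body http_method http_stat_code http_stat_msg".split())

def port_set(spec):  # 'any' or a negated field -> None (any port); '3128', '[80,8080]', '1024:' -> set
    if spec == "any" or spec.startswith("!"):
        return None
    ports = set()
    for part in spec.strip("[]").split(","):
        lo, sep, hi = part.partition(":")
        ports.update(range(int(lo or 0), (int(hi) if hi else 65535 if sep else int(lo)) + 1))
    return ports

def split_options(body):  # split the rule body on ';' outside double quotes -> (keyword, value) pairs
    parts = re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body)
    return [tuple(s.strip() for s in p.strip().partition(":")[::2]) for p in parts if p.strip()]

def unnormalized_contents(opts):
    """Return the content strings that carry neither rawbytes nor an http_* buffer modifier."""
    found, current, mods = [], None, set()
    for key, val in opts + [("content", None)]:        # sentinel flushes the last content
        if key == "content":
            if current is not None and not mods & (HTTP_BUFFERS | {"rawbytes"}):
                found.append(current)
            current, mods = (val.strip('"') if val else None), set()
        elif current is not None:
            mods.add(key)
    return found

def audit(rules, http_ports=HTTP_INSPECT_PORTS):
    """List (sid, content) pairs that Snort would evaluate against the normalized buffer."""
    findings = []
    for rule in rules:
        src, dst, body = HEADER_RE.match(rule).groups()
        if not any(p is None or p & http_ports for p in map(port_set, (src, dst))):
            continue                                   # rule can never see http_inspect traffic
        opts = split_options(body)
        sid = next((v for k, v in opts if k == "sid"), "?")
        findings.extend((sid, c) for c in unnormalized_contents(opts))
    return findings
```

Only the original sid 1234 rule and the port-less rule are reported; the rawbytes and http_method rules, and the SSH rule whose ports never overlap the http_inspect list, pass.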

On Fri, Mar 4, 2011 at 11:47 AM, <elof () sentor se> wrote:
Joel,
Why do you keep stating the obvious and ignore the issue?

Yes, 3128 is a proxy port. Yes traffic that I have configured to be
inspected by http_inspect is treated as HTTP.

My bug report is that the normalisation of the packet might destroy it,
or something else fails, because apparently a pattern match doesn't work.

Are you saying I can't simply look for the pattern "foo: bar" in any
packet or stream if the port/stream is handled by http_inspect?

/Elof


On Fri, 4 Mar 2011, Joel Esler wrote:

Traffic that is going to one of the ports that is in the http_inspect preprocessor's configuration is treated as HTTP, yes.

Joel

On Mar 4, 2011, at 10:25 AM, elof () sentor se wrote:


Yes. But that doesn't really answer any question or fix the problem, does it?

Are you saying that snort can no longer do simple pattern matching on all traffic that is handled by http_inspect?


If I wanted to, I should be able to alert on the pattern "login: root" with a rule WITHOUT any given ports ('alert tcp any any -> any any (...)'), and snort should be acting sort of like 'ngrep'.
But for traffic on ports 80, 3128 and 8080 snort wouldn't generate any event. This is a bug to me.

/Elof


On Fri, 4 Mar 2011, Joel Esler wrote:

You should only put ports in the http_inspect config that you are running http services on, on your network.

3128 is a common proxy port, so it's included by default.

Joel

On Mar 4, 2011, at 9:57 AM, elof () sentor se wrote:


Snort doesn't trigger alerts on traffic if that port is included in the
http_inspect ports.


Example:

A basic rule:

alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established;
content:"login|3A| root"; sid:1234; rev:1;)

If the snort.conf contains this http_inspect configuration, sid:1234 will
never trigger even if a packet is seen containing "login: root" from port
3128. Bug!

preprocessor http_inspect_server: server default profile all ports { 80
3128 8080 } oversize_dir_length 500 no_alerts


If I remove port 3128 from the configuration and try again, I get an
alert.

preprocessor http_inspect_server: server default profile all ports { 80
8080 } oversize_dir_length 500 no_alerts


I tested it using this simple setup:
Server: echo "login: root" | nc -l 3128
Client: nc serverip 3128

When the client connects, I get a logged event using the second config.
When the client connects, I don't get any event using the first config.
This is reproducible.

Could it be that http_inspect tries to normalise the string "login: root"
and by doing so breaks it, so that there are no matches?

/Elof

------------------------------------------------------------------------------
What You Don't Know About Data Connectivity CAN Hurt You
This paper provides an overview of data connectivity, details
its effect on application quality, and explores various alternative
solutions. http://p.sf.net/sfu/progress-d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net

