Snort mailing list archives
Re: rules are not matched across the packet
From: rmkml <rmkml () yahoo fr>
Date: Tue, 7 Jun 2011 20:56:07 +0200 (CEST)
Hi Mahendra,

Please try with the latest Snort, v2.9.0.5? With your rules and your pcap, Snort v2.9.0.5 fires for all rules.

Regards
Rmkml

On Thu, 2 Jun 2011, mahendra kumawat wrote:
> Hi,
>
> I came across an issue today where Snort doesn't appear to match content across packets, and since the feature is very basic to the IDS, I wanted to raise a red flag and seek your help. The issue is as follows:
>
> 1. Vulnerability: http://www.securityfocus.com/bid/47826
> 2. Exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/47826.txt
>
> There are two exploits; let's take only the first in this case. It's a form-based cross-site scripting attempt using HTTP POST. I wrote a signature for this:
>
>     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: " Argyle Social Cross Site Scripting attempt"; flow:established, to_server; content:"stream_filter_rule"; http_client_body; reference:bugtraq,47826; classtype:web-application-attack; sid:50000027; rev:1;)
>
> I attached a pcap for testing, "47826f.pcap". Please look at packets no. 4 and 5, across which the exploit content is split. When I was running Snort on this pcap, no alert was generated. But when I removed the "http_client_body" keyword from the rule, I got an alert. So I think that when I use "http_client_body" there is some problem with across-packet matching.
>
> I also tried after changing to content:"script"; but when I used the "http_client_body" keyword after content, I did not get any alert. When I removed "http_client_body", I got an alert. It is showing the same problem.
>
>     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "NIKSUN-WEB-CLIENT Cross Site Scripting attempt"; flow:established, to_server; content:"script"; http_client_body; reference:bugtraq,47826; classtype:web-application-attack; sid:50000027; rev:1;)
>
> I have the below configuration in snort.conf for http_inspect:
>
>     # http_inspect: normalize and detect HTTP traffic and protocol anomalies
>     preprocessor http_inspect: global \
>         iis_unicode_map unicode.map 1252
>     preprocessor http_inspect_server: server default \
>         profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0 post_depth 65495
>
> Snort version:
>
>     -*> Snort! <*-
>     Version 2.8.6.1 (Build 39)
>     By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>     Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>     Using PCRE version: 7.4 2007-09-21
>
> So please advise me: what is wrong with my Snort? Why is this happening? How can I resolve this problem?
>
> Please communicate with me on the same id (mahendrau.27 () gmail com).
>
> Thanks
> Mahendra
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
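The cross-packet matching problem Mahendra describes, shown with an added Python example that is not from the thread, from Snort, or from any of its preprocessors: a toy reassembler concatenates two constructed TCP segment payloads in sequence order, carves the HTTP client body out of the reassembled request (the way an http_client_body buffer is conceptually filled, after the headers and bounded by Content-Length), and then compares per-segment matching against matching on that reassembled body. The `Segment` class, `reassemble`, `client_body`, the two `match_*` helpers and the sample POST request are all constructed for this illustration; the form field name `stream_filter_rule` and the pattern `script` are the two contents from the rules in the thread, and the split point is chosen so that `stream_filter_rule` straddles the segment boundary, as it does across packets 4 and 5 in the pcap.

```python
"""Constructed example: why a content that straddles a TCP segment boundary
is only found once the stream is reassembled and the HTTP body is carved out."""
from dataclasses import dataclass
from typing import List, Optional

CRLF2 = b"\r\n\r\n"


@dataclass
class Segment:
    """One TCP segment's payload and its starting sequence number (constructed)."""
    seq: int
    payload: bytes


def reassemble(segments: List[Segment]) -> bytes:
    """Order segments by sequence number and concatenate their payloads.
    Assumes contiguous, non-overlapping segments; a gap is reported, not guessed."""
    ordered = sorted(segments, key=lambda s: s.seq)
    buf = bytearray()
    expected = ordered[0].seq
    for s in ordered:
        if s.seq != expected:
            raise ValueError(f"gap in stream at seq {expected}")
        buf += s.payload
        expected += len(s.payload)
    return bytes(buf)


def client_body(request: bytes) -> Optional[bytes]:
    """Carve the body out of an HTTP request, honouring Content-Length.
    Returns None while the headers or the declared body are still incomplete,
    so a match is never attempted on a half-received body."""
    idx = request.find(CRLF2)
    if idx < 0:
        return None                      # headers not complete yet
    head, body = request[:idx], request[idx + len(CRLF2):]
    length = None
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None:
        return body
    if len(body) < length:
        return None                      # body still arriving
    return body[:length]


def match_per_packet(segments: List[Segment], pattern: bytes) -> List[int]:
    """Indexes of segments whose own payload contains the pattern (no reassembly)."""
    return [i for i, s in enumerate(segments) if pattern in s.payload]


def match_reassembled_body(segments: List[Segment], pattern: bytes) -> bool:
    """True only if the pattern is found in the fully reassembled client body."""
    body = client_body(reassemble(segments))
    return body is not None and pattern in body


# Constructed sample POST: the form field from the thread's first rule carries a
# URL-encoded script tag, as a form-based XSS attempt would.
BODY = b"user=bob&stream_filter_rule=%3Cscript%3Ex%3C%2Fscript%3E"
HEAD = (b"POST /index.php HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n")
REQUEST = HEAD + BODY

# Split the request so that "stream_filter_rule" is cut after "stream_fil",
# mirroring the content split across packets 4 and 5 in the pcap.
_cut = REQUEST.find(b"stream_filter_rule") + len(b"stream_fil")
SEGMENTS = [Segment(1000, REQUEST[:_cut]), Segment(1000 + _cut, REQUEST[_cut:])]

if __name__ == "__main__":
    for pat in (b"stream_filter_rule", b"script"):
        print(pat.decode(), "per-packet hits:", match_per_packet(SEGMENTS, pat),
              "reassembled-body hit:", match_reassembled_body(SEGMENTS, pat))
```

Running the block shows the two behaviours from the thread side by side: `stream_filter_rule` is found in neither segment on its own but is found in the reassembled body, while `script` lies wholly inside the second segment and so matches per packet as well, which is why the rule without `http_client_body` fired. Feeding only the first segment returns no match at all, because `client_body` refuses to inspect a body shorter than its Content-Length; a real inspector with a post-depth limit (the thread's `post_depth 65495`) bounds that buffer instead of waiting indefinitely.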
Current thread:
- rules are not matched across the packet mahendra kumawat (Jun 07)
- rules are not matched across the packet mahendra kumawat (Jun 07)
- Re: rules are not matched across the packet Bhagya Bantwal (Jun 07)
- Re: rules are not matched across the packet rmkml (Jun 07)
- rules are not matched across the packet mahendra kumawat (Jun 07)