Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Problem with http_inspect and Basic Authentication rule

From: Joel Esler <jesler () sourcefire com>
Date: Mon, 4 Jul 2011 10:37:02 -0400
Try 2.9.1 beta. 

-- 
Sent from my iPad
Please excuse the brevity

On Jul 4, 2011, at 6:31 AM, andreas <andi () geekosphere org> wrote:


Hi *,

i use snort on a mirror port. I found an issue with http_inspect
preprocessor and one rule for authentication.
I start snort 2.9.0.5 using "--treat-drop-as-alert -u snort -g snort -A
fast -N -I -i eth2 -P 0 -l /var/log/snort -c /etc/snort/snort.conf".
I also tried several options with the "preprocessor http_inspect:". The
rule i want to see in the log file is:

"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"

with sid:2006380, which is in "emerging-policy.rules".

I use two lynx calls to test this issue (1.1.1.1 is just an example IP):

1. lynx --auth=foo:bar http://1.1.1.1/trac/login
2. lynx http://1.1.1.1/trac/browser and then navigate to login and try
to authenticate

When http_inspect is activated, the alert only occurs with the fist
call. If i put "disabled" to the preprocessor http_inspect the alert
occurs on both calls. So the rule is fine and the packages are also
fine, so i can point it down to the http_inspect. One idea is, that with
http_inspect activated only the first HTTP Requests are handled and the
HTTP alert for the authentication is ignored.

I tried to play with all the http_inspect options but no change except
for the disabled option.

So any idea what i can do/try to get snort working with http_inspect and
still reporting the alert for the authentication when the loginpage
isn't called directly?

Andi++

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation


------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
Previous By Date Next
Previous By Thread Next

Current thread: