Re: [Emerging-Sigs] http preprocessor issue (help!)

[Joel Esler <jesler () sourcefire com>]

BTW -- I know the pcap reads "fixed_http_traffic_test.pcap".  I have a
system that corrects checksums when I put a pcap in my test directory.
 Here is the same test ran with your pcap:

##### http_traffic_test.pcap #####
[1:1000010:1] NIRT_GET_TEST (alerts: 41)
[129:18:1] Data sent on stream after TCP Reset received (alerts: 1)
(dropped)
[120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP
RESPONSE (alerts: 1) (dropped)


On Sun, Feb 10, 2013 at 11:01 AM, Joel Esler <jesler () sourcefire com> wrote:

> CC'ing Snort-users list, as that list is more appropriate for engine
> issues.  Do you have any thresholds in place?
>
> I ran it against my Snort install with the stock VRT snort.conf and I got:
>
> ##### fixed_http_traffic_test.pcap #####
> [1:1000010:1] NIRT_GET_TEST (alerts: 41)
> [129:18:1] Data sent on stream after TCP Reset received (alerts: 1)
> (dropped)
>  [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP
> RESPONSE (alerts: 1) (dropped)
>
> http://www.snort.org/vrt/snort-conf-configurations/
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
>
>
> On Fri, Feb 8, 2013 at 1:49 PM, Dmitri <shadow000 () gmail com> wrote:
>
> > Anybody had any weird issues with http preprocessor in snort or
> > sourcefire?
> >
> > Been breaking my head on this for the past couple of weeks. At this point
> > I am just testing these two:
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_POST_TEST";
> > content:"POST"; http_method; nocase; classtype:web-application-attack;
> > rev:1; sid:1000009; )
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_GET_TEST";
> > content:"GET"; http_method; nocase; classtype:web-application-attack;
> > rev:1; sid:1000010; )
> >
> > here's what I am getting:
> > root@bt:/etc/snort# snort -c ./snort.conf -A console -q -r
> > /root/http_traffic_test.pcap
> > 02/06-23:28:13.697928  [**] [1:1000010:1] NIRT_GET_TEST [**]
> > [Classification: Web Application Attack] [Priority: 1] {TCP}
> > 192.168.107.132:49750 -> 213.186.33.2:80
> > root@bt:/etc/snort#
> >
> > As we can see fires just once, however there are tons of GET requests in
> > the pcap.(pcap and snort.conf are attached)
> >
> > Any ideas or suggestions?
> >
> >
> >
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.9.4 GRE (Build 40)
> >    ''''    By Martin Roesch & The Snort Team:
> > http://www.snort.org/snort/snort-team
> >            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
> >            Using libpcap version 1.0.0
> >            Using PCRE version: 8.32 2012-11-30
> >            Using ZLIB version: 1.2.3.3
> >
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs () lists emergingthreats net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro
> > http://www.emergingthreatspro.com
> > The ONLY place to get complete premium rulesets for all versions of
> > Suricata and Snort 2.4.0 through Current!
>
>
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire


-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!