Snort mailing list archives
Re: [Emerging-Sigs] http preprocessor issue (help!)
From: Joel Esler <jesler () sourcefire com>
Date: Sun, 10 Feb 2013 11:03:50 -0500
BTW -- I know the pcap reads "fixed_http_traffic_test.pcap". I have a system that corrects checksums when I put a pcap in my test directory. Here is the same test run with your pcap:

##### http_traffic_test.pcap #####
[1:1000010:1] NIRT_GET_TEST (alerts: 41)
[129:18:1] Data sent on stream after TCP Reset received (alerts: 1) (dropped)
[120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE (alerts: 1) (dropped)

On Sun, Feb 10, 2013 at 11:01 AM, Joel Esler <jesler () sourcefire com> wrote:
> CC'ing Snort-users list, as that list is more appropriate for engine issues.
>
> Do you have any thresholds in place? I ran it against my Snort install with the stock VRT snort.conf and I got:
>
> ##### fixed_http_traffic_test.pcap #####
> [1:1000010:1] NIRT_GET_TEST (alerts: 41)
> [129:18:1] Data sent on stream after TCP Reset received (alerts: 1) (dropped)
> [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE (alerts: 1) (dropped)
>
> http://www.snort.org/vrt/snort-conf-configurations/
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Fri, Feb 8, 2013 at 1:49 PM, Dmitri <shadow000 () gmail com> wrote:
>
>> Anybody had any weird issues with the http preprocessor in Snort or Sourcefire? Been breaking my head on this for the past couple of weeks. At this point I am just testing these two:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_POST_TEST"; content:"POST"; http_method; nocase; classtype:web-application-attack; rev:1; sid:1000009; )
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_GET_TEST"; content:"GET"; http_method; nocase; classtype:web-application-attack; rev:1; sid:1000010; )
>>
>> Here's what I am getting:
>>
>> root@bt:/etc/snort# snort -c ./snort.conf -A console -q -r /root/http_traffic_test.pcap
>> 02/06-23:28:13.697928 [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49750 -> 213.186.33.2:80
>> root@bt:/etc/snort#
>>
>> As we can see, it fires just once; however, there are tons of GET requests in the pcap. (pcap and snort.conf are attached)
>>
>> Any ideas or suggestions?
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.4 GRE (Build 40)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>>            Using libpcap version 1.0.0
>>            Using PCRE version: 8.32 2012-11-30
>>            Using ZLIB version: 1.2.3.3
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs () lists emergingthreats net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
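The summaries above compare the rule hit count against the preprocessor events (GID 120 http_inspect, GID 129 stream5) that explain why later packets on a flow were never inspected. The script below is an added example, not code from the thread or from the Snort project: it parses Snort's "-A console" alert lines and counts them per GID:SID:REV in the same "[gid:sid:rev] msg (alerts: N)" shape Joel used, so the two runs can be diffed mechanically. Only the first alert line in SAMPLE_OUTPUT is from the thread; the remaining lines are constructed for the example, and the endpoint splitter assumes IPv4 "ip:port" endpoints as shown on this page.

```python
"""Summarise Snort '-A console' alert output per GID:SID:REV.

Added example (not from the mailing-list thread). Reads console alert lines,
skips anything that is not an alert (shell prompts, banner, blank lines) and
reports how often each generator/signature fired, preprocessor events included.
"""
import re
from collections import Counter

# One Snort console alert line. Preprocessor events (GID 120/129) may omit the
# [Classification: ...] field, so it is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_endpoint(endpoint):
    """'192.168.107.132:49750' -> ('192.168.107.132', 49750).

    Assumes IPv4 endpoints as printed on this page; alerts without a port
    (e.g. ICMP) come back with port None.
    """
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alert(line):
    """Return a dict describing one console alert line, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for field in ("gid", "sid", "rev", "prio"):
        a[field] = int(a[field])
    a["src_ip"], a["src_port"] = split_endpoint(a["src"])
    a["dst_ip"], a["dst_port"] = split_endpoint(a["dst"])
    return a


def summarize(lines):
    """Count alerts per (gid, sid, rev). Returns [((gid, sid, rev), msg, count), ...],
    most frequent first."""
    counts = Counter()
    msgs = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # prompt, banner or blank line: not an alert
        key = (a["gid"], a["sid"], a["rev"])
        counts[key] += 1
        msgs[key] = a["msg"]
    return [(key, msgs[key], n) for key, n in counts.most_common()]


def render_summary(lines, pcap_name):
    """Render the per-signature counts in the '##### pcap #####' summary style."""
    out = [f"##### {pcap_name} #####"]
    for (gid, sid, rev), msg, n in summarize(lines):
        out.append(f"[{gid}:{sid}:{rev}] {msg} (alerts: {n})")
    return "\n".join(out)


# Constructed sample: line 2 is the alert from the thread; the rest are made up
# to show preprocessor events interleaved with rule hits on the same flow.
SAMPLE_OUTPUT = """\
root@bt:/etc/snort# snort -c ./snort.conf -A console -q -r /root/http_traffic_test.pcap
02/06-23:28:13.697928 [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49750 -> 213.186.33.2:80
02/06-23:28:13.701122 [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49751 -> 213.186.33.2:80
02/06-23:28:13.705310 [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 213.186.33.2:80 -> 192.168.107.132:49750
02/06-23:28:13.709944 [**] [129:18:1] Data sent on stream after TCP Reset received [**] [Priority: 3] {TCP} 192.168.107.132:49750 -> 213.186.33.2:80
02/06-23:28:13.712001 [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49752 -> 213.186.33.2:80
root@bt:/etc/snort#
"""

if __name__ == "__main__":
    print(render_summary(SAMPLE_OUTPUT.splitlines(), "http_traffic_test.pcap"))
```

Run it against the real console output of both the original and the checksum-fixed pcap (snort ... -A console ... | python3 summarize.py, after swapping SAMPLE_OUTPUT for sys.stdin) and compare the two summaries: a GID 129 event on the same flow as the missing rule hits points at stream reassembly rather than at the rule itself.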
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!