Snort mailing list archives
Re: detection problem in client body
From: Felix via Snort-users <snort-users () lists snort org>
Date: Thu, 8 Mar 2018 15:53:20 +0100
Kumarswamy, thanks for the explanation.

felix

On 08/03/18 14:25, Kumarswamy H N (kumhn) wrote:
> Snort 2.x has code to check for at least 6 characters in the client body before alerting; this is probably done as some kind of optimization, as alerting on too small a POST body will not be worthwhile. This is the reason why you see an alert on the second request only.
>
> *From:* Snort-users [mailto:snort-users-bounces () lists snort org] *On Behalf Of* Joel Esler (jesler) via Snort-users
> *Sent:* Thursday, March 08, 2018 6:40 PM
> *To:* erlacher () campus uni-paderborn de
> *Cc:* Snort-users () lists snort org
> *Subject:* Re: [Snort-users] detection problem in client body
>
> No, that means that Russ tested it against Snort 3. I haven't had the chance to run against Snort 2; perhaps someone else from Cisco will before I get a chance to get to it.
>
> --
> Joel Esler | Talos: Manager | jesler () cisco com <mailto:jesler () cisco com>
>
> On Mar 8, 2018, at 4:29 AM, Felix via Snort-users <snort-users () lists snort org <mailto:snort-users () lists snort org>> wrote:
>
>> On 07/03/18 22:39, Russ via Snort-users wrote:
>>> FYI - Snort 3 will alert as expected.
>>
>> ok, thx, good to know. Does this mean this is a bug in Snort 2?
>>
>> felix
>>
>>> On 3/7/18 11:55 AM, Felix Erlacher via Snort-users wrote:
>>>> Hi all,
>>>>
>>>> I am having a detection problem with an http_client_body rule. I tried to provide a minimal example in the attachments. post.pcapng contains two full TCP connections with one HTTP request (and corresponding response) each. The first POST request has 'foo' in the client body, the second POST request has 'foo123' in the client body. test.rules contains a rule which is looking for the letter 'o' in the http_client_body. If I run snort in IDS mode, only the second POST request is triggering an alert, while the first POST request does not, although it also contains an 'o' in the client body. The only notable difference (to me) is the '123' added to the client body, which IMHO should not make any difference. Why is the first POST request not triggering an alert?
>>>>
>>>> I am using the newest snort 2.9.11.1 with standard config (minimal changes, attached); snort output is attached. As can be seen, I am using the -k none switch.
>>>>
>>>> thx and regards
>>>> Felix
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users () lists snort org <mailto:Snort-users () lists snort org>
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.snort.org/mailman/listinfo/snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>>
>>>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>>
>> --
>> Felix Erlacher
>> ccs-labs.org/~erlacher <http://ccs-labs.org/%7Eerlacher>
>> Key-ID:4EAC0959

--
Felix Erlacher
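To reproduce the behaviour Kumarswamy describes without a sensor, here is an added Python model (not Snort code and not written by anyone in the thread) that extracts a POST body by Content-Length and applies a single content match behind a minimum-body-size gate; the 6-byte threshold, the request headers and the URI are assumptions taken from the thread, not read from Snort source.

```python
MIN_CLIENT_BODY_LEN = 6  # assumption: the minimum size mentioned in Kumarswamy's reply


def parse_http_request(raw: bytes) -> tuple[dict, bytes]:
    """Split a raw HTTP/1.1 request into a header dict and the body given by Content-Length."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", "0"))
    return headers, rest[:length]


def client_body_matches(raw: bytes, pattern: bytes,
                        min_len: int = MIN_CLIENT_BODY_LEN) -> bool:
    """Emulate 'content:"<pattern>"; http_client_body;' with a minimum-body-size gate."""
    _, body = parse_http_request(raw)
    if len(body) < min_len:
        return False                               # body too small: skipped, no alert
    return pattern in body


def build_post(body: bytes) -> bytes:
    """Constructed POST request mirroring the minimal example from the thread (hypothetical URI/host)."""
    return (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % len(body)) + body


def evaluate_thread_cases(min_len: int = MIN_CLIENT_BODY_LEN) -> dict[str, bool]:
    """Return which of the two thread bodies would alert on the rule looking for 'o'."""
    return {body.decode(): client_body_matches(build_post(body), b"o", min_len)
            for body in (b"foo", b"foo123")}


if __name__ == "__main__":
    print("Snort 2 model:", evaluate_thread_cases())          # {'foo': False, 'foo123': True}
    print("no size gate: ", evaluate_thread_cases(min_len=0))  # {'foo': True, 'foo123': True}
```

Running it with the gate set to 0 shows what the Snort 3 result in the thread looks like: both bodies match, so the missing alert is a consequence of the size gate rather than of the content match itself.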
Current thread:
- detection problem in client body Felix Erlacher via Snort-users (Mar 07)
- Re: detection problem in client body Russ via Snort-users (Mar 07)
- Re: detection problem in client body Felix via Snort-users (Mar 08)
- Re: detection problem in client body Joel Esler (jesler) via Snort-users (Mar 08)
- Re: detection problem in client body Kumarswamy H N (kumhn) via Snort-users (Mar 08)
- Re: detection problem in client body Felix via Snort-users (Mar 08)
- Re: detection problem in client body Felix via Snort-users (Mar 08)
- Re: detection problem in client body Russ via Snort-users (Mar 07)