Snort mailing list archives

Re: detection problem in client body


From: Felix via Snort-users <snort-users () lists snort org>
Date: Thu, 8 Mar 2018 15:53:20 +0100

Kumarswamy,
thanks for the explanation.

felix

On 08/03/18 14:25, Kumarswamy H N (kumhn) wrote:
Snort 2.x has code to check for at least 6 characters in the client body
before alerting; this is probably done as some kind of optimization, as
alerting on too small a post body will not be worthwhile. This is the
reason why you see an alert on the second request only.

From: Snort-users [mailto:snort-users-bounces () lists snort org] On Behalf Of Joel Esler (jesler) via Snort-users
Sent: Thursday, March 08, 2018 6:40 PM
To: erlacher () campus uni-paderborn de
Cc: Snort-users () lists snort org
Subject: Re: [Snort-users] detection problem in client body

No, that means that Russ tested it against Snort 3.

I haven't had the chance to run against Snort 2, perhaps someone else
from Cisco will before I get a chance to get to it.

-- 
Joel Esler | Talos: Manager | jesler () cisco com

    On Mar 8, 2018, at 4:29 AM, Felix via Snort-users
    <snort-users () lists snort org <mailto:snort-users () lists snort org>>
    wrote:

    On 07/03/18 22:39, Russ via Snort-users wrote:

        FYI - Snort 3 will alert as expected.


    ok, thx, good to know.
    Does this mean this is a bug in Snort 2?

    felix


        On 3/7/18 11:55 AM, Felix Erlacher via Snort-users wrote:

            Hi all,

            I am having a detection problem with an http_client_body
            rule. I tried to provide a minimal example in the attachments.

            post.pcapng contains two full tcp connections with one http
            request (and corresponding response) each. The first post
            request has 'foo' in the client body, the second post request
            has 'foo123' in the client body. test.rules contains a rule
            which is looking for the letter 'o' in the http_client_body.

            If I run snort in IDS mode, only the second post request is
            triggering an alert while the first post request does not,
            although it also contains an 'o' in the client body. The only
            notable difference (to me) is the '123' added to the client
            body, which IMHO should not make any difference.

            Why is the first post request not triggering an alert?

            I am using the newest snort 2.9.11.1 with standard config
            (minimal changes, attached); snort output is attached. As can
            be seen, I am using the -k none switch.

            thx and regards

            Felix






            _______________________________________________
            Snort-users mailing list
            Snort-users () lists snort org <mailto:Snort-users () lists snort org>
            Go to this URL to change user options or unsubscribe:
            https://lists.snort.org/mailman/listinfo/snort-users

            Please visit http://blog.snort.org to stay current on all
            the latest Snort news!

            Please follow these rules:
            https://snort.org/faq/what-is-the-mailing-list-etiquette

    -- 
    Felix Erlacher

    ccs-labs.org/~erlacher <http://ccs-labs.org/%7Eerlacher>
    Key-ID:4EAC0959

-- 
Felix Erlacher
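An added example, not code from the thread or from the Snort project, that models the behaviour Kumarswamy describes so the detection gap Felix hit can be reproduced offline: two constructed HTTP POST requests with bodies 'foo' and 'foo123', a body extractor, and a content match with a minimum-body-length gate. The 6-byte threshold is taken from the thread; the gate itself is a simplified model of the Snort 2.x check, not the preprocessor's actual code, and all function names here are the example's own.

```python
"""Model of the http_client_body size gate described in the thread.

Constructed example: builds the two POST requests from Felix's report,
extracts the body via Content-Length, and applies a minimum body length
before content matching. MIN_CLIENT_BODY_LEN = 6 is the value quoted in
the thread for Snort 2.x; the real preprocessor logic is not reproduced.
"""

MIN_CLIENT_BODY_LEN = 6  # threshold as stated in the thread (assumed exact)


def build_post(body: bytes, host: bytes = b"example.test") -> bytes:
    """Build a minimal HTTP/1.1 POST with a correct Content-Length."""
    return b"".join([
        b"POST /submit HTTP/1.1\r\n",
        b"Host: " + host + b"\r\n",
        b"Content-Type: text/plain\r\n",
        b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n",
        b"\r\n",
        body,
    ])


def extract_client_body(raw: bytes) -> bytes:
    """Return the request body, honouring Content-Length; b'' if absent."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return b""
    length = 0
    # Skip the request line, then look for Content-Length (case-insensitive).
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
            break
    return rest[:length]


def client_body_matches(raw: bytes, pattern: bytes,
                        min_len: int = MIN_CLIENT_BODY_LEN) -> bool:
    """Model of content:"pattern"; http_client_body; with a size gate.

    Bodies shorter than min_len are never inspected, which is the Snort 2.x
    behaviour the thread describes. min_len=0 models a rule without the
    gate, i.e. the result Russ reported for Snort 3.
    """
    body = extract_client_body(raw)
    if len(body) < min_len:
        return False
    return pattern in body


def run_demo() -> dict:
    """Evaluate the thread's two requests with and without the size gate."""
    requests = {"foo": build_post(b"foo"), "foo123": build_post(b"foo123")}
    return {
        name: {
            "gated": client_body_matches(raw, b"o"),
            "ungated": client_body_matches(raw, b"o", min_len=0),
        }
        for name, raw in requests.items()
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:7s} gated={result['gated']!s:5s} "
              f"ungated={result['ungated']}")
```

Running it shows 'foo' matching only when the gate is disabled and 'foo123' matching either way, which is exactly the alert pattern in the original report. The practical point for rule authors is that an http_client_body rule on Snort 2.x cannot be relied on for bodies under the threshold, so very short payloads need to be covered some other way (for example by matching on headers or raw payload) if they matter to you.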