Snort mailing list archives

Re: Snort inline not detecting rules with "http + content + detection_filter"


From: Hai Hoang <hai.hoang () thecoffeehouse vn>
Date: Tue, 8 Oct 2019 14:39:14 +0700

Dear Support Team,

How can I prevent hackers from scanning my system with tools such as nmap, web
scanners, etc. at level 7? And please help me open "ONLY" the rules that prevent it.

Thanks,
*Hoang Trong Hai (Mr)*
*IT Manager*
-----------------------------------------------------------------


Add: 7th Floor, 62 Tran Quang Khai Street, District 1, HCM City
Hotline:  (028) 73 039 079
Mail:      hai.hoang () thecoffeehouse vn
Mobile:   0917 955595


On Sat, Oct 5, 2019 at 7:25 PM Al Lewis (allewi) via Snort-users <
snort-users () lists snort org> wrote:

Hello

        How are you starting snort?
        Do you have a pcap of the traffic?
        Does the alerting differ using another inline method (i.e.
afpacket) or readback mode (i.e. use -Q --daq dump --daq-var
load-mode=read-file)?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com



On 10/4/19, 3:03 PM, "Snort-users on behalf of Oguz Yilmaz via
Snort-users" <snort-users-bounces () lists snort org on behalf of
snort-users () lists snort org> wrote:

    Hello,

    I have the two rules below, which alert in snort passive mode but not
    in snort inline mode.

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
    Sqlmap SQL Injection Scan"; flow:to_server,established;
    content:"User-Agent|3a| sqlmap"; fast_pattern:only; http_header;
    detection_filter:track by_dst, count 2, seconds 5;
    reference:url,sqlmap.sourceforge.net;
    reference:url,doc.emergingthreats.net/2008538;
    classtype:attempted-recon; sid:2008538; rev:8;
    metadata:affected_product Web_Server_Applications, attack_target
    Web_Server, deployment Datacenter, tag SQL_Injection,
    signature_severity Major, created_at 2010_07_30, updated_at
    2016_07_01;)

    alert tcp any any -> any 80 (msg: "TCP Detect: HTTP User Agent";
    content:"User-Agent|3a| sqlmap"; detection_filter:track by_dst, count
    2, seconds 5; sid: 8140002; rev:1;)

    In my tests, I have figured out the following.

    For the "ET SCAN Sqlmap SQL Injection Scan" rule:
    - The rule alerts in snort passive mode.
    - In inline mode, it does not alert.
    - In inline mode, if I disable either the "content" or the "detection_filter"
    match, the rule starts working.

    For the "TCP Detect" rule:
    - The rule alerts in snort passive mode.
    - In inline mode, it does not alert.
    - In inline mode, if I disable either the "content" or the "detection_filter"
    match, the rule starts working.
    - In inline mode, I normally use 'curl -A "sqlmap" URL' for trials.
    When I switch to 'echo "User-Agent sqlmap" | nc IP 80', the rule
    starts working. (When I choose to use nc, it is not HTTP anymore.)
    - In inline mode, if I disable the http_inspect and http_inspect_server
    preprocessors, the rule starts working.

    So my conclusion is that the http_inspect preprocessor, together with a rule
    that has both content and detection_filter, has some problem in inline snort.

    Snort version is 2.9.9.0 with the nfq daq compiled and running.

    Do you have any comments on the issue?

    --
    Oguz YILMAZ
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists snort org
    Go to this URL to change user options or unsubscribe:
    https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

    Please visit http://blog.snort.org to stay current on all the latest
Snort news!

    Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette



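The detection_filter and http_header semantics that the two rules in this thread depend on, as an added Python emulation written for this page (it is not Snort code and not from any poster): it counts rule matches per destination host inside the rule's time window, and contrasts the raw-content rule, which a bare nc-style payload can satisfy, with the http_header-scoped rule, which needs a parsable HTTP request. The sample traffic, the addresses and the reading of the manual's "rate must be exceeded" wording as "alert once matches exceed count" are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample traffic: (timestamp in seconds, src ip, dst ip, raw TCP payload).
# The last entry mimics the "echo ... | nc IP 80" trial: a bare line, not an HTTP request.
SAMPLE = [
    (100.0, "198.51.100.7", "203.0.113.10", b"GET / HTTP/1.1\r\nHost: shop\r\nUser-Agent: sqlmap/1.3\r\n\r\n"),
    (101.0, "198.51.100.7", "203.0.113.10", b"GET /a HTTP/1.1\r\nHost: shop\r\nUser-Agent: sqlmap/1.3\r\n\r\n"),
    (102.0, "198.51.100.7", "203.0.113.10", b"GET /b HTTP/1.1\r\nHost: shop\r\nUser-Agent: sqlmap/1.3\r\n\r\n"),
    (103.0, "198.51.100.9", "203.0.113.10", b"GET /c HTTP/1.1\r\nHost: shop\r\nUser-Agent: curl/7.64\r\n\r\n"),
    (120.0, "198.51.100.7", "203.0.113.10", b"GET /d HTTP/1.1\r\nHost: shop\r\nUser-Agent: sqlmap/1.3\r\n\r\n"),
    (121.0, "198.51.100.7", "203.0.113.11", b"User-Agent: sqlmap\n"),
]
PATTERN = b"User-Agent: sqlmap"  # the rules' content:"User-Agent|3a| sqlmap" (|3a| is ':')

def raw_match(payload: bytes) -> bool:
    """Second rule (no http_header modifier): the pattern may sit anywhere in the payload."""
    return PATTERN in payload

def http_header_match(payload: bytes) -> bool:
    """First rule (content + http_header): only a parsable HTTP request header block counts."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False
    request_line, *headers = head.split(b"\r\n")
    if not re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]$", request_line):
        return False
    return any(PATTERN in h for h in headers)

@dataclass
class DetectionFilter:
    """detection_filter: count c, seconds s; one fixed window per tracked key (assumed semantics)."""
    count: int
    seconds: float
    state: dict = field(default_factory=dict)  # key -> [window_start, matches_in_window]

    def check(self, key: str, now: float) -> bool:
        start, n = self.state.get(key, (now, 0))
        if now - start >= self.seconds:  # window expired: this match opens a fresh one
            self.state[key] = [now, 1]
            return False
        self.state[key] = [start, n + 1]
        return n + 1 > self.count  # event only once the rate is exceeded

def run(traffic, count=2, seconds=5.0, matcher=http_header_match):
    """Return (index, src, dst) for every packet that would raise an event, tracking by_dst."""
    df = DetectionFilter(count, seconds)
    return [(i, src, dst) for i, (ts, src, dst, payload) in enumerate(traffic)
            if matcher(payload) and df.check(dst, ts)]
```

With count 2 / seconds 5 only the third sqlmap request inside the window raises an event, and the nc-style payload counts for the raw rule but never for the http_header rule.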
