Snort mailing list archives

Problems trying to grep traffic in TCP streams


From: snort () tmp com br
Date: Tue, 23 Oct 2001 18:09:21 -0200

Hello, folks.

I am having problems with getting snort produce alerts when some
traffic appears in a TCP stream.

What I want is having snort search for a pair of strings that may
occur at any time during TCP sessions.  I have two cases of interest,
with different strings each, that may happen via SMTP or via a
web-based e-mail provider.

Then I set the rules below but could not get the desired behaviour to
happen.  The first rule, for SMTP, worked fairly well with 1.8.1, but
failed to work if the two strings were too distant from one another.
The second rule never worked, even with variations to make string
matches exact, instead of case-insensitive and with wildcard characters.
With the CVS version, even the test set for the first rule stopped
producing alarms.

Are my rules wrong for the behaviour I want?  Do you have any pointers?

I tried the same versions with the same rule set in a NetBSD-1.5.2
machine, and results were exactly the same.

System architecture: i386 (Pentium-III 700)

Operating system: Linux, kernel 2.0.36, libc5; NetBSD-1.5.2

Rules:
8<------------------------------------------------------------------------
    #snort config file to test ability to detect suspect content

    preprocessor frag2
    preprocessor stream4: timeout 60
    preprocessor stream4_reassemble: clientonly, ports 25 3128

    var MONITORED_CLIENTS [0/0]
    var MONITORED_SERVERS [0/0]
    var SERVER_PORT 80

    alert tcp any any -> any any (  \
            flags: A+;                                                      \
                                            \
            content: "something1";                                            \
            content: "otherstuff2";                                          \
            nocase;                                                         \

            msg: "something1+otherstuff2 detected";\

    )

    alert tcp any any -> any any (  \
            flags: A+;                                                      \
                                            \
            content: "POST /cgi-bin/webmail.exe";                           \
            content: "=abuse%40tmp.com.br";                                 \
            nocase;                                                         \

            msg: "Detected sending webmail to abuse () tmp com br";\
    )

    #eof snort.conf
------------------------------------------------------------------------>8

Command line used: "snort -z est", "snort -b -z est", "snort -z all", "snort -b -z all"


Below are the test commands, data and output from snort.


For the first rule:

    % telnet mailhost 25
    helo something1
    mail from: otherstuff2 () tmp com br
    rcpt to: pappires () tmp com br
    data
    Test
    .
    quit

Output with 1.8.1_RELEASE: /var/log/snort/alert
    [**] [1:0:0] something1+otherstuff2 detected [**]
    10/22-12:52:22.213856 192.168.0.2:16691 -> 192.168.0.1:25
    TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:144
    ***AP*** Seq: 0x951B462A  Ack: 0xCB327D81  Win: 0x7FDF  TcpLen: 20

Output with CVS version (1.8.2beta0): /var/log/alert: Nothing!


For the second rule:

    % telnet squid 3128
    POST http://www.bol.com.br/cgi-bin/webmail.exe?q=abuse%40tmp.com.br HTTP/1.0
    Content-Length: 0

Output with 1.8.1_RELEASE: /var/log/snort/alert: Nothing!

Output with CVS version (1.8.2beta0): /var/log/snort/alert: Nothing!

-- 
        Paulo Alexandre Pinto Pires -- pappires () tmp com br
        TMP Consultoria em Informatica S/C -- http://www.tmp.com.br
        Phone: +55-21-2556-3791
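Added illustration, not part of the original post or of Snort itself: a minimal model of Snort's multiple-`content` matching, run over the client-to-server data quoted above. It shows the two things a rule writer checks when a rule like these stays silent: whether every `content:` pattern really occurs in the bytes on the wire (rule 2's first pattern, `POST /cgi-bin/webmail.exe`, is not a substring of the proxy-style request line the telnet session sent, which used an absolute URI), and whether the patterns fall into one inspected buffer (rule 1's two strings are typed in different packets, so they are only seen together after stream4 reassembles and flushes them in the same chunk). The packet boundaries, the flush model and the `@example.invalid` addresses are constructed assumptions; the simplification that `nocase` applies to all patterns is the model's, whereas in Snort the modifier applies to the preceding `content` only.

```python
from typing import Iterable, List

# Snort 1.x semantics modelled here: every content: pattern must be found
# somewhere in the inspected buffer; patterns are independent of one another
# unless distance/within are used (which the rules in the post do not).
def content_match(buffer: bytes, patterns: Iterable[bytes], nocase: bool = False) -> bool:
    haystack = buffer.lower() if nocase else buffer
    return all((p.lower() if nocase else p) in haystack for p in patterns)

def missing_patterns(buffer: bytes, patterns: Iterable[bytes], nocase: bool = False) -> List[bytes]:
    """Patterns the buffer does not contain; a non-empty result explains a silent rule."""
    haystack = buffer.lower() if nocase else buffer
    return [p for p in patterns if (p.lower() if nocase else p) not in haystack]

# Constructed client->server data for the SMTP test: one element per packet,
# as an interactive telnet session sends each typed line separately.
# The addresses are placeholders, not those from the post.
SMTP_PACKETS: List[bytes] = [
    b"helo something1\r\n",
    b"mail from: otherstuff2@example.invalid\r\n",
    b"rcpt to: recipient@example.invalid\r\n",
    b"data\r\n",
    b"Test\r\n",
    b".\r\n",
    b"quit\r\n",
]
RULE1 = [b"something1", b"otherstuff2"]

def rule1_per_packet() -> List[bool]:
    """Without reassembly each packet is inspected alone: never both strings."""
    return [content_match(p, RULE1, nocase=True) for p in SMTP_PACKETS]

def rule1_reassembled(flush_every: int) -> List[bool]:
    """Assumed stream4 model: the client stream is flushed to the detection
    engine every `flush_every` packets as one buffer. A match needs both
    strings inside the same flushed chunk, which is why strings that are
    far apart in the session can miss even with reassembly on."""
    results = []
    for i in range(0, len(SMTP_PACKETS), flush_every):
        chunk = b"".join(SMTP_PACKETS[i:i + flush_every])
        results.append(content_match(chunk, RULE1, nocase=True))
    return results

# The request line from the second test, sent to the squid proxy on 3128.
PROXY_REQUEST = (
    b"POST http://www.bol.com.br/cgi-bin/webmail.exe?q=abuse%40tmp.com.br HTTP/1.0\r\n"
    b"Content-Length: 0\r\n\r\n"
)
RULE2 = [b"POST /cgi-bin/webmail.exe", b"=abuse%40tmp.com.br"]
# Proxy-aware variant (constructed): a request through a proxy carries an
# absolute URI, so "POST " is not immediately followed by "/cgi-bin/...".
RULE2_PROXY_AWARE = [b"POST http://", b"/cgi-bin/webmail.exe", b"=abuse%40tmp.com.br"]

def rule2_matches() -> bool:
    return content_match(PROXY_REQUEST, RULE2, nocase=True)

def rule2_missing() -> List[bytes]:
    return missing_patterns(PROXY_REQUEST, RULE2, nocase=True)

def rule2_proxy_aware_matches() -> bool:
    return content_match(PROXY_REQUEST, RULE2_PROXY_AWARE, nocase=True)

if __name__ == "__main__":
    print("rule 1, per packet:      ", rule1_per_packet())
    print("rule 1, flushed every 2: ", rule1_reassembled(2))
    print("rule 2 as written:       ", rule2_matches(), "missing:", rule2_missing())
    print("rule 2 proxy-aware:      ", rule2_proxy_aware_matches())
```

The useful habit this encodes: before blaming the preprocessor, diff each `content:` string against the literal bytes the client sent (a `-b` binary capture read back with `snort -r` or a hex dump is enough), then ask whether the strings can land in one reassembled buffer.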

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

