Snort mailing list archives
http rule is not always triggering
From: "Sven Wurth" <swurth () astaro com>
Date: Tue, 16 Feb 2010 01:56:58 -0800
Hi Snort-Sigs,

I saw a strange problem with an http rule, which is not always triggering. If I take a rule like this:

drop $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"foobar"; flow:established,to_server; uricontent:"insert"; nocase; pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:666666;)

go to google.com and search for "insert into", an alert will be logged and the packet gets dropped. The search takes a really long time and normally I get a timeout, but sometimes retransmitted packets come through snort and Google shows the search results. That's a failure, these packets should never pass snort.

I did a tcpdump on the outer snort interface; if I let snort read these pcaps the attack is recognized. But why not always in inline mode? (snort 2.8.5.2 in inline mode)

Please help me, I have no idea how to debug this...

Best
Sven
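One thing worth separating when a rule "sometimes" fires is whether the rule options themselves match the traffic at all. The script below is an added illustration, not code from the post or from the Snort project: it re-implements just the two URI tests of the quoted rule (uricontent:"insert"; nocase; and pcre:"/insert[^\n]*into/Ui") in Python and runs them over a handful of constructed HTTP requests. The URI normalization is an assumption that models only percent-decoding, a rough stand-in for what Snort's http_inspect preprocessor does before the /U option sees the URI; the sample requests and hostnames are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote

# The two payload tests from the rule quoted in the post:
#   uricontent:"insert"; nocase;
#   pcre:"/insert[^\n]*into/Ui";
# 'U' means the PCRE runs against the normalized URI, 'i' makes it
# case-insensitive. Both are reproduced here with Python's re module.
URICONTENT = "insert"
URI_PCRE = re.compile(r"insert[^\n]*into", re.IGNORECASE)

# Constructed sample requests (hypothetical, not captured traffic).
SAMPLE_REQUESTS = [
    # Plain keyword search, like the Google test described in the post.
    "GET /search?q=insert+into HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    # Upper case plus percent-encoded spaces: nocase / i must cover it.
    "GET /search?q=INSERT%20INTO%20users HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Letters themselves percent-encoded: only matches after normalization.
    "GET /search?q=%69nsert%20in%74o HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # uricontent hits, but the PCRE also needs "into" later in the URI.
    "GET /articles/insert-widgets HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Keyword appears only in the body; uricontent and /U look at the URI alone.
    "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 19\r\n\r\nq=insert%20into%20x",
]


def request_uri(request: str) -> str:
    """Return the raw request-target from the HTTP request line."""
    request_line = request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    return parts[1]


def normalize_uri(raw_uri: str) -> str:
    """Rough stand-in for http_inspect's URI normalization.

    Assumption: only percent-decoding is modelled, which is enough for the
    samples above. The real preprocessor also handles directory traversal,
    repeated slashes, IIS-style encodings and more.
    """
    return unquote(raw_uri)


def rule_matches(request: str) -> bool:
    """Apply the rule's URI tests in the order the rule lists them.

    The uricontent check is the cheap substring test; the PCRE only runs
    once it has hit, mirroring how the options are evaluated in sequence.
    """
    uri = normalize_uri(request_uri(request))
    if URICONTENT not in uri.lower():      # uricontent:"insert"; nocase;
        return False
    return URI_PCRE.search(uri) is not None  # pcre:"/insert[^\n]*into/Ui"


def evaluate(requests):
    """Return one True/False verdict per request."""
    return [rule_matches(r) for r in requests]


if __name__ == "__main__":
    for req, hit in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(f"{'DROP' if hit else 'pass'}  {request_uri(req)}")
```

If the rule options match a request offline, as they do for the first three samples here and as the post's own pcap replay confirms, the intermittent inline behaviour is not a signature-logic problem and the investigation can move to how the inline sensor sees the stream (reassembly, retransmitted segments) rather than to rewriting the rule.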