Snort mailing list archives
Re: BUG: corner case involving http_cookie
From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 10 Mar 2010 06:36:42 -0600
hmmm I don't think so. Look at the first test. Both rules fire.

Regards,
Will

On Tue, Mar 9, 2010 at 10:31 PM, beenph <beenph () gmail com> wrote:
> I will try a wild guess, what is your event_queue size like? It's probably a bug or something that needs clarification regarding http_cookie and http_inspect, but maybe http_cookie enables a modifier in http_inspect that alters alerting behavior when event_queue is at 1 (since I guess both "alerts" are part of the same normalized http stream).
>
> -elz
>
> ps: didn't run the pcap and rules test.
>
> On Tue, Mar 9, 2010 at 11:15 PM, Will Metcalf <william.metcalf () gmail com> wrote:
>> Failing to use the http_cookie modifier on a rule where there is another rule that matches the same packet makes a rule that should fire fail.
>>
>> src/snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.8.5.3 (Build 124)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>>            Using PCRE version: 7.8 2008-09-05
>>
>> src/snort -k none -q -A console -c etc/snort.conf -l ./ -r oisfsearchnums.pcap
>>
>> #this combo works
>> #alert tcp any any -> any any (msg:"http_client_body"; content:"searchword="; uricontent:"/index.php"; nocase; classtype:bad-unknown; sid:59; rev:1;)
>> #alert tcp any any -> any any (msg:"http_cookie match "; content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703"; http_cookie; classtype:bad-unknown; sid:68; rev:1;)
>> #
>> #03/07-21:19:54.242506 [**] [1:59:1] http_client_body [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
>> #03/07-21:19:54.242506 [**] [1:68:1] http_cookie match [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
>> #03/07-21:19:54.364173 [**] [1:68:1] http_cookie match [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
>>
>> #the second rule does not fire
>> #alert tcp any any -> any any (msg:"http_client_body + depth"; content:"searchword="; uricontent:"/index.php"; nocase; classtype:bad-unknown; sid:59; rev:1;)
>> #alert tcp any any -> any any (msg:"http_cookie match"; content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703"; classtype:bad-unknown; sid:68; rev:1;)
>> #
>> #03/07-21:19:54.242506 [**] [1:59:1] http_client_body + depth [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
>>
>> #this rule fires when used on its own.
>> #alert tcp any any -> any any (msg:"http_cookie match"; content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703"; classtype:bad-unknown; sid:68; rev:1;)
>> #
>> #03/07-21:19:54.242506 [**] [1:68:1] http_cookie match [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
>> #03/07-21:19:54.364173 [**] [1:68:1] http_cookie match [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
>>
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel () lists sourceforge net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
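An added example, not code from the thread or from Snort itself: it parses the `-A console` alert lines pasted above and reports which SIDs fired on a packet in one run but are absent in another, which is the comparison behind this report (sid 68 fires on both packets alone, but not once sid 59 also matches the packet). The sample runs are copied from the thread; the packet key (timestamp, src, dst) is this script's own choice.

```python
import re
from collections import defaultdict

# Snort "-A console" (fast alert) line, as pasted in the thread (leading "#" stripped).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_alerts(text):
    """Return one dict per alert line; non-matching lines (rules, comments) are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip().lstrip("#").strip())
        if m:
            rec = m.groupdict()
            rec["sid"] = int(rec["sid"])
            out.append(rec)
    return out

def sids_per_packet(text):
    """Map (timestamp, src, dst) -> set of SIDs that fired on that packet (key is this script's choice)."""
    hits = defaultdict(set)
    for a in parse_alerts(text):
        hits[(a["ts"], a["src"], a["dst"])].add(a["sid"])
    return dict(hits)

def missing_alerts(baseline, candidate):
    """SIDs that fired on a packet in the baseline run but are absent for that packet in the candidate run."""
    base, cand = sids_per_packet(baseline), sids_per_packet(candidate)
    return {pkt: sids - cand.get(pkt, set())
            for pkt, sids in base.items() if sids - cand.get(pkt, set())}

# Alert output copied from the thread: sid 68 run alone, then sids 59 + 68 (68 without http_cookie).
RUN_68_ALONE = """
#03/07-21:19:54.242506 [**] [1:68:1] http_cookie match [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
#03/07-21:19:54.364173 [**] [1:68:1] http_cookie match [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
"""
RUN_59_AND_68 = """
#03/07-21:19:54.242506 [**] [1:59:1] http_client_body + depth [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
"""

if __name__ == "__main__":
    for pkt, sids in missing_alerts(RUN_68_ALONE, RUN_59_AND_68).items():
        print("packet %s %s -> %s lost sids %s" % (pkt[0], pkt[1], pkt[2], sorted(sids)))
```

Run it against the console output of two rule-set runs over the same pcap; any non-empty result is a candidate for exactly the rule-interaction effect reported here.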
Current thread:
- BUG: corner case involving http_cookie Will Metcalf (Mar 09)
- Re: BUG: corner case involving http_cookie beenph (Mar 09)
- Re: BUG: corner case involving http_cookie Will Metcalf (Mar 10)
- Re: BUG: corner case involving http_cookie Steven Sturges (Mar 10)
- Re: BUG: corner case involving http_cookie Will Metcalf (Mar 10)
- Re: BUG: corner case involving http_cookie Matt Jonkman (Mar 10)
- Re: BUG: corner case involving http_cookie Steven Sturges (Mar 10)
- Re: BUG: corner case involving http_cookie Will Metcalf (Mar 10)
- Re: BUG: corner case involving http_cookie Steven Sturges (Mar 10)
- Re: BUG: corner case involving http_cookie Will Metcalf (Mar 10)
- Re: BUG: corner case involving http_cookie Will Metcalf (Mar 10)
- Re: BUG: corner case involving http_cookie Will Metcalf (Mar 11)
- Re: BUG: corner case involving http_cookie Will Metcalf (Mar 15)
- Re: BUG: corner case involving http_cookie Will Metcalf (Mar 10)
- Re: BUG: corner case involving http_cookie beenph (Mar 09)