Snort mailing list archives
Re: Snort doesn't trigger while the payload size is big (even for ~4-5KB files)
From: Sujit Ghosal <thesujit () gmail com>
Date: Mon, 13 Dec 2010 15:39:59 +0530
Hey Joel,

I have figured out the issue. It's because of TCP reassembly of packets. In the first stream of my payload Snort was working flawlessly, but if I jump to the second place of TCP-reassembled data then it was not detecting. Well, I knew that the problem can be solved using the flowbits keyword, but I wanted a solution where Snort can detect those reassembled packets as well. Is it possible to command Snort to handle TCP reassembly without the use of flowbits?

Regards,
Sujit

On Sun, Dec 5, 2010 at 10:52 PM, Joel Esler <jesler () sourcefire com> wrote:
Can you provide your Snort configuration, the rule you are trying to write and a full session pcap of the traffic you are attempting to detect?

On Sunday, December 5, 2010, Sujit Ghosal <thesujit () gmail com> wrote:
Hi All,

I had a similar type of issue some days back to detect any server-side/client-side vulnerabilities, as Snort was not detecting even a single GET or <html> pattern in any requests/responses respectively. Anyway, the problem is somehow solved. It just suddenly started working (maybe I think my firewall was blocking initially, I am not fully sure though).

Now I came across a very bizarre problem. While I am writing a client-side signature (let's say some PDF vulnerability signatures), if the PDF has fewer bytes (within 500-600 bytes and the whole PDF is of 600 bytes) and the attack pattern comes within those 600 bytes, then Snort detects it that time with my developed rule. But if I generate a malformed PDF file through MSF, then the malformed objects are being moved to > 600 and the pattern is present at the end of the PDF file (at around the 20000th offset). In such cases Snort is not detecting the attack. I checked the signature and everything is perfect, as I haven't given any such offset limitations inside that rule.

I gave a look in snort.conf to see the http_preprocessor configs and checked till how far Snort processes the data length, and it is set to 0. So I think it should work in any case.

Can anyone please guide me on what could be the issue and how I can resolve this?

Best Regards,
Sujit

--
Joel Esler
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
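The behaviour Sujit describes above (a rule that fires when the whole file fits in the first few hundred bytes, but not when the pattern sits around offset 20000) is what you get when every `content` in one rule must match inside a single reassembled buffer, while flowbits are the only state that survives from one buffer to the next. The following is an added, constructed model of that situation; it is not Snort code and not anything from the thread. It assumes a 1460-byte segment size, a 4096-byte flush depth and a rule that needs both the `%PDF-` file marker and the payload pattern `/JavaScript`; all of those values, the rule SIDs, the flowbit name `http.pdf` and the helper names are illustrative choices, not settings taken from the page.

```python
"""Toy model: per-PDU rule matching with flowbits carried across PDUs.

Constructed example for illustration only; not Snort's own code.
Snort-style equivalents of the two rule sets modelled below (illustrative):

  # single rule: both contents must land in the same reassembled buffer
  alert tcp any any -> any any (msg:"PDF exploit pattern"; flow:to_client,established;
      content:"%PDF-"; content:"/JavaScript"; sid:1000001; rev:1;)

  # flowbits pair: remember the file start, alert on the pattern later in the flow
  alert tcp any any -> any any (msg:"PDF start"; flow:to_client,established;
      content:"%PDF-"; flowbits:set,http.pdf; flowbits:noalert; sid:1000002; rev:1;)
  alert tcp any any -> any any (msg:"PDF exploit pattern"; flow:to_client,established;
      flowbits:isset,http.pdf; content:"/JavaScript"; sid:1000003; rev:1;)
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEGMENT_SIZE = 1460   # assumed TCP MSS
FLUSH_DEPTH = 4096    # assumed bytes handed to detection per reassembled PDU


def build_response(pattern_offset: int, pattern: bytes = b"/JavaScript") -> bytes:
    """Constructed PDF-shaped HTTP response body with the pattern at pattern_offset."""
    header = b"%PDF-1.4\n"
    filler = b"0" * max(0, pattern_offset - len(header))
    tail = b"2 0 obj << /S " + pattern + b" >> endobj\n%%EOF\n"
    return header + filler + tail


def segment(stream: bytes, size: int = SEGMENT_SIZE) -> List[bytes]:
    """Split the response into in-order TCP segments of `size` bytes."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def reassemble(segments: List[bytes], flush_depth: int = FLUSH_DEPTH) -> List[bytes]:
    """Model of a stream reassembler: queue segments, flush a PDU every
    flush_depth bytes, and flush whatever is left when the flow ends."""
    pdus: List[bytes] = []
    buf = bytearray()
    for seg in segments:
        buf.extend(seg)
        while len(buf) >= flush_depth:
            pdus.append(bytes(buf[:flush_depth]))
            del buf[:flush_depth]
    if buf:
        pdus.append(bytes(buf))
    return pdus


@dataclass
class Rule:
    sid: int
    contents: Tuple[bytes, ...]          # every content must be in the same PDU
    flowbits_set: Optional[str] = None   # flowbits:set,<name>
    flowbits_isset: Optional[str] = None # flowbits:isset,<name>
    noalert: bool = False                # flowbits:noalert


def inspect_flow(pdus: List[bytes], rules: List[Rule]) -> List[int]:
    """Evaluate each rule against each PDU in isolation; only the flowbits set
    persist between PDUs. Returns the SIDs that alerted, in order."""
    flowbits = set()
    alerts: List[int] = []
    for pdu in pdus:
        for r in rules:
            if r.flowbits_isset and r.flowbits_isset not in flowbits:
                continue
            if not all(c in pdu for c in r.contents):
                continue
            if r.flowbits_set:
                flowbits.add(r.flowbits_set)
            if not r.noalert:
                alerts.append(r.sid)
    return alerts


SINGLE_RULE = [Rule(sid=1000001, contents=(b"%PDF-", b"/JavaScript"))]
FLOWBITS_RULES = [
    Rule(sid=1000002, contents=(b"%PDF-",), flowbits_set="http.pdf", noalert=True),
    Rule(sid=1000003, contents=(b"/JavaScript",), flowbits_isset="http.pdf"),
]


def run(pattern_offset: int) -> dict:
    """Reassemble a constructed response and report what each rule set alerts on."""
    pdus = reassemble(segment(build_response(pattern_offset)))
    return {
        "pdus": len(pdus),
        "single": inspect_flow(pdus, SINGLE_RULE),
        "flowbits": inspect_flow(pdus, FLOWBITS_RULES),
    }


if __name__ == "__main__":
    for off in (500, 20000):
        print(off, run(off))
```

With the pattern at offset 500 the whole file lands in one PDU and both rule sets alert; at offset 20000 the file is flushed as five PDUs, `%PDF-` is only in the first and `/JavaScript` only in the last, so the single rule never sees both together while the flowbits pair still fires. In the model, raising `FLUSH_DEPTH` past the file size makes the single rule work again, which is the reassembly-side alternative Sujit is asking about, at the cost of buffering more of every flow.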
Current thread:
- Snort doesn't trigger while the payload size is big (even for ~4-5KB files) Sujit Ghosal (Dec 04)
- Re: Snort doesn't trigger while the payload size is big (even for ~4-5KB files) Joel Esler (Dec 05)
- Re: Snort doesn't trigger while the payload size is big (even for ~4-5KB files) Sujit Ghosal (Dec 13)
- Re: Snort doesn't trigger while the payload size is big (even for ~4-5KB files) Joel Esler (Dec 13)
- Re: Snort doesn't trigger while the payload size is big (even for ~4-5KB files) Sujit Ghosal (Dec 13)
- Re: Snort doesn't trigger while the payload size is big (even for ~4-5KB files) Joel Esler (Dec 13)
- Re: Snort doesn't trigger while the payload size is big (even for ~4-5KB files) Sujit Ghosal (Dec 14)
- Re: Snort doesn't trigger while the payload size is big (even for ~4-5KB files) Sujit Ghosal (Dec 13)
- Re: Snort doesn't trigger while the payload size is big (even for ~4-5KB files) Joel Esler (Dec 05)