Snort mailing list archives
Re: rules are not matched across the packet
From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Tue, 7 Jun 2011 14:46:06 -0400
What is your stream5 config? Have you turned on reassembly on HTTP ports? Do you have the HTTP ports in stream5 ports? This should be fixed by adding ports 80, 8080 to the "ports client" config of stream5.

-B

On Sat, Jun 4, 2011 at 5:19 AM, mahendra kumawat <mahendra.u27 () gmail com> wrote:
Hi,

I came across an issue today where snort doesn't appear to match content across packets and, since the feature is very basic to the IDS, I wanted to raise a red flag and seek your help. The issue is as follows:

1. Vulnerability: http://www.securityfocus.com/bid/47826
2. Exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/47826.txt

There are two exploits; let's take only the first one in this case. It's a form-based cross site scripting attempt using HTTP POST. I wrote a signature for this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Argyle Social Cross Site Scripting attempt"; flow:established,to_server; content:"stream_filter_rule"; http_client_body; reference:bugtraq,47826; classtype:web-application-attack; sid:50000027; rev:1;)

I attached a pcap for testing, "47826f.pcap". Please look at packets no. 4 and 5, across which the exploit content is split. When I ran snort on this pcap, no alert was generated. But when I removed the "http_client_body" keyword from the rule, I got an alert. So I think when I use "http_client_body" there is some problem with across-packet matching.

I also tried after changing it to content:"script";, but when I used the "http_client_body" keyword after content, I did not get any alert. When I removed "http_client_body", I got an alert. It shows the same problem.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NIKSUN-WEB-CLIENT Cross Site Scripting attempt"; flow:established,to_server; content:"script"; http_client_body; reference:bugtraq,47826; classtype:web-application-attack; sid:50000027; rev:1;)

I have the configuration below in snort.conf for http_inspect.

# http_inspect: normalize and detect HTTP traffic and protocol anomalies
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0 post_depth 65495

Snort version:

           -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21

So please advise me: what is wrong with my snort? Why is this happening? How can I resolve this problem? Please communicate with me on the same id (mahendrau.27 () gmail com).

Thanks,
Mahendra

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
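The fix the reply points at, written out as a stream5/http_inspect fragment for Snort 2.8.6.x. This is an added example, not configuration from the thread or from the Snort project; the port list, the "first" reassembly policy and the memory limits are assumptions to be matched to the servers actually being monitored. The point it shows: http_client_body is evaluated on the reassembled client stream, so the HTTP ports http_inspect_server is configured for must also appear in the stream5_tcp "ports client" (or "ports both") list, otherwise each TCP segment is inspected on its own and a content split across packets 4 and 5 can never match.

```conf
# Added example, not from the thread. Ports and policy below are assumptions.

preprocessor stream5_global: track_tcp yes, \
    track_udp yes, \
    max_tcp 262144, \
    max_udp 131072

# Weak setting: no HTTP ports in the client list, so stream5 never hands
# http_inspect a reassembled POST body and http_client_body matches
# cannot span segments (only non-reassembled packet-by-packet matching works).
#
#   preprocessor stream5_tcp: policy first, ports client 21 25 110 143

# Corrected setting: every port listed in http_inspect_server below is also
# reassembled on the client-to-server side.
preprocessor stream5_tcp: policy first, \
    ports client 21 25 110 143 80 8080 8180

preprocessor stream5_udp: timeout 180

# http_inspect must cover the same ports; post_depth must be large enough to
# reach the body offset the rule is looking for (the poster's values kept here).
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0 post_depth 65495
```

To check the change, re-run Snort against the capture with the rule loaded, for example `snort -c snort.conf -r 47826f.pcap -A console`, and confirm the sid fires once on the POST that spans packets 4 and 5. Since the rule uses `flow:established,to_server`, the check is most reliable when the capture includes the TCP handshake so stream5 tracks the session from the start.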
Current thread:
- rules are not matched across the packet mahendra kumawat (Jun 07)
- rules are not matched across the packet mahendra kumawat (Jun 07)
- Re: rules are not matched across the packet Bhagya Bantwal (Jun 07)
- Re: rules are not matched across the packet rmkml (Jun 07)
- rules are not matched across the packet mahendra kumawat (Jun 07)