Snort mailing list archives
Re: HttpInspect/HTTP preprocessor: false positives HI_CLISRV_MSG_SIZE_EXCEPTION
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 20 Aug 2013 08:40:37 -0400
On Tue, Aug 20, 2013 at 3:12 AM, Bram <bram-fabeg () mail wizbit be> wrote:
Hi Russ,

When I reported it I was using snort 2.9.5. I just retested it with snort 2.9.5.3 (compiled with -O0 and without patches) and it behaves the same.

Mentioning it just in case: did you fix the original config? To trigger this with the '120_8_2_80.cap' file the config ('preprocessor stream5_tcp') needs to be fixed...
Yes, I did use the corrected config. I'll try again.
To avoid any confusion:

$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.3 GRE (Build 132)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.8

(fixed) config:

dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/

preprocessor stream5_global: \
    track_tcp yes, \
    track_udp no, \
    track_icmp no

preprocessor stream5_tcp: policy first, ports both 80 8080

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

preprocessor http_inspect_server: server default \
    http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 4096 \
    max_headers 100 \
    max_spaces 0 \
    small_chunk_length { 10 5 } \
    ports { 80 7000 8080 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress \
    normalize_javascript \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    utf_8 no \
    u_encode yes \
    webroot no

alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120; rev: 2; metadata: rule-type preproc; )
alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc; )

output alert_fast: stdout

Running it:

$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_80.cap 2>&1 | grep '120:'
08/12-18:21:01.997838  [**] [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP} 192.168.173.153:43668 -> 192.168.173.1:80
08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:80 -> 192.168.173.153:43668

Comparing 'src/preprocessors/HttpInspect/utils/hi_paf.c' between snort 2.9.5 and snort 2.9.5.3 shows no relevant change. So this behaviour should be reproducible on both 2.9.5 and 2.9.5.3 (as shown above).

Best regards,
Bram

Quoting Russ Combs <rcombs () sourcefire com>:

Hey Bram - which version of Snort are you running? I'm only getting 120:3 with 295-132.

On Fri, Aug 16, 2013 at 8:55 AM, Russ Combs <rcombs () sourcefire com> wrote:

Thanks for reporting this. I will investigate and get back to you.
Russ
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
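When triaging a report like this one, it helps to parse the alert_fast output mechanically and flag any gid:sid outside the set expected for the pcap. The script below is an added example, not code from the thread or from the Snort project; the two alert lines quoted above are embedded as constructed sample input, and the expected set {(120, 3)} reflects the reporter's position that 120:8 is a false positive.

```python
import re
from collections import Counter

# Constructed sample: the two alert_fast lines from the thread, in the format
# "output alert_fast: stdout" produces ([gid:sid:rev], generator, message, 5-tuple).
SAMPLE_ALERTS = """\
08/12-18:21:01.997838  [**] [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP} 192.168.173.153:43668 -> 192.168.173.1:80
08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:80 -> 192.168.173.153:43668
"""

# One alert_fast line: timestamp, [gid:sid:rev], optional "(generator)", message,
# optional classification, priority, protocol and "src -> dst".
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:\((?P<source>[^)]*)\)\s+)?(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification: [^\]]*\])?\s+\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_alert_fast(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
            alerts.append(d)
    return alerts

def count_by_signature(alerts):
    """Count alerts per (gid, sid) so a regression run can be compared at a glance."""
    return Counter((a["gid"], a["sid"]) for a in alerts)

def unexpected_alerts(alerts, expected):
    """Return alerts whose (gid, sid) is not in the expected set for this pcap."""
    return [a for a in alerts if (a["gid"], a["sid"]) not in expected]

if __name__ == "__main__":
    import sys
    text = SAMPLE_ALERTS if sys.stdin.isatty() else sys.stdin.read()
    for a in unexpected_alerts(parse_alert_fast(text), {(120, 3)}):
        print(f"unexpected {a['gid']}:{a['sid']}:{a['rev']} {a['msg']} {a['src']} -> {a['dst']}")
```

Piping the snort command's output into the script (instead of grep '120:') prints the 120:8 alert as unexpected while staying silent on 120:3.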