Snort mailing list archives
Re: snort normalization trouble // not working as I expect
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 23 Dec 2013 12:25:51 +0000
The files/traffic aren't modified; it is normalized for inspection within the Snort engine itself.

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team

Sent from my iPhone.

On Dec 23, 2013, at 4:10, "Lil Evil" <Lil_Evil () gmx de> wrote:

Hi all,

I have been using snort successfully for quite some time now. I am now looking into configuring normalization, where I seem to hit a brick wall.

I run snort-2.9.5.5 (now snort-2.9.5.6) with daq-2.0.1, inline with nfqueue. I use iptables for inspecting forwarding traffic from the mangle chain via nfqueue. I run mostly drop rules (ips-balanced profile) pulled via pulledpork 0.7.

So far so good: if a rule is being hit, traffic is being dropped. Everything as expected.

Now, I try to convince snort to normalise http traffic, without success. My snort.conf (http_inspect section only) is at the bottom. I use the standard pre-processor rules (alert), which also fire when a normalisation condition is being met, but the client receives the traffic unnormalised.

I tried the following two scenarios:

unescape: this example from the readme.http_inspect

    </head>
    <body>
    <script>document.write(unescape(unescape("%48%65%6C%6C%6F%2C%20%73%6E%6F%72%74%20%74%65%61%6D%21")));
    </script>
    </body>
    </html>

Snort triggers an event, but the file can be retrieved unmodified from the client.

exceeding whitespaces: I have found a German website by chance that generates the exceeding whitespace alert:

    wget "http://www.adac.de/infotestrat/reparatur-pflege-und-wartung/werkstatt/werkstatt-maengel/default.aspx?ComponentId=34315&SourcePageId=50239#tabid=tab2"

Again snort triggers an event, but the client receives the file without it being normalised.

I must be doing something very basic wrong, or have a mistake in my setup.

From the logs I can tell that snort is normalizing (snort[1655]: Replace: 11 ( 0.002%)), but this must be ipv4 or another normalization option, as this appears very rarely.

Please can somebody point me to the obvious? Many thanks & merry Christmas. Please do let me know if you need more debugging information.

Cheers
lIl

———

debug:

snort configure flags:

    ./configure --prefix=/usr/local/snort --enable-sourcefire --enable-non-ether-decoders --enable-ha --enable-normalizer --enable-targetbased --enable-reload --enable-zlib --enable-ppm --enable-normalizer

daq configure flags:

    ./configure

iptables command:

    iptables -t mangle -D FORWARD -j NFQUEUE --queue-bypass --queue-num 0

snort.conf (excerpt):

    ….
    config daq: nfq
    config policy_mode:inline
    ….
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
    preprocessor http_inspect_server: server default \
        http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
        chunk_length 500000 \
        server_flow_depth 0 \
        client_flow_depth 0 \
        post_depth 65495 \
        oversize_dir_length 0 \
        max_header_length 0 \
        max_headers 100 \
        max_spaces 300 \
        small_chunk_length { 10 5 } \
        ports { 80 81 82 83 84 85 86 87 88 89 90 311 383 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 10000 11371 34443 34444 41080 50000 50002 55555 } \
        non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
        enable_cookie \
        extended_response_inspection \
        inspect_gzip \
        normalize_utf \
        unlimited_decompress \
        normalize_javascript \
        normalize_headers \
        normalize_cookies \
        normalize_utf \
        max_javascript_whitespaces 200 \
        apache_whitespace no \
        ascii no \
        bare_byte no \
        directory no \
        double_decode no \
        iis_backslash no \
        iis_delimiter no \
        iis_unicode no \
        multi_slash no \
        utf_8 no \
        u_encode yes \
        webroot no

preprocessor rules:

    alert ( msg: "HI_SERVER_JS_EXCESS_WS"; sid: 10; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
    alert ( msg: "HI_SERVER_JS_OBFUSCATION_EXCD"; sid: 9; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )

snort command:

    usr/local/snort/bin/snort -Q -D -u snort -g snort -c /usr/local/snort/etc/snort.ext.conf

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT organizations don't have a clear picture of how application performance affects their revenue. With AppDynamics, you get 100% visibility into your Java, .NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
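Joel's point is that http_inspect builds a normalized copy of the payload for the detection engine and never rewrites the packet the client receives, so the delivered file is not where normalization shows up. As an added illustration that is not code from the thread, from Snort or from the poster, the following Python sketch mimics the two http_inspect behaviours the poster tested (unescape decoding and JavaScript whitespace collapsing): it derives a normalized buffer from the quoted readme example, matches rule content against that buffer, raises the two preprocessor event names from the poster's rules, and hands the original bytes on unchanged. The whitespace limit mirrors the poster's max_javascript_whitespaces 200; the obfuscation-level threshold, the regexes and the sample bodies are constructed for this illustration and are not Snort's defaults or Snort's algorithm.

```python
"""Toy 'normalize for inspection' pass (added illustration, not Snort code).

The wire bytes are never touched: a separate normalized text buffer is built,
rule content is matched against that buffer, and the raw bytes are forwarded.
"""
import re
from urllib.parse import unquote

MAX_JS_WHITESPACE = 200      # same value as the poster's max_javascript_whitespaces
MAX_OBFUSCATION_LEVELS = 1   # threshold chosen for this illustration, not Snort's default
MAX_DECODE_PASSES = 16       # guard against runaway decoding loops

# Constructed sample 1: the readme.http_inspect snippet quoted in the thread.
RAW_BODY = (
    b'</head>\n<body>\n<script>document.write(unescape(unescape('
    b'"%48%65%6C%6C%6F%2C%20%73%6E%6F%72%74%20%74%65%61%6D%21")));\n'
    b'</script>\n</body>\n</html>\n'
)

# Constructed sample 2: a script with one whitespace run longer than the limit.
WS_BODY = b'<script>var x = 1;' + b' ' * 250 + b'alert(x);</script>'

# Matches an unescape("...") call whose argument is a plain string literal
# (innermost call first); a constructed pattern, not http_inspect's parser.
_UNESCAPE_CALL = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
_WS_RUN = re.compile(r'[ \t\r\n]+')


def normalize_for_inspection(raw: bytes,
                             max_ws: int = MAX_JS_WHITESPACE,
                             max_levels: int = MAX_OBFUSCATION_LEVELS):
    """Return (normalized_text, events). `raw` is read, never modified."""
    text = raw.decode("latin-1")   # byte-preserving decode for the inspection copy
    events = []

    # 1. Resolve unescape("...") literals from the inside out, counting how many
    #    decode levels were needed; too many levels is the obfuscation event.
    levels = 0
    for _ in range(MAX_DECODE_PASSES):
        m = _UNESCAPE_CALL.search(text)
        if m is None:
            break
        levels += 1
        decoded = unquote(m.group(1)).replace('"', '\\"')
        text = text[:m.start()] + '"' + decoded + '"' + text[m.end():]
    if levels > max_levels:
        events.append("HI_SERVER_JS_OBFUSCATION_EXCD")

    # 2. Collapse every whitespace run to one space; a run over the limit is
    #    the excess-whitespace event.
    excess = [False]

    def _squash(match):
        if len(match.group(0)) > max_ws:
            excess[0] = True
        return " "

    text = _WS_RUN.sub(_squash, text)
    if excess[0]:
        events.append("HI_SERVER_JS_EXCESS_WS")

    return text, events


def inspect(raw: bytes, content: str) -> dict:
    """Run one rule-style content match against the normalized copy of `raw`.

    'match' is what a rule would see; 'raw_match' is the same content tested
    on the wire bytes; 'forwarded' is what the client receives (unchanged).
    """
    normalized, events = normalize_for_inspection(raw)
    return {
        "events": events,
        "match": content in normalized,
        "raw_match": content in raw.decode("latin-1"),
        "forwarded": raw,
    }


if __name__ == "__main__":
    for body, content in ((RAW_BODY, "Hello, snort team!"), (WS_BODY, "alert(x)")):
        result = inspect(body, content)
        print(result["events"], "match on normalized:", result["match"],
              "match on wire bytes:", result["raw_match"],
              "client payload unchanged:", result["forwarded"] == body)
```

The practical check this suggests for the poster's situation: judge normalization by what the detection engine reports (a content match that only succeeds on decoded text, or the gid 120 events already firing), not by fetching the file at the client, which will always be the bytes as sent.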
Current thread:
- snort normalization trouble // not working as I expect Lil Evil (Dec 23)
- Re: snort normalization trouble // not working as I expect Joel Esler (jesler) (Dec 23)
- Re: snort normalization trouble // not working as I expect Lil Evil (Dec 23)
- Re: snort normalization trouble // not working as I expect Joel Esler (jesler) (Dec 23)
- Re: snort normalization trouble // not working as I expect Lil Evil (Dec 23)
- Re: snort normalization trouble // not working as I expect Joel Esler (jesler) (Dec 23)