Snort mailing list archives
Re: Snort inline not detecting rules with "http + content + detection_filter"
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Sat, 5 Oct 2019 12:15:09 +0000
Hello,

How are you starting snort? Do you have a pcap of the traffic? Does the alerting differ using another inline method (i.e. afpacket) or readback mode (i.e. use -Q --daq dump --daq-var load-mode=read-file)?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

On 10/4/19, 3:03 PM, "Snort-users on behalf of Oguz Yilmaz via Snort-users" <snort-users-bounces () lists snort org on behalf of snort-users () lists snort org> wrote:

Hello,

I have the two rules below, which alert in snort passive mode but not in snort inline mode.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Sqlmap SQL Injection Scan"; flow:to_server,established; content:"User-Agent|3a| sqlmap"; fast_pattern:only; http_header; detection_filter:track by_dst, count 2, seconds 5; reference:url,sqlmap.sourceforge.net; reference:url,doc.emergingthreats.net/2008538; classtype:attempted-recon; sid:2008538; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp any any -> any 80 (msg: "TCP Detect: HTTP User Agent"; content:"User-Agent|3a| sqlmap"; detection_filter:track by_dst, count 2, seconds 5; sid: 8140002; rev:1;)

In my tests, I have figured out that:

For the "ET SCAN Sqlmap SQL Injection Scan" rule:
- Rule alerts in snort passive mode.
- In inline mode, it does not alert.
- In inline mode, if I disable either the "content" or the "detection_filter" match, the rule starts working.

For the "TCP Detect" rule:
- Rule alerts in snort passive mode.
- In inline mode, it does not alert.
- In inline mode, if I disable either the "content" or the "detection_filter" match, the rule starts working.
- In inline mode, normally I use 'curl -A "sqlmap" URL' for trials. When I turn back to 'echo "User-Agent sqlmap" | nc IP 80', the rules start working. (When I choose to use nc, it is not http anymore.)
- In inline mode, if I disable the http_inspect and http_inspect_server preprocessors, the rule starts working.

So my outcome is that the http_inspect preprocessor, together with a rule containing content and detection_filter, has some problem in inline snort.

Snort version is 2.9.9.0 with nfq daq compiled and running.

Do you have any comments on the issue?

-- Oguz YILMAZ

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
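Both rules in the thread combine a content match on the User-Agent header with "detection_filter: track by_dst, count 2, seconds 5", so whether an alert appears depends not only on the content match but on how many times the rule has matched for that destination inside the window. The script below is an added example (it is not code from either poster or from Snort) that simulates that threshold over constructed curl-style requests, so a tester knows how many requests to send and how fast before expecting an event. It follows the Snort manual's description that the rule fires once the matches for a host exceed count within seconds; the window handling (starts at the first match, restarts once it has expired), the request bytes, destinations and timestamps are assumptions built for the demo.

```python
"""Simulate Snort's detection_filter threshold on constructed HTTP requests.

Added example for the thread above; not code from the posters or from Snort.
It models the option both posted rules share,
    detection_filter: track by_dst, count 2, seconds 5;
as documented in the Snort manual: the rule fires on a match only once the
number of matches for that destination exceeds `count` within `seconds`.
The window handling (starts at the first match, restarts once it has expired)
and the request/timestamp data below are assumptions constructed for the demo.
"""
from typing import Dict, List, Optional, Tuple

# The content both rules carry: "User-Agent|3a| sqlmap" == b"User-Agent: sqlmap".
CONTENT = b"User-Agent: sqlmap"


def content_matches(payload: bytes) -> bool:
    """Plain byte search, standing in for Snort's content match."""
    return CONTENT in payload


def http_request(path: str, user_agent: str) -> bytes:
    """Build a request like the one curl -A "<user_agent>" sends (constructed)."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: target.example\r\n"
        f"User-Agent: {user_agent}\r\n"
        f"Accept: */*\r\n\r\n"
    ).encode()


class DetectionFilter:
    """track by_dst, count N, seconds S (assumed window semantics, see above)."""

    def __init__(self, count: int, seconds: float) -> None:
        if count <= 0:
            raise ValueError("count must be nonzero")  # manual: "C must be nonzero"
        self.count = count
        self.seconds = seconds
        # dst -> (window start time, matches seen in this window)
        self._state: Dict[str, Tuple[Optional[float], int]] = {}

    def match(self, dst: str, now: float) -> bool:
        """Record one rule match for dst at time `now`; True means Snort raises the event."""
        start, n = self._state.get(dst, (None, 0))
        if start is None or now - start > self.seconds:
            start, n = now, 0  # first match, or the window expired: restart it
        n += 1
        self._state[dst] = (start, n)
        return n > self.count


# Constructed traffic: (time in seconds, destination, payload).
EVENTS: List[Tuple[float, str, bytes]] = [
    (0.0,  "10.0.0.5", http_request("/", "sqlmap")),       # 0: match 1 for .5
    (1.0,  "10.0.0.5", http_request("/login", "sqlmap")),  # 1: match 2
    (2.0,  "10.0.0.5", http_request("/?id=1", "sqlmap")),  # 2: match 3 -> alert
    (3.0,  "10.0.0.6", http_request("/", "sqlmap")),       # 3: other dst, match 1
    (4.0,  "10.0.0.5", http_request("/", "curl/7.64.1")),  # 4: no content match
    (9.0,  "10.0.0.5", http_request("/", "sqlmap")),       # 5: window expired, restart
    (10.0, "10.0.0.5", http_request("/", "sqlmap")),       # 6: match 2
    (10.5, "10.0.0.5", http_request("/", "sqlmap")),       # 7: match 3 -> alert
]


def run(events=EVENTS, count: int = 2, seconds: float = 5.0) -> List[int]:
    """Return the indexes of the events on which the rule would alert."""
    df = DetectionFilter(count, seconds)
    alerts: List[int] = []
    for i, (t, dst, payload) in enumerate(events):
        # Only rule matches are counted; a non-matching request does not touch the filter.
        if content_matches(payload) and df.match(dst, t):
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    for i in run():
        t, dst, _ = EVENTS[i]
        print(f"event {i}: alert for destination {dst} at t={t}s")
```

With count 2, a single curl -A "sqlmap" request never produces an event on its own; the third matching request to the same destination inside five seconds does, which is worth keeping in mind when comparing passive and inline runs by hand.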
Current thread:
- Snort inline not detecting rules with "http + content + detection_filter" Oguz Yilmaz via Snort-users (Oct 04)
- Re: Snort inline not detecting rules with "http + content + detection_filter" wkitty42--- via Snort-users (Oct 04)
- Re: Snort inline not detecting rules with "http + content + detection_filter" Al Lewis (allewi) via Snort-users (Oct 05)