Snort mailing list archives
Re: Snort inline not detecting rules with "http + content + detection_filter"
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Sat, 5 Oct 2019 12:15:09 +0000
Hello
How are you starting snort?
Do you have a pcap of the traffic?
Does the alerting differ using another inline method (i.e afpacket) or readback mode (i.e. use -Q --daq dump
--daq-var load-mode=read-file).
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com
On 10/4/19, 3:03 PM, "Snort-users on behalf of Oguz Yilmaz via Snort-users" <snort-users-bounces () lists snort org on
behalf of snort-users () lists snort org> wrote:
Hello,
I have two rule below which are alerted in snort passive mode but not
in snort inline mode.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
Sqlmap SQL Injection Scan"; flow:to_server,established;
content:"User-Agent|3a| sqlmap"; fast_pattern:only; http_header;
detection_filter:track by_dst, count 2, seconds 5;
reference:url,sqlmap.sourceforge.net;
reference:url,doc.emergingthreats.net/2008538;
classtype:attempted-recon; sid:2008538; rev:8;
metadata:affected_product Web_Server_Applications, attack_target
Web_Server, deployment Datacenter, tag SQL_Injection,
signature_severity Major, created_at 2010_07_30, updated_at
2016_07_01;)
alert tcp any any -> any 80 (msg: "TCP Detect: HTTP User Agent";
content:"User-Agent|3a| sqlmap"; detection_filter:track by_dst, count
2, seconds 5; sid: 8140002; rev:1;)
In my tests, I have figured out that,
"for ET SCAN Sqlmap SQL Injection Scan" rule
- Rule alerts in snort passive mode
- In inline mode, it does not alert
- In inline mode, If I disable either "content" or "detection_filter"
match rule starts working.
"for TCP Detect rule"
- Rule alerts in snort passive mode
- In inline mode, it does not alert.
- In inline mode, If I disable either "content" or "detection_filter"
match rule starts working.
- In inline mode, normally I use 'curl -A "sqlmap" URL ' for trials.
When I turn back to 'echo "User-Agent sqlmap" | nc IP 80' the rules
starts working. (when I choose to use nc, it is not http anymore)
- In inline mode, If I disable http_inspect and http_inspect_server
preprocessors, rule starts working
So my outcome is http_inspect proprocessor with content and
detection_filter rule together has some problem in inline snort.
Snort version is 2.9.9.0 wifh nfq daq compiled and running.
Do you have any comments on the issue?
--
Oguz YILMAZ
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- Snort inline not detecting rules with "http + content + detection_filter" Oguz Yilmaz via Snort-users (Oct 04)
- Re: Snort inline not detecting rules with "http + content + detection_filter" wkitty42--- via Snort-users (Oct 04)
- Re: Snort inline not detecting rules with "http + content + detection_filter" Al Lewis (allewi) via Snort-users (Oct 05)