
[Snort-users] problem with http_inspect_server interactions with rules

Old 11-23-2004
Joe Patterson

I've seen something that I *think* is an error, and is certainly undesired
behavior, with an interaction between http_inspect_server parameters and
some rules (I haven't tested many rules, I want to get this one working so
that I know what the core problem is). I've tested this on snort 2.2.0
build 30 and 2.3.0RC1 Build 8, I'm using a linux 2.6.5 kernel running
gentoo.

I've got a pcap file
(http://www.asgardgroup.com/~jpatters...rt/mydata.pcap) with two http GET
requests in it, and the responses to them (note that this is a completely
contrived example. I contrived it for the purpose of triggering two rules
for some unrelated event correlation work, and was surprised when snort
didn't give me the output I was expecting). I've also got a snort config
file (http://www.asgardgroup.com/~jpatters...t/mysnort.conf) containing
exactly two alert rules, and the variables and preprocessors necessary to
their correct operation.

The specific rules (from the current rulebase) are:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; flow:to_server,established; uricontent:"/level/"; uricontent:"/exec/"; reference:bugtraq,2936; reference:cve,2001-0537; classtype:web-application-attack; sid:1250; rev:11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; flow:from_server,established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:8;)

If I run the following command:

snort -c ./mysnort.conf -l . -r ./mydata.pcap -A full -k none

I get an alert output that contains only the two "WEB-MISC Cisco IOS HTTP
configuration attempt" entries.

Now, if I comment out the configuration line:

preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500

then I get a very different looking alert file that contains only the
"ATTACK-RESPONSES directory listing" alert.

I can't figure out for the life of me why that configuration option would
either enable the HTTP configuration attempt alert, or why its absence
would disable the same. Nor can I figure out why its absence would disable the
attack response rule, and its presence would disable that rule.

Anyone have any thoughts as to why this sort of thing might happen?

Thanks,

-Joe Patterson, CCNP, CISSP
Senior Security Engineer
SteelCloud, Inc.
(954)318-3200x105
jpatterson@asgardgroup.com
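As an added illustration (not part of the original post, and not Snort's own code), the following Python model shows why a rule built only from uricontent options depends on the http_inspect preprocessor: in Snort 2.x, uricontent searches the normalized URI buffer that the preprocessor fills in, while content searches the raw TCP payload, so with the preprocessor commented out the URI buffer stays empty and sid 1250 has nothing to match. The request and response bytes are constructed to resemble what the two rules look for and are not taken from the poster's pcap; the URI normalization is a deliberate simplification of what http_inspect does. The model accounts for the first observation (sid 1250 firing only with the preprocessor enabled); it does not model whatever suppressed sid 1292 when the preprocessor was on.

```python
"""Toy model of how Snort 2.x rule options pick their search buffer.

`content` searches the raw TCP payload.  `uricontent` searches the URI
buffer that the http_inspect preprocessor populates after normalizing the
request line; with the preprocessor disabled that buffer is empty, so a
rule made only of `uricontent` options can never match.  All traffic here
is constructed for the example, not taken from the poster's pcap.
"""
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample traffic (assumption: shaped like the poster's test data).
CLIENT_REQUEST = (
    b"GET /level/16/exec/show/running-config HTTP/1.0\r\n"
    b"Host: router.example.test\r\n\r\n"
)
SERVER_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b" Volume in drive C has no label.\r\n"
    b" Volume Serial Number is 1A2B-3C4D\r\n"
)


@dataclass
class Packet:
    to_server: bool
    payload: bytes
    uri: bytes = b""  # normalized URI buffer; filled only when the inspector runs


def http_inspect(pkt):
    """Simplified stand-in for http_inspect's URI normalization.

    Only client requests get a URI.  Percent-escapes are decoded and
    redundant path separators are collapsed, so a rule author can match on
    the canonical form instead of every encoding of it.
    """
    if not pkt.to_server:
        return pkt
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return pkt
    norm = unquote(parts[1].decode("latin-1")).encode("latin-1")
    while b"/./" in norm:
        norm = norm.replace(b"/./", b"/")
    while b"//" in norm:
        norm = norm.replace(b"//", b"/")
    pkt.uri = norm
    return pkt


@dataclass
class Rule:
    sid: int
    msg: str
    to_server: bool                                   # flow:to_server / flow:from_server
    content: list = field(default_factory=list)       # patterns checked against raw payload
    uricontent: list = field(default_factory=list)    # patterns checked against the URI buffer


# The two rules from the post, reduced to the options this model understands.
RULES = [
    Rule(1250, "WEB-MISC Cisco IOS HTTP configuration attempt", True,
         uricontent=[b"/level/", b"/exec/"]),
    Rule(1292, "ATTACK-RESPONSES directory listing", False,
         content=[b"Volume Serial Number"]),
]


def rule_matches(rule, pkt):
    if rule.to_server != pkt.to_server:
        return False
    if not all(c in pkt.payload for c in rule.content):
        return False
    # uricontent has no raw-payload fallback: an empty URI buffer never matches.
    return all(u in pkt.uri for u in rule.uricontent)


def run(packets, inspector_enabled):
    """Return the SIDs that fire, in packet order, for one configuration."""
    fired = []
    for src in packets:
        pkt = Packet(src.to_server, src.payload)  # fresh copy with an empty URI buffer
        if inspector_enabled:
            pkt = http_inspect(pkt)
        fired.extend(rule.sid for rule in RULES if rule_matches(rule, pkt))
    return fired


def sample_packets():
    return [Packet(True, CLIENT_REQUEST), Packet(False, SERVER_RESPONSE)]


if __name__ == "__main__":
    for enabled in (True, False):
        state = "on " if enabled else "off"
        print(f"http_inspect {state} -> sids fired: {run(sample_packets(), enabled)}")
```

The useful check when debugging a case like the one in the post is to compare the two runs side by side: a rule that disappears when the preprocessor is removed is almost always one whose options read from a buffer that only the preprocessor fills.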
