[Snort-devel] Re: Bug in spp_stream4.c (snort-1.8.1-RELEASE)

Paulo Alexandre Pinto Pires pappires at ...899...
Tue Oct 23 10:48:08 EDT 2001


Hello, Marty.

I am sending the test set I was using with snort together with its
output (when there was output).


For the first rule:

    % telnet mailhost 25
    helo something1
    mail from: otherstuff2 at ...899...
    rcpt to: pappires at ...899...
    data
    Test
    .
    quit

Output with 1.8.1_RELEASE: /var/log/snort/alert
    [**] [1:0:0] something1+otherstuff2 detected [**]
    10/22-12:52:22.213856 192.168.0.2:16691 -> 192.168.0.1:25
    TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:144
    ***AP*** Seq: 0x951B462A  Ack: 0xCB327D81  Win: 0x7FDF  TcpLen: 20

Output with CVS version (1.8.2beta0): /var/log/alert: Nothing!


For the second rule:

    % telnet squid 3128
    POST http://www.bol.com.br/cgi-bin/webmail.exe?q=abuse%40tmp.com.br HTTP/1.0
    Content-Length: 0

Output with 1.8.1_RELEASE: /var/log/snort/alert: Nothing!

Output with CVS version (1.8.2beta0): /var/log/snort/alert: Nothing!



On Mon, Oct 22, 2001 at 11:33:46AM -0300, Paulo Alexandre Pinto Pires wrote:
> Hello, Marty.
> 
> I downloaded the CVS version (at about 2001/10/22 09:20 -0300), built
> it and ran it, with the same configuration file I first sent you, still
> at the end of this message.  But I still have problems getting snort
> to do what I want it to do.
> 
> What I want is having snort search for a pair of strings that may
> occur at any time during TCP sessions.  I have two cases of interest,
> with different strings each, that may happen via SMTP or via a
> web-based e-mail provider.
> 
> Then I set the rules below but could not get the desired behaviour to
> happen.  The first rule, for SMTP, worked fairly well with 1.8.1, but
> failed to work if the two strings were too distant from one another.
> The second rule never worked, even with variations to make string
> matches exact, instead of case-insensitive and with wildcard characters.
> With the CVS version, even the test set for the first rule stopped
> producing alarms.
> 
> Are my rules wrong for the behaviour I want?  Do you have any pointers?
> 
> I tried the same versions with the same rule set on a NetBSD-1.5.2
> machine, and results were exactly the same.
> 
> System architecture: i386 (Pentium-III 700)
> 
> Operating system: Linux, kernel 2.0.36, libc5; NetBSD-1.5.2
> 
> Rules:
> 8<------------------------------------------------------------------------
>     #snort config file to test ability to detect suspect content
> 
>     preprocessor frag2
>     preprocessor stream4: timeout 60
>     preprocessor stream4_reassemble: clientonly, ports 25 3128
> 
>     var MONITORED_CLIENTS [0/0]
>     var MONITORED_SERVERS [0/0]
>     var SERVER_PORT 80
> 
>     alert tcp any any -> any any (  \
>             flags: A+;                                                      \
>                                             \
>             content: "something1";                                            \
>             content: "otherstuff2";                                          \
>             nocase;                                                         \
> 
>             msg: "something1+otherstuff2 detected";\
> 
>     )
> 
>     alert tcp any any -> any any (  \
>             flags: A+;                                                      \
>                                             \
>             content: "POST /cgi-bin/webmail.exe";                           \
>             content: "=abuse%40tmp.com.br";                                 \
>             nocase;                                                         \
> 
>             msg: "Detected sending webmail to abuse at ...899...";\
>     )
> 
>     #eof snort.conf
> ------------------------------------------------------------------------>8
> 
> Command line used: "snort -z est", "snort -b -z est", "snort -z all", "snort -b -z all"
> 
> Any Snort error messages: None
> 
> -- 
>         Paulo Alexandre Pinto Pires -- pappires at ...899...
>         TMP Consultoria em Informatica S/C -- http://www.tmp.com.br
>         Phone: +55-21-2556-3791

-- 
        Paulo Alexandre Pinto Pires -- pappires at ...899...
        TMP Consultoria em Informatica S/C -- http://www.tmp.com.br
        Phone: +55-21-2556-3791
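The two test sessions above are a good illustration of why a rule with two content options behaves differently with and without stream reassembly. The following Python script is an added example written for this thread; it is not Snort's code and does not reproduce stream4's real buffering logic. It models three things a practitioner would check before blaming the preprocessor: (1) with no reassembly, each telnet line is its own TCP segment, so no single packet ever holds both strings; (2) once the client side is reassembled (as `stream4_reassemble: clientonly` requests), the pair is found; (3) if the reassembly buffer is flushed before both strings have arrived, the match is lost again, which is the "too distant from one another" symptom. It also shows that the second rule's first content, `POST /cgi-bin/webmail.exe`, is not a substring of the proxy-style request line `POST http://www.bol.com.br/cgi-bin/webmail.exe?...` sent to squid, so that rule cannot fire on that request regardless of reassembly. The session data, e-mail addresses, `flush_bytes` parameter and `Rule`/`Segment` classes are all constructed for this example.

```python
"""Toy model of per-packet versus reassembled-stream matching for a rule
with two `content:` options.

Added illustration for the thread above. It is NOT Snort code and does not
reproduce stream4's buffering rules; `flush_bytes` is a made-up stand-in
for a bounded reassembly buffer. All segments are constructed sample data
modelled on the sessions in the post (addresses are placeholders).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    msg: str
    # (pattern, nocase) pairs; every pattern must occur somewhere in the
    # searched buffer. Ordering/distance constraints are left out on purpose.
    contents: List[Tuple[bytes, bool]]


@dataclass
class Segment:
    side: str       # "client" or "server"
    payload: bytes


def _contains(buf: bytes, pattern: bytes, nocase: bool) -> bool:
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def rule_matches(rule: Rule, buf: bytes) -> bool:
    """True when every content pattern of the rule occurs in buf."""
    return all(_contains(buf, p, nc) for p, nc in rule.contents)


def match_per_packet(rule: Rule, segments: List[Segment]) -> List[int]:
    """Indices of segments whose own payload satisfies the rule (no reassembly)."""
    return [i for i, s in enumerate(segments) if rule_matches(rule, s.payload)]


def reassembled_chunks(segments: List[Segment], side: str = "client",
                       flush_bytes: Optional[int] = None) -> List[bytes]:
    """Concatenate one side's payloads in order (cf. stream4_reassemble
    clientonly) and hand the buffer to detection in chunks. When flush_bytes
    is set, the buffer is flushed once it holds at least that many bytes and
    a fresh buffer is started; patterns split across a flush are never seen
    together."""
    chunks, buf = [], b""
    for s in segments:
        if s.side != side:
            continue
        buf += s.payload
        if flush_bytes is not None and len(buf) >= flush_bytes:
            chunks.append(buf)
            buf = b""
    if buf:
        chunks.append(buf)
    return chunks


def match_reassembled(rule: Rule, segments: List[Segment], side: str = "client",
                      flush_bytes: Optional[int] = None) -> bool:
    return any(rule_matches(rule, c)
               for c in reassembled_chunks(segments, side, flush_bytes))


# First rule from the post. Its `nocase` follows the second content, so only
# that pattern is treated case-insensitively here.
SMTP_RULE = Rule("something1+otherstuff2 detected",
                 [(b"something1", False), (b"otherstuff2", True)])

# Interactive telnet session: each typed line travels in its own segment.
SMTP_SESSION = [
    Segment("server", b"220 mailhost ESMTP\r\n"),
    Segment("client", b"helo something1\r\n"),
    Segment("server", b"250 mailhost\r\n"),
    Segment("client", b"mail from: otherstuff2@example.com\r\n"),
    Segment("server", b"250 ok\r\n"),
    Segment("client", b"rcpt to: pappires@example.com\r\n"),
    Segment("server", b"250 ok\r\n"),
    Segment("client", b"data\r\n"),
    Segment("server", b"354 go ahead\r\n"),
    Segment("client", b"Test\r\n.\r\n"),
    Segment("server", b"250 queued\r\n"),
    Segment("client", b"quit\r\n"),
]

# Second rule from the post, and the request as it is sent to the proxy:
# a proxy request line carries an absolute URL, so "POST /cgi-bin/..." is
# never a contiguous substring of it.
WEBMAIL_RULE = Rule("Detected sending webmail",
                    [(b"POST /cgi-bin/webmail.exe", False),
                     (b"=abuse%40tmp.com.br", True)])
PROXY_AWARE_RULE = Rule(WEBMAIL_RULE.msg,
                        [(b"/cgi-bin/webmail.exe", False),
                         (b"=abuse%40tmp.com.br", True)])
PROXY_REQUEST = [
    Segment("client", b"POST http://www.bol.com.br/cgi-bin/webmail.exe"
                      b"?q=abuse%40tmp.com.br HTTP/1.0\r\n"),
    Segment("client", b"Content-Length: 0\r\n\r\n"),
]


if __name__ == "__main__":
    print("SMTP, per packet:      ", match_per_packet(SMTP_RULE, SMTP_SESSION))
    print("SMTP, reassembled:     ", match_reassembled(SMTP_RULE, SMTP_SESSION))
    print("SMTP, flush every 16B: ", match_reassembled(SMTP_RULE, SMTP_SESSION, flush_bytes=16))
    print("Webmail rule as posted:", match_reassembled(WEBMAIL_RULE, PROXY_REQUEST))
    print("Webmail rule, proxy-aware:", match_per_packet(PROXY_AWARE_RULE, PROXY_REQUEST))
```

Running it prints an empty match list for the per-packet SMTP case, `True` once the client side is reassembled, `False` again with the small flush window, `False` for the webmail rule as posted, and `[0]` for the proxy-aware variant. The real stream4 flush points depend on its own buffer and timeout settings rather than on a fixed byte count, so treat the window here only as a way to see the failure mode, not as a description of the preprocessor.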