[Snort-devel] Re: Bug in spp_stream4.c (snort-1.8.1-RELEASE)

Paulo Alexandre Pinto Pires pappires at ...899...
Tue Oct 23 10:48:09 EDT 2001

Hello, Marty.

I downloaded the CVS version (at about 2001/10/22 09:20 -0300), built
it and ran, with the same configuration file I first sent you, still
at the end of this message.  But I still have problems getting snort
do what I want it to do.

What I want is having snort search for a pair of strings that may
occur at any time during TCP sessions.  I have two cases of interest,
with different strings each, that may happen via SMTP or via a
web-based e-mail provider.

Then I set the rules below but could not get the desired behaviour to
happen.  The first rule, for SMTP, worked fairly well with 1.8.1, but
failed to work if the two strings were too distant from one another.
The second rule never worked, even with variations to make string
matches exact, instead of case-insentive and with wildcard characters.
With the CVS version, even the test set for the first rule stopped
producing alarms.

Are my rules wrong for the behaviour I want?  Do you have any pointers?

I tried the same versions with the same rule set in a NetBSD-1.5.2
machine, and results were excatly the same.

System architecture: i386 (Pentium-III 700)

Operating system: Linux, kernel 2.0.36, libc5; NetBSD-1.5.2

    #snort config file to test ability to detect suspect content

    preprocessor frag2
    preprocessor stream4: timeout 60
    preprocessor stream4_reassemble: clientonly, ports 25 3128

    var SERVER_PORT 80

    alert tcp any any -> any any (  \
            flags: A+;                                                      \
            content: "something1";                                            \
            content: "otherstuff2";                                          \
            nocase;                                                         \

            msg: "something1+otherstuff2 detected";\


    alert tcp any any -> any any (  \
            flags: A+;                                                      \
            content: "POST /cgi-bin/webmail.exe";                           \
            content: "=abuse%40tmp.com.br";                                 \
            nocase;                                                         \

            msg: "Detected sending webmail to abuse at ...899...";\

    #eof snort.conf

Command line used: "snort -z est", "snort -b -z est", "snort -z all", "snort -b -z all"

Any Snort error messages: None

        Paulo Alexandre Pinto Pires -- pappires at ...899...
        TMP Consultoria em Informatica S/C -- http://www.tmp.com.br
        Phone: +55-21-2556-3791

More information about the Snort-devel mailing list