[Snort-devel] same content different service, only first rule honored.

Phil Wood cpw at ...86...
Thu May 2 13:15:38 EDT 2002


I've got bees buzzing around in my head.  The previous message about it
not working, and then working after twiddling the #define, was just a bunch
of hooey.

(Short answer: no difference in the test with the #define removed)


I uncommented #define PATTERN_FAST in sp_pattern_match.h (after running
the test with it commented out).  Then, I ran the test:

for p in 18 19; do id | nc -p $p cynosure 1022;sleep 2; done

Lo and behold, it worked correctly.  So, I'm seeing ghosts.  Here is one
that is definitely failing:

Here is the latest development using multiple patterns:

1. rules

redalert tcp any any -> $HOME_NET 1022 (msg: "APACHE cmd pipe bomb"; flags:A+; content: "cgi-bin"; content: ".cmd?%7C"; reference: bugtraq,4335; reference: cve,CVE-2002-0061; classtype: web-application-attack; sid:1510; rev:1;)
redalert tcp any any -> $HOME_NET 1022 (msg: "APACHE bat pipe bomb"; flags:A+; content: "cgi-bin"; content: ".bat?%7C"; reference: bugtraq,4335; reference: cve,CVE-2002-0061; classtype: web-application-attack; sid:1511; rev:1;)

2. send script

server=$1          # target host, given as the first argument
export p=1024      # fixed source port, so both connections look alike in the logs
echo "http://wonderlust.org/cgi-bin/mung.cmd?%7Cdate" | nc -p $p $server 1022
sleep 2
echo "http://wonderlust.org/cgi-bin/mung.bat?%7Cdate" | nc -p $p $server 1022

3. receive script

while true; do
    nc -l -p 1022    # accept one connection on 1022, then loop for the next
done

Test A syslog results, using 1, 2 and 3

May  2 13:33:05 cynosure snort: [1:1511:1] APACHE bat pipe bomb [Classification: Web Application Attack] [Priority: 1]: {TCP} 128.165.114.127:1024 -> 128.165.114.97:1022
 (Where is the cmd one?)

Test B syslog results, reorder the rules so that bat is first.

May  2 13:39:52 cynosure snort: [1:1510:1] APACHE cmd pipe bomb [Classification: Web Application Attack] [Priority: 1]: {TCP} 128.165.114.127:1024 -> 128.165.114.97:1022
 (Where is the bat one?)

Test C syslog results, change step 3 and just send one bat packet.

 (I've been waiting for about 5 minutes, no bat)

Test D syslog results, change step 3 and just send one cmd packet.

May  2 13:47:22 cynosure snort: [1:1510:1] APACHE cmd pipe bomb [Classification: Web Application Attack] [Priority: 1]: {TCP} 128.165.114.127:19 -> 128.165.114.97:1022

So, what happens when I remove the #define?

Test A:

May  2 14:04:27 cynosure snort: [1:1511:1] APACHE bat pipe bomb [Classification: Web Application Attack] [Priority: 1]: {TCP} 128.165.114.127:1024 -> 128.165.114.97:1022

Test B:

May  2 14:05:25 cynosure snort: [1:1510:1] APACHE cmd pipe bomb [Classification: Web Application Attack] [Priority: 1]: {TCP} 128.165.114.127:1024 -> 128.165.114.97:1022

Test C:

 (no alert)

Test D:

May  2 14:13:04 cynosure snort: [1:1510:1] APACHE cmd pipe bomb [Classification: Web Application Attack] [Priority: 1]: {TCP} 128.165.114.127:19 -> 128.165.114.97:1022

So, the #define had no effect.


On Wed, May 01, 2002 at 07:47:21PM -0400, Chris Green wrote:
> Phil Wood <cpw at ...86...> writes:
> 
> > Is this a known problem?
> >
> 
> Just mailed Mike a different example Brian sent me.  Do you get the
> same symptoms if you comment out #define PATTERN_FAST in
> sp_pattern_match.c?
> 
> There's definitely something odd going on with the pattern matcher and I'm
> trying to figure it out.  
> >
> > for p in 18 19; do id | nc -p $p server 1022;sleep 2; done
> >
> > Check your logs.  Only the port 18 packet will show up.
> >  
> > Thanks,
> >
> > Phil
> 
> -- 
> Chris Green <cmg at ...81...>
> A good pun is its own reword.

-- 
Phil Wood, cpw at ...86...
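Added example (not code from the thread or from Snort): a small Python reference matcher that parses the `content:` options of the two rules in step 1 and evaluates every rule against every payload from step 2 independently, so each rule's full content chain is checked even though both rules share the first content "cgi-bin". Its output is the set of sids tests A-D should produce, which can be compared against what snort actually logged; the option regex and the payload bytes are assumptions about the rule syntax and what nc delivers.

```python
import re

# The two rules from step 1 of the message, verbatim.
RULES = [
    'redalert tcp any any -> $HOME_NET 1022 (msg: "APACHE cmd pipe bomb"; flags:A+; content: "cgi-bin"; content: ".cmd?%7C"; reference: bugtraq,4335; reference: cve,CVE-2002-0061; classtype: web-application-attack; sid:1510; rev:1;)',
    'redalert tcp any any -> $HOME_NET 1022 (msg: "APACHE bat pipe bomb"; flags:A+; content: "cgi-bin"; content: ".bat?%7C"; reference: bugtraq,4335; reference: cve,CVE-2002-0061; classtype: web-application-attack; sid:1511; rev:1;)',
]

# Constructed payloads: what the send script (step 2) pipes into nc.
CMD = b"http://wonderlust.org/cgi-bin/mung.cmd?%7Cdate\n"
BAT = b"http://wonderlust.org/cgi-bin/mung.bat?%7Cdate\n"

# One rule option (assumed syntax): keyword, then a quoted string or bare text, up to ';'.
OPT = re.compile(r'(\w+)\s*:\s*("([^"]*)"|[^;]*);')


def parse_rule(rule):
    """Return (sid, [content strings as bytes]) for a single rule line."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    sid, contents = None, []
    for name, raw, quoted in OPT.findall(body):
        if name == "content":
            contents.append(quoted.encode())
        elif name == "sid":
            sid = int(raw.strip())
    return sid, contents


def rule_matches(contents, payload):
    """Every content string must occur, each one after the previous match."""
    pos = 0
    for c in contents:
        idx = payload.find(c, pos)
        if idx < 0:
            return False
        pos = idx + len(c)
    return True


def alerts(rules, payloads):
    """Evaluate every rule against every payload on its own; return the sids that fire."""
    parsed = [parse_rule(r) for r in rules]
    return [sid for p in payloads for sid, cs in parsed if rule_matches(cs, p)]


if __name__ == "__main__":
    print("Test A", alerts(RULES, [CMD, BAT]))        # [1510, 1511]
    print("Test B", alerts(RULES[::-1], [CMD, BAT]))  # [1510, 1511]
    print("Test C", alerts(RULES, [BAT]))             # [1511]
    print("Test D", alerts(RULES, [CMD]))             # [1510]
```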