[Snort-devel] Snort 2.0 build13 problem

Lawrence Reed Lawrence.Reed at ...1489...
Mon Oct 28 12:17:15 EST 2002



I am running snort 2.0 build13 on RH 7.3 Linux. I am logging to unified
file then using BY rc3 to send the alert to the mysql db. This setup is
working great with one exception.

It looks like the httpflow pre-processor is corrupting packets.  Here is
a packet payload from ACID.  Notice the server response beginning at
offset 1b8.  The amount of server response data included is exactly the
httpflow depth setting (150).

I have included the rule that triggered this alert below for reference.
I have also included the snort output to show the configuration.

I am going to run without httpflow to see if that helps.

TIA,
Larry

000 : 47 45 54 20 2F 73 69 74 65 61 72 74 2F 63 6F 6C   GET /siteart/col
010 : 62 63 6B 67 72 6F 75 6E 64 2E 6A 70 67 20 48 54   bckground.jpg HT
020 : 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20   TP/1.1..Accept:
030 : 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74   */*..Referer: ht
040 : 74 70 3A 2F 2F 77 77 77 2E 63 6F 72 69 73 2E 6E   tp://www.coris.n
050 : 6F 61 61 2E 67 6F 76 2F 6C 69 62 72 61 72 79 2F   oaa.gov/library/
060 : 77 65 6C 63 6F 6D 65 2E 68 74 6D 6C 0D 0A 41 63   welcome.html..Ac
070 : 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65   cept-Language: e
080 : 6E 2D 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E 63   n-us..Accept-Enc
090 : 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66   oding: gzip, def
0a0 : 6C 61 74 65 0D 0A 49 66 2D 4D 6F 64 69 66 69 65   late..If-Modifie
0b0 : 64 2D 53 69 6E 63 65 3A 20 54 68 75 2C 20 32 34   d-Since: Thu, 24
0c0 : 20 4F 63 74 20 32 30 30 32 20 31 33 3A 32 38 3A    Oct 2002 13:28:
0d0 : 30 33 20 47 4D 54 0D 0A 49 66 2D 4E 6F 6E 65 2D   03 GMT..If-None-
0e0 : 4D 61 74 63 68 3A 20 22 31 35 64 34 32 34 2D 35   Match: "15d424-5
0f0 : 38 30 2D 33 64 62 37 66 35 36 33 22 0D 0A 55 73   80-3db7f563"..Us
100 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
110 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C   a/4.0 (compatibl
120 : 65 3B 20 4D 53 49 45 20 35 2E 35 3B 20 57 69 6E   e; MSIE 5.5; Win
130 : 64 6F 77 73 20 4E 54 20 35 2E 30 3B 20 44 69 67   dows NT 5.0; Dig
140 : 45 78 74 3B 20 54 33 31 32 34 36 31 29 0D 0A 48   Ext; T312461)..H
150 : 6F 73 74 3A 20 77 77 77 2E 63 6F 72 69 73 2E 6E   ost: www.coris.n
160 : 6F 61 61 2E 67 6F 76 0D 0A 43 6F 6E 6E 65 63 74   oaa.gov..Connect
170 : 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D   ion: Keep-Alive.
180 : 0A 0D 0A 35 32 33 36 32 30 3B 20 43 41 52 54 49   ...523620;CARTI

      I don't know what this is

190 : 54 45 4D 53 3D 30 3B 20 43 46 49 44 3D 34 39 31   TEMS=0; CFID=491
1a0 : 31 31 37 31 3B 20 43 46 54 4F 4B 45 4E 3D 36 33   1171; CFTOKEN=63
1b0 : 30 30 30 30 0D 0A 0D 0A 48 54 54 50 2F 31 2E 31   0000....HTTP/1.1

   server response starts here

1c0 : 20 32 30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 4D    200 OK..Date: M
1d0 : 6F 6E 2C 20 32 38 20 4F 63 74 20 32 30 30 32 20   on, 28 Oct 2002
1e0 : 31 37 3A 30 37 3A 35 30 20 47 4D 54 0D 0A 53 65   17:07:50 GMT..Se
1f0 : 72 76 65 72 3A 20 41 70 61 63 68 65 2F 31 2E 33   rver: Apache/1.3
200 : 2E 32 30 20 28 55 6E 69 78 29 0D 0A 45 78 70 69   .20 (Unix)..Expi
210 : 72 65 73 3A 20 4D 6F 6E 2C 20 32 38 20 4F 63 74   res: Mon, 28 Oct
220 : 20 32 30 30 32 20 31 37 3A 30 37 3A 35 31 20 47    2002 17:07:51 G
230 : 4D 54 0D 0A 54 72 61 6E 73 66 65 72 2D 45 6E 63   MT..Transfer-Enc
240 : 6F 64 69 6E 67 3A 20 63 68 75 6E 6B 65 64 67 69   oding: chunkedgi

  server response ends here 150 bytes after start

250 : 66 2C 20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D   f, image/x-xbitm
260 : 61 70 2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20   ap, image/jpeg,
270 : 69 6D 61 67 65 2F 70 6A 70 65 67 2C 20 61 70 70   image/pjpeg, app
280 : 6C 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D   lication/vnd.ms-
290 : 70 6F 77 65 72 70 6F 69 6E 74 2C 20 61 70 70 6C   powerpoint, appl
2a0 : 69 63 61 74 69 6F 6E 2F 6D 73 77 6F 72 64 2C 20   ication/msword,
2b0 : 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76 6E 64 2E   application/vnd.
2c0 : 6D 73 2D 65 78 63 65 6C 2C 20 2A 2F 2A 0D 0A 52   ms-excel, */*..R
2d0 : 65 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77   eferer: http://w
2e0 : 77 77                                             ww

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
Transfer-Encoding\: chunked"; flow:to_server,established;
content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase;
classtype:web-application-attack; reference:bugtraq,4474;
reference:cve,CAN-2002-0079; reference:bugtraq,5033;
reference:cve,CAN-2002-0392; sid:1807; rev:1;)

         --== Initializing Snort ==--
Decoding Ethernet on interface eth2
Parsing Rules file /home/ids/chrooted/snort/conf/snort-experimental.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Initializing Preprocessors!
Initializing Plug-ins!
HttpFlow config:
    Depth: 150
    Ports: 80 8080
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513 1433
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /home/ids/chrooted/snort/data/ids5-experimental/20021028.16:51:02/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
spo_unified /home/ids/chrooted/snort/conf/snort-experimental.conf(461)=>
Lowering limit of 1280MB to 512MB
spo_unified /home/ids/chrooted/snort/conf/snort-experimental.conf(462)=>
Lowering limit of 1280MB to 512MB
Opening /home/ids/chrooted/snort/data/ids5-experimental/20021028.16:51:02/snort-unified.log.1035823862
1650 Snort rules read...
1650 Option Chains linked into 214 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order:
         --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.0beta (Build 13)



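The spliced-payload symptom Larry describes, as an added triage example that is not part of the original post nor Snort or ACID code: it parses an ACID-style dump back into bytes, finds the server status line that follows the client's blank line, slices off HttpFlow-depth bytes and checks whether both content matches of sid 1807 land only inside that slice, which is what makes the flow:to_server alert a false positive. The sample traffic, the host name and every function name are constructed for this example.

```python
import re
HTTPFLOW_DEPTH = 150  # the "Depth: 150" setting from the Snort output in the post
RULE_CONTENT = (b"transfer-encoding:", b"chunked")  # sid 1807's two content matches

def acid_dump(data):
    """Render bytes in the 'off : hex   ascii' layout ACID shows in the post."""
    return "\n".join(
        f"{off:03x} : {data[off:off + 16].hex(' ').upper().ljust(47)}   "
        + "".join(chr(b) if 32 <= b < 127 else "." for b in data[off:off + 16])
        for off in range(0, len(data), 16))

def parse_acid_dump(text):
    """Inverse of acid_dump: the hex column ends at the first run of 3+ spaces;
    lines without a hex column (the post's ~ annotations) are skipped."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hexpart = re.split(r" {3,}", line.split(":", 1)[1].strip(), maxsplit=1)[0]
        if hexpart and all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in hexpart.split()):
            out.extend(bytes.fromhex(hexpart.replace(" ", "")))
    return bytes(out)

def split_spliced_payload(payload, depth=HTTPFLOW_DEPTH):
    """Locate a status line after a blank line; return the `depth` spliced bytes or None."""
    marker = payload.find(b"\r\n\r\nHTTP/1.")
    if marker < 0:
        return None
    start = marker + 4
    return {"offset": start, "spliced": payload[start:start + depth],
            "remainder": payload[start + depth:]}

def rule_hits_only_in_splice(payload, depth=HTTPFLOW_DEPTH):
    """True when both sid 1807 content matches occur only inside the splice (false positive)."""
    info = split_spliced_payload(payload, depth)
    if info is None:
        return False
    client = [payload[:info["offset"]].lower(), payload[info["offset"] + depth:].lower()]
    in_splice = all(c in info["spliced"].lower() for c in RULE_CONTENT)
    return in_splice and not all(any(c in p for p in client) for c in RULE_CONTENT)

# Constructed sample (not the post's packet): request, reply longer than depth, next client bytes.
REQUEST = (b"GET /siteart/colbckground.jpg HTTP/1.1\r\n"
           b"Host: www.example.test\r\nConnection: Keep-Alive\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 28 Oct 2002 17:07:50 GMT\r\n"
            b"Server: Apache/1.3.20 (Unix)\r\nTransfer-Encoding: chunked\r\n"
            b"Content-Type: image/jpeg\r\n\r\n" + b"\xff\xd8" * 60)
NEXT_CLIENT = b"gif, image/x-xbitmap, image/jpeg, */*\r\n"
SAMPLE_DUMP = acid_dump(REQUEST + RESPONSE[:HTTPFLOW_DEPTH] + NEXT_CLIENT)
```

Pasting the dump from the post into parse_acid_dump instead of SAMPLE_DUMP gives the same check on the real alert, since the annotation lines carry no colon and are skipped.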
