[Snort-devel] Snort 2.0 build13 problem

Lawrence Reed Lawrence.Reed at ...1489...
Tue Oct 29 05:53:05 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Thanks Chris,

I will try that next, however I think I might have something else going
wrong.  I ran a test with httpflow shut off and found similar results.
The following packet was detected by the same rule (listed below).
This packet seems to contain a mix of to_server and to_client data.  In
fact the first 145 bytes appear to be a server response going TO port 80
instead of from port 80.

What can I do to trace this problem?

------------------------------------------------------------------------
10/28/02-20:23:34.605660  {TCP} 192.133.17.45:1412 -> 205.156.54.113:80
[**] [1:1807:1] WEB-MISC Transfer-Encoding\: chunked [**]
[Classification: Web Application Attack] [Priority: 1]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392]
[Xref => http://www.securityfocus.com/bid/5033]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0079]
[Xref => http://www.securityfocus.com/bid/4474]
------------------------------------------------------------------------


000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D   HTTP/1.1 200 OK.
010 : 0A 53 65 72 76 65 72 3A 20 4E 65 74 73 63 61 70   .Server: Netscap
020 : 65 2D 45 6E 74 65 72 70 72 69 73 65 2F 36 2E 30   e-Enterprise/6.0
030 : 0D 0A 44 61 74 65 3A 20 4D 6F 6E 2C 20 32 38 20   ..Date: Mon, 28
040 : 4F 63 74 20 32 30 30 32 20 32 30 3A 32 33 3A 33   Oct 2002 20:23:3
050 : 39 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 74   9 GMT..Content-t
060 : 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 0D 0A   ype: text/html..
070 : 54 72 61 6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E   Transfer-Encodin
080 : 67 3A 20 63 68 75 6E 6B 65 64 0D 0A 0D 0A 31 64   g: chunked....1d
090 : 63 38 0D 0A 3C 68 74 6D 6C 3E 20 3C 68 65 61 64   c8..<html> <head
0a0 : 3E 20 3C 54 49 54 4C 45 3E 77 61 73 68 69 6E 67   > <TITLE>washing
0b0 : 74 6F 6E 70 6F 73 74 2E 63 6F 6D 20 2D 20 4E 65   tonpost.com - Ne
0c0 : 77 73 20 46 72 6F 6E 74 3C 2F 54 49 54 4C 45 3E   ws Front</TITLE>
0d0 : 20 3C 6C 69 6E 6B 20 72 65 6C 3D 22 73 74 79 6C    <link rel="styl
0e0 : 65 73 68 65 65 74 22 20 74 79 70 65 3D 22 74 65   esheet" type="te
0f0 : 78 74 2F 63 73 73 22 20 68 72 65 66 3D 22 68 74   xt/css" href="ht
100 : 74 70 3A 2F 2F 77 77 77 2E 77 61 73 47 45 54 20   tp://www.wasGET
110 : 2F 73 68 61 72 65 64 2F 4E 65 74 43 68 61 72 74   /shared/NetChart
120 : 73 34 2E 30 2F 63 6C 61 73 73 65 73 2F 6E 65 74   s4.0/classes/net
130 : 63 68 61 72 74 73 34 2F 75 74 69 6C 2F 4E 46 4B   charts4/util/NFK
140 : 65 79 56 61 6C 75 65 2E 63 6C 61 73 73 20 48 54   eyValue.class HT
150 : 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 2D 4C   TP/1.1..Accept-L
160 : 61 6E 67 75 61 67 65 3A 20 65 6E 0D 0A 41 63 63   anguage: en..Acc
170 : 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 20   ept: text/html,
180 : 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 67 65   image/gif, image
190 : 2F 6A 70 65 67 2C 20 2A 3B 20 71 3D 2E 32 2C 20   /jpeg, *; q=.2,
1a0 : 2A 2F 2A 3B 20 71 3D 2E 32 0D 0A 55 73 65 72 2D   */*; q=.2..User-
1b0 : 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34   Agent: Mozilla/4
1c0 : 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20   .0 (compatible;
1d0 : 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 33 32 29   MSIE 6.0; Win32)
1e0 : 0D 0A 48 6F 73 74 3A 20 64 69 70 70 65 72 2E 6E   ..Host: dipper.n
1f0 : 77 73 2E 6E 6F 61 61 2E 67 6F 76 0D 0A 43 6F 6E   ws.noaa.gov..Con
200 : 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C   nection: Keep-Al
210 : 69 76 65 0D 0A 0D 0A 47 45 54 20                  ive....GET

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
Transfer-Encoding\: chunked"; flow:to_server,established;
content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase;
classtype:web-application-attack; reference:bugtraq,4474;
reference:cve,CAN-2002-0079; reference:bugtraq,5033;
reference:cve,CAN-2002-0392; sid:1807; rev:1;)


Chris Green wrote:

|"Lawrence Reed" <Lawrence.Reed at ...1489...> writes:
|
|>I am running snort 2.0 build13 on RH 7.3 linux. I am logging to unified
|>file then using BY rc3 to send the alert to the mysql db. This setup is
|>working great with one exception.
|>
|>It looks like the httpflow pre-processor is corrupting packets.  Here is
|>a packet payload from ACID.  Notice the server response beginning at
|>offset 1b8.  The amount of server response data included is exactly the
|>httpflow depth setting (150).
|>
|>I have included the rule that triggered this alert below for reference.
|>I have also included the snort output to show the configuration.
|>
|>I am going to run without httpflow to see if that helps.
|
|
|Thanks Lawrence,
|
|I think this is an unexpected interaction between stream4 & httpflow.
|
|Try moving the httpflow preprocessor behind frag2 and stream4 in your
|snort.conf.  If that is already the case, please attach your snort.conf

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE9vmjHQu0Te3qZh3IRAuulAJoDNmSiimgi93xzhRIC9EsoYHnRHACcDYqm
fNChyKWjDQd0sf9Lr+ED2NA=
=CKRp
-----END PGP SIGNATURE-----
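One way to trace the problem described in this thread is to rebuild the payload from the ACID/Snort hex dump and check, for a packet the alert header says went to_server, whether it actually begins with an HTTP status line and where the real request line starts. The script below is an added diagnostic written for this page; it is not code from the post, from Chris Green or from the Snort project. The hex dump embedded in it is a constructed, shortened stand-in laid out in the same format as the one Lawrence posted (a chunked server response followed in the same payload by a client request); the function names are the author's own. It also reports where the two strings that sid:1807 matches on (`Transfer-Encoding:` and `chunked`) sit, so you can see whether the alert was driven entirely by response bytes.

```python
import re

# Constructed sample in the same layout as the posted dump ("offset : hex   ascii").
# It is NOT the packet from the post, just a short payload with the same defect:
# a chunked HTTP response followed, in the same payload, by a client request.
SAMPLE_DUMP = """\
000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D   HTTP/1.1 200 OK.
010 : 0A 54 72 61 6E 73 66 65 72 2D 45 6E 63 6F 64 69   .Transfer-Encodi
020 : 6E 67 3A 20 63 68 75 6E 6B 65 64 0D 0A 0D 0A 31   ng: chunked....1
030 : 64 63 38 0D 0A 3C 68 74 6D 6C 3E 47 45 54 20 2F   dc8..<html>GET /
040 : 61 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74   a HTTP/1.1..Host
050 : 3A 20 68 0D 0A 0D 0A                              : h....
"""

# "<hex offset> : <hex bytes>   <ascii>" rows; anything else (alert header, blanks) is skipped.
HEX_ROW = re.compile(r"^\s*([0-9a-fA-F]+)\s*:\s*(.*)$")
STATUS_LINE = re.compile(rb"\AHTTP/1\.[01] [1-5]\d\d ")
REQUEST_LINE = re.compile(rb"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r\n")

# The strings the posted rule (sid:1807) matches on, both with nocase.
RULE_CONTENTS = (("transfer-encoding", b"transfer-encoding:"), ("chunked", b"chunked"))


def parse_hexdump(text):
    """Rebuild raw payload bytes from an ACID/Snort style hex dump.

    The ASCII column is ignored; it is separated from the hex column by a run of
    two or more spaces (assumption: matches the dump format shown in the post).
    The offset column is checked so a missing or reordered row is caught.
    """
    payload = bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(payload):
            raise ValueError(f"row at {offset:#x} does not follow {len(payload):#x}")
        hex_col = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        payload += bytes.fromhex(hex_col)   # fromhex ignores the single spaces
    return bytes(payload)


def locate_direction_mixup(payload):
    """Inspect a payload that the alert says flowed to_server.

    Returns a dict with:
      starts_with_response   payload begins with an HTTP status line
      request_offset         offset of the first request line, or None
      rule_hits              offset of each sid:1807 content string (-1 if absent)
      hits_in_response_part  True when every rule hit lies before the request
                             line, i.e. the alert was driven by response bytes
    """
    starts_with_response = STATUS_LINE.match(payload) is not None
    req = REQUEST_LINE.search(payload)
    request_offset = req.start() if req else None
    lower = payload.lower()
    rule_hits = {name: lower.find(needle) for name, needle in RULE_CONTENTS}
    hits_in_response_part = bool(
        starts_with_response
        and request_offset is not None
        and all(0 <= off < request_offset for off in rule_hits.values())
    )
    return {
        "starts_with_response": starts_with_response,
        "request_offset": request_offset,
        "rule_hits": rule_hits,
        "hits_in_response_part": hits_in_response_part,
    }


if __name__ == "__main__":
    # Paste the full dump from an alert into SAMPLE_DUMP (or read it from a file)
    # and run; a True hits_in_response_part means the to_server packet carried
    # response data ahead of the request, as described in this thread.
    report = locate_direction_mixup(parse_hexdump(SAMPLE_DUMP))
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the constructed sample the request line is found at offset 59 and both rule strings sit before it, which is the signature of the mixed-direction payload in the post. On a genuine to_server packet the payload starts with the request line at offset 0, `starts_with_response` is False and `hits_in_response_part` is False, so the check separates the two cases cleanly. The parser deliberately raises on an offset gap rather than silently concatenating rows, because a truncated or reordered dump would otherwise shift every reported offset.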