[Snort-devel] NOT content and uricontent="?..." problems in Snort 2.0

Daniel Roelker droelker at ...402...
Mon Mar 3 06:11:10 EST 2003


I tried to reproduce #2, but it works fine for me.  Also, for #1 we will need
more information, like build numbers for 1.9 and 2.0, because the rule you
are using includes a within: keyword and there have been some changes to this
code recently, so I think the discrepancy may be in there.

Feel free to send packet dumps of these problems, so we can verify them.

Thanks.

Dan

On 2/27/03 5:34 PM, "Radek Mista" <radek at ...63...> wrote:

> Hello,
> 
> I've been running comparison tests between Snort 1.9 and Snort 2.0 and I
> noticed a couple of problems with Snort 2.0.
> 
> 1)  Snort 2.0 did not alert on any rules with NOT content
> (content:!"string"). For example, when run on the same data, Snort 1.9
> reported the following:
> 
> [**] [1:1734:6] FTP USER overflow attempt [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> 05/24-15:38:30.926650 X.X.X.X:61292 -> Y.Y.Y.Y:21
> TCP TTL:126 TOS:0x0 ID:6247 IpLen:20 DgmLen:51 DF
> ***AP*** Seq: 0x859EBD72  Ack: 0xE52E3E23  Win: 0x443F  TcpLen: 20
> 
> Triggered by the following rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt";
> flow:to_server,established,no_stream;  content:"USER "; nocase;
> content:!"|0a|"; within:100; reference:bugtraq,4638;
> reference:cve,CAN-2000-0479; classtype:attempted-admin; sid:1734; rev:6;)
> 
> Whereas Snort 2.0 did not report anything.
> 
> 
> 2) Snort 2.0 did not report any rules with the question mark (?) as the
> first character of uricontent.  For example, when run on the same data, Snort
> 1.9 reported the following:
> 
> [**] [1:1091:6] WEB-MISC ICQ Webfront HTTP DOS [**]
> [Classification: Web Application Attack] [Priority: 1]
> 05/24-15:47:18.506128 X.X.X.X:3174 -> Y.Y.Y.Y:80
> TCP TTL:127 TOS:0x0 ID:18235 IpLen:20 DgmLen:362 DF
> ***AP*** Seq: 0xF8B60859  Ack: 0xEF4FCFBD  Win: 0x4470  TcpLen: 20
> 
> Triggered by the following rule:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ
> Webfront HTTP DOS"; flow:to_server,established; uricontent:"??????????";
> classtype:web-application-attack; sid:1091;  rev:6;)
> 
> There was no alert coming from Snort 2.0
> 
> I was wondering if anybody experienced similar problems and if somebody is
> working on fixes.
> 
> Thanks,
> 
> Radek
> 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 

-- 
Daniel Roelker
Software Engineer
droelker at ...402...

www.sourcefire.com
www.snort.org
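To make the two rule semantics in question concrete, here is a small evaluator for the content options those rules use. It is an added, constructed example, not Snort's matching engine, and it encodes the Snort 2.x rule semantics as assumed here: content:"..." with nocase, distance:N and within:N (measured from the end of the previous match), a leading "!" for negation, |xx| hex escapes, and uricontent matched against the raw request-target of the HTTP request line. The flow: keyword and the URI normalization done by Snort's HTTP preprocessor are not modelled; all sample payloads are made up.

```python
"""Toy evaluator for the Snort content options used in sid:1734 and sid:1091.

Constructed illustration, not Snort's own code.  Assumed Snort 2.x rule
semantics: content:"..." with nocase/distance/within, '!' for negation,
|xx| hex escapes, and uricontent matched against the request URI.  flow:
and HTTP URI normalization are deliberately left out.
"""
import re
from dataclasses import dataclass
from typing import Optional, Sequence

_HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def parse_pattern(text: str) -> bytes:
    """Turn a Snort content string such as 'USER |0d 0a|' into raw bytes."""
    out = bytearray()
    pos = 0
    for m in _HEX_RUN.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out += bytes.fromhex("".join(m.group(1).split()))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


@dataclass
class Content:
    pattern: bytes
    negated: bool = False          # content:!"..."
    nocase: bool = False
    distance: Optional[int] = None  # skip N bytes after the previous match
    within: Optional[int] = None    # pattern must end within N bytes of it


def _find(buf: bytes, pat: bytes, start: int, end: int, nocase: bool) -> int:
    """Offset of pat lying fully inside buf[start:end], or -1."""
    hay = buf[start:end]
    if nocase:
        hay, pat = hay.lower(), pat.lower()
    idx = hay.find(pat)
    return -1 if idx < 0 else start + idx


def evaluate(options: Sequence[Content], buf: bytes) -> bool:
    """True when every option accepts buf, evaluated in rule order.

    An option with distance/within searches relative to the end of the
    previous match; one without either searches the whole buffer.  A negated
    option succeeds when its pattern is absent from the window and does not
    move the cursor.  The window is clipped by the end of buf, so a segment
    cut off before the terminating newline also satisfies content:!"|0a|".
    """
    cursor = 0
    for opt in options:
        relative = opt.distance is not None or opt.within is not None
        start = cursor + (opt.distance or 0) if relative else 0
        end = start + opt.within if opt.within is not None else len(buf)
        idx = _find(buf, opt.pattern, start, end, opt.nocase)
        if opt.negated:
            if idx >= 0:
                return False
        else:
            if idx < 0:
                return False
            cursor = idx + len(opt.pattern)
    return True


def uri_of(payload: bytes) -> bytes:
    """Request-target of an HTTP request line (no %xx decoding), or b''."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


# sid:1734 -- content:"USER "; nocase; content:!"|0a|"; within:100;
FTP_USER_OVERFLOW = [
    Content(parse_pattern("USER "), nocase=True),
    Content(parse_pattern("|0a|"), negated=True, within=100),
]

# sid:1091 -- uricontent:"??????????";  each '?' is a literal byte, not a wildcard
ICQ_WEBFRONT_DOS = [Content(parse_pattern("??????????"))]


def ftp_user_overflow_alerts(payload: bytes) -> bool:
    return evaluate(FTP_USER_OVERFLOW, payload)


def icq_webfront_alerts(payload: bytes) -> bool:
    return evaluate(ICQ_WEBFRONT_DOS, uri_of(payload))


if __name__ == "__main__":
    # Constructed sample traffic, not the captures from the original report.
    print(ftp_user_overflow_alerts(b"USER " + b"A" * 200))              # True
    print(ftp_user_overflow_alerts(b"USER anonymous\r\n"))              # False
    print(icq_webfront_alerts(b"GET /x?????????? HTTP/1.0\r\n\r\n"))    # True
```

The boundary worth checking with this model is the within:100 window: a newline at byte 104 after "USER " suppresses the alert, one at byte 105 does not. Because the window is clipped by the end of the payload, a short TCP segment that ends before the newline also fires, which is why the real rule's flow:established,no_stream options and the reassembly configuration matter when comparing two Snort builds on the same data.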