[Snort-devel] Is this a specification that Snort detects dual events?

kawa kawakawa at ...2628...
Tue Aug 31 22:27:12 EDT 2004


Hi.

I found a strange action using http_inspect, and I am reporting it now.

The action is that Snort detects dual events at the same time in the same
stream. For example, when the following stream flows, Snort detects
dual events. (My Snort is 2.2.0)

============== here ==============
$ telnet webserver 80
GET / HTTP/1.0
Translate: f
User-Agent: Java1.2.1

A A
============== here ==============

============== Snort events ==============
[**] WEB-MISC L3retriever HTTP Probe [**]
[**] WEB-MISC L3retriever HTTP Probe [**]
[**] WEB-IIS view source via translate header [**]
============== Snort events ==============
The alert.txt file is the Snort alert file from then.

I think that "WEB-MISC L3retriever HTTP Probe" is excessive. If the
signatures are not these signatures but other HTTP signatures, Snort
detects dual events. If you make a signature that detects some
HTTP requests, maybe Snort detects dual events.

However, when the following stream flows, Snort doesn't detect dual events.
The HTTP request body doesn't have a "space".

============== here ==============
$ telnet webserver 80
GET / HTTP/1.0
Translate: f
User-Agent: Java1.2.1

AA
============== here ==============

============== Snort events ==============
[**] WEB-MISC L3retriever HTTP Probe [**]
[**] WEB-IIS view source via translate header [**]
============== Snort events ==============

I think that this action is caused by the following conditions:
 - two or more contents in an HTTP packet
 - a "space letter" in the HTTP request body
 - http_inspect in use
If at least one of these conditions is missing, Snort detects one event.

I'm not sure whether this action is a specification or a bug. I can't read
the source code and can only report it. If this action is a specification,
I want to know how to keep Snort from detecting dual events in that situation.


My environment
- Snort 2.2.0
- Snort 2.1.2

Regards.


-- 
kawa
kawakawa at ...2628...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: alert.txt
Type: application/octet-stream
Size: 1510 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040831/8d75891a/attachment.obj>
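To check an alert file for the behaviour described in this report, here is an added example (not from the original post or from the Snort project) that parses Snort's one-line alert format and counts alerts that share signature, 5-tuple and timestamp, which is what "dual events" in the same stream look like in the log. The sample lines, the gid:sid:rev numbers and the addresses are constructed placeholders, not values from the report.

```python
import re
from collections import Counter

# Constructed sample in Snort's one-line "alert_fast" layout; the gid:sid:rev
# numbers and addresses are placeholders, not values from the original report.
SAMPLE_ALERTS = """\
08/31-22:10:05.104211  [**] [1:9999001:1] WEB-MISC L3retriever HTTP Probe [**] [Priority: 2] {TCP} 192.0.2.10:3456 -> 192.0.2.80:80
08/31-22:10:05.104211  [**] [1:9999001:1] WEB-MISC L3retriever HTTP Probe [**] [Priority: 2] {TCP} 192.0.2.10:3456 -> 192.0.2.80:80
08/31-22:10:05.104211  [**] [1:9999002:1] WEB-IIS view source via translate header [**] [Priority: 2] {TCP} 192.0.2.10:3456 -> 192.0.2.80:80
08/31-22:11:40.557302  [**] [1:9999001:1] WEB-MISC L3retriever HTTP Probe [**] [Priority: 2] {TCP} 192.0.2.10:3457 -> 192.0.2.80:80
08/31-22:11:40.557302  [**] [1:9999002:1] WEB-IIS view source via translate header [**] [Priority: 2] {TCP} 192.0.2.10:3457 -> 192.0.2.80:80
"""

# timestamp, [gid:sid:rev], message, protocol, source and destination endpoints
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alerts(text):
    """Yield one dict per alert line; lines that do not match the layout are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m.groupdict()


def duplicate_events(text):
    """Count alerts that share signature, protocol, endpoints and timestamp,
    i.e. the same rule firing more than once on the same packet/stream.
    Returns only the keys seen more than once, mapped to their count."""
    counts = Counter(
        (a["sid"], a["msg"], a["proto"], a["src"], a["dst"], a["ts"])
        for a in parse_alerts(text)
    )
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    for (sid, msg, proto, src, dst, ts), n in duplicate_events(SAMPLE_ALERTS).items():
        print(f"{ts} {proto} {src} -> {dst} sid {sid} '{msg}' fired {n} times")
```

Run it against a real alert file by passing its contents to duplicate_events(); the 22:10:05 flow in the sample reproduces the doubled L3retriever alert, while the 22:11:40 flow shows the single-alert case.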
