[Snort-devel] BUG: corner case involving http_cookie

Will Metcalf william.metcalf at ...2499...
Wed Mar 10 07:36:42 EST 2010


Hmmm, I don't think so. Look at the first test. Both rules fire.

Regards,

Will

On Tue, Mar 9, 2010 at 10:31 PM, beenph <beenph at ...2499...> wrote:
> I will try a wild guess, what is your event_queue size like?
>
> It's probably a bug or something that needs clarification regarding
> http_cookie and http_inspect, but maybe http_cookie enables a modifier
> in http_inspect that alters alerting behavior when event_queue is at 1
> (since I guess both "alerts" are part of the same normalized HTTP
> stream)
>
>
> -elz
> ps: didn't run the pcap and rules test.
>
>
> On Tue, Mar 9, 2010 at 11:15 PM, Will Metcalf <william.metcalf at ...2499...> wrote:
>> Failing to use the http_cookie modifier on a rule, where there is
>> another rule that matches the same packet, makes a rule that should
>> fire fail.
>>
>> src/snort -V
>>
>>   ,,_     -*> Snort! <*-
>>  o"  )~   Version 2.8.5.3 (Build 124)
>>   ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/snort/snort-team
>>           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>>           Using PCRE version: 7.8 2008-09-05
>>
>>
>> src/snort -k none -q -A console -c etc/snort.conf -l ./ -r oisfsearchnums.pcap
>>
>> #this combo works
>> #alert tcp any any -> any any (msg:"http_client_body";
>> content:"searchword="; uricontent:"/index.php"; nocase;
>> classtype:bad-unknown; sid:59; rev:1;)
>> #alert tcp any any -> any any (msg:"http_cookie match ";
>> content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703";
>> http_cookie; classtype:bad-unknown; sid:68; rev:1;)
>> #
>> #03/07-21:19:54.242506  [**] [1:59:1] http_client_body [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
>> 192.168.100.17:38111 -> 96.43.130.5:80
>> #03/07-21:19:54.242506  [**] [1:68:1] http_cookie match  [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
>> 192.168.100.17:38111 -> 96.43.130.5:80
>> #03/07-21:19:54.364173  [**] [1:68:1] http_cookie match  [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
>> 192.168.100.17:38111 -> 96.43.130.5:80
>>
>> #the second rule does not fire
>> #alert tcp any any -> any any (msg:"http_client_body + depth";
>> content:"searchword="; uricontent:"/index.php"; nocase;
>> classtype:bad-unknown; sid:59; rev:1;)
>> #alert tcp any any -> any any (msg:"http_cookie match";
>> content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703";
>> classtype:bad-unknown; sid:68; rev:1;)
>> #
>> #03/07-21:19:54.242506  [**] [1:59:1] http_client_body + depth [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
>> 192.168.100.17:38111 -> 96.43.130.5:80
>>
>> #this rule fires when used on its own.
>> #alert tcp any any -> any any (msg:"http_cookie match";
>> content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703";
>> classtype:bad-unknown; sid:68; rev:1;)
>> #
>> #03/07-21:19:54.242506  [**] [1:68:1] http_cookie match [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
>> 192.168.100.17:38111 -> 96.43.130.5:80
>> #03/07-21:19:54.364173  [**] [1:68:1] http_cookie match [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
>> 192.168.100.17:38111 -> 96.43.130.5:80
>>
>
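The three runs above differ only in which sids fire on which packets, and that kind of silent drop is easy to miss by eye. The following is an added example (not part of this thread and not Snort project code): it parses `-A console` alert lines of the shape quoted above, groups them per packet by timestamp and flow, and reports sids that fired in a baseline run but not in a candidate run. The sample lines are constructed from the thread's output, one alert per line.

```python
import re
from collections import defaultdict

# Snort 2.x console alert line: <ts>  [**] [gid:sid:rev] <msg> [**] ... {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed samples modelled on the thread's output, one alert per line.
# Baseline: both rules loaded, sid 68 with the http_cookie modifier (sids 59 and 68 fire).
BASELINE = """\
03/07-21:19:54.242506  [**] [1:59:1] http_client_body [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
03/07-21:19:54.242506  [**] [1:68:1] http_cookie match  [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
03/07-21:19:54.364173  [**] [1:68:1] http_cookie match  [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
"""
# Candidate: sid 68 without the modifier; only sid 59 fires.
CANDIDATE = """\
03/07-21:19:54.242506  [**] [1:59:1] http_client_body + depth [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.17:38111 -> 96.43.130.5:80
"""

def parse_alerts(text):
    """Parse console alert lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def sids_by_packet(alerts):
    """Group sids by (timestamp, src, dst): alerts sharing all three fired on one packet."""
    groups = defaultdict(set)
    for a in alerts:
        groups[(a["ts"], a["src"], a["dst"])].add(int(a["sid"]))
    return groups

def missing_alerts(baseline_text, candidate_text):
    """Per packet, the sids that fired in the baseline run but not in the candidate run."""
    base = sids_by_packet(parse_alerts(baseline_text))
    cand = sids_by_packet(parse_alerts(candidate_text))
    gaps = {}
    for pkt, sids in base.items():
        lost = sids - cand.get(pkt, set())
        if lost:
            gaps[pkt] = lost
    return gaps

if __name__ == "__main__":
    for (ts, src, dst), sids in sorted(missing_alerts(BASELINE, CANDIDATE).items()):
        print(f"{ts} {src} -> {dst}: missing sid(s) {sorted(sids)}")
```

Run against the real console output of two rule-set variants on the same pcap, an empty result means no detection regressed.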



