[Snort-devel] Snort 2.9.0.1 Now Available

Russ Combs rcombs at ...402...
Mon Nov 8 11:54:37 EST 2010


Can you send us a pcap?

On Mon, Nov 8, 2010 at 11:45 AM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...2499...>wrote:

> Hello.
>
> I am still experiencing HTTP stream reassembly issues when trying to
> match across multiple fragmented packets with snort 2.9.0.1.
>
> Specifically, this happens on a HTTP POST where the headers are in a
> different packet than the POST data. Consider the following rule you
> can use along with scapy to reproduce if you want:
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Incoming German POST
> to Batman"; flow:established,to_server; content:"POST"; http_method;
> uricontent:"/batcave/"; uricontent:"unicorns4sourcefire"; content:"|0d
> 0a|Accept-Language: de"; nocase; http_header; content:!"|0d 0a 0d
> 0a|not4batman=true&"; content:!"\; batsecret=sesstoken4robin";
> http_cookie; classtype:trojan-activity; sid:8008135; rev:17;)
>
> It alerts (b/c all the URI and HTTP header stuffs match in the initial
> packet) but it shouldn't alert b/c the HTTP POST data starts with
> 'not4batman=true&' (but the POST data is in a subsequent packet than
> the one containing the headers).
>
> Anyone else still having issues or have done more in-depth testing
> with 2.9.0.1 and the HTTP pre-processor?
>
> -L0rd C.
>
> On Tue, Nov 2, 2010 at 5:34 PM, Steven Sturges
> <steve.sturges at ...402...> wrote:
> > There was an issue in that HTTP inspect wasn't correctly handling
> > raw vs. stream reassembled packets when looking at HTTP response
> > data.  This fix is included in 2901 -- refer to ChangeLog (changes
> > to hi_client.c/hi_server.c).
> >
> > As to the support of 2.8.6, with the release of 2.9.0, 2.8.6.x
> > is no longer supported.  When there is a new "3 digit" release no
> > further patches are made to the previous version of Snort.
> >
> > On 11/1/2010 1:05 PM, L0rd Ch0de1m0rt wrote:
> >> Hello. Does this release fix the issue where the HTTP pre-processor
> >> wasn't properly examining reassembled data across fragmented packets?
> >> (I don't know the exact cause of the bug - maybe it was the other way
> >> around and Stream5 wasn't properly doing the reassebly.)  It was
> >> announced that there would be a patch for that issue, just want to see
> >> if this is it.  If so, when can we expect the 2.8.6.1 patch be
> >> released?  2.8.6.1 is still supported, right?
> >>
> >> Thanks!
> >>
> >> -L0rd C.
> >>
> >> On Mon, Nov 1, 2010 at 11:45 AM, Snort Releases <
> snortreleases at ...835...> wrote:
> >>> Snort 2.9.0.1 is now available on snort.org, at
> >>> http://www.snort.org/snort-downloads/.
> >>>
> >>> 2.9.0 RC & later packages are signed with a new PGP key
> >>> (that is signed with the previous key).
> >>>
> >>> Snort 2.9.0.1 addresses the following:
> >>>
> >>>  * Fixed maximum flowbits configuration parsing to specify the number
> >>>    of bits in accordance with the Snort manual, rather than number of
> >>>    bytes.  If you have 'config flowbits_size' in your snort.conf,
> >>>    double check that it has the correct setting.
> >>>
> >>>  * Fixed a packet size issue with the IPQ and NFQ DAQs.
> >>>
> >>>  * Fixed issue with Stream5 overlap limit processing.
> >>>
> >>>  * Updated the version of LibPCRE bundled with the Windows installer.
> >>>    This update fixes a bug that caused some PCRE matches to fail
> >>>    on Windows.
> >>>
> >>> Please see the Release Notes and ChangeLog for more details.
> >>>
> >>> Please submit bugs, questions, and feedback to
> snort-beta at ...2780...
> >>>
> >>> Happy Snorting!
> >>> The Snort Release Team
> >>>
> >>>
> >>>
> ------------------------------------------------------------------------------
> >>> Nokia and AT&T present the 2010 Calling All Innovators-North America
> contest
> >>> Create new apps & games for the Nokia N8 for consumers in  U.S. and
> Canada
> >>> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in
> marketing
> >>> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi
> Store
> >>> http://p.sf.net/sfu/nokia-dev2dev
> >>> _______________________________________________
> >>> Snort-devel mailing list
> >>> Snort-devel at lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/snort-devel
> >>>
> >>
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20101108/67b75a96/attachment.html>


More information about the Snort-devel mailing list