[Snort-devel] Snort Now Available

Eoin Miller eoin.miller at ...3055...
Mon Nov 8 11:57:18 EST 2010

On 11/8/2010 4:45 PM, L0rd Ch0de1m0rt wrote:
> Hello.
> I am still experiencing HTTP stream reassembly issues when trying to
> match across multiple fragmented packets with snort
> Specifically, this happens on a HTTP POST where the headers are in a
> different packet than the POST data. Consider the following rule you
> can use along with scapy to reproduce if you want:
> alert tcp any any ->  $HOME_NET $HTTP_PORTS (msg:"Incoming German POST
> to Batman"; flow:established,to_server; content:"POST"; http_method;
> uricontent:"/batcave/"; uricontent:"unicorns4sourcefire"; content:"|0d
> 0a|Accept-Language: de"; nocase; http_header; content:!"|0d 0a 0d
> 0a|not4batman=true&"; content:!"\; batsecret=sesstoken4robin";
> http_cookie; classtype:trojan-activity; sid:8008135; rev:17;)
> It alerts (b/c all the URI and HTTP header stuffs match in the initial
> packet) but it shouldn't alert b/c the HTTP POST data starts with
> 'not4batman=true&' (but the POST data is in a subsequent packet than
> the one containing the headers).
> Anyone else still having issues or have done more in-depth testing
> with and the HTTP pre-processor?
> -L0rd C.
It was reported a while back by myself directly to SourceFire in late 
August. I provided some PCAP's a few times and I am pretty sure they are 
aware of the issue and are working to resolve it. They have fixed tons 
of other stuff that really helps everyone out and I'm sure a fix for 
this will surface into the publicly released source eventually. It 
appears that the buffers created by the http_inspect preprocessor only 
work at frame level instead of at the stream level. I finally put up a 
blog post about it in late September here:


This is especially bad if you are using rules to block access to certain 
domain names in the http_header buffer when the http_uri is very long 
and the client is using MSIE as that puts the Host header entry at the 
bottom of the http_header. Requests like this are very likely to exceed 
the standard size MTU and get split across multiple frames. There should 
be some chatter on the Snort lists from myself and some of the 
dev/support guys recently as well.

-- Eoin

More information about the Snort-devel mailing list