[Snort-devel] Bug report - no content match on http_inspect port

elof at ...969... elof at ...969...
Fri Mar 4 09:57:06 EST 2011


Snort doesn't trigger alerts on traffic if that port is included in the 
http_inspect ports.


Example:

A basic rule:

alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; sid:1234; rev:1;)

If the snort.conf contains this http_inspect configuration, sid:1234 will 
never trigger even if a packet is seen containing "login: root" from port 
3128. Bug!

preprocessor http_inspect_server: server default profile all ports { 80 3128 8080 } oversize_dir_length 500 no_alerts


If I remove port 3128 from the configuration and try again, I get an 
alert.

preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500 no_alerts


I tested it using this simple setup:
Server: echo "login: root" | nc -l 3128
Client: nc serverip 3128

When the client connects, I get a logged event using the second config.
When the client connects, I don't get any event using the first config.
This is reproducible.

Could it be that http_inspect tries to normalise the string "login: root" 
and by doing so breaks it, so that there are no matches?

/Elof
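The report above boils down to a rule whose header port (3128) is also listed in http_inspect_server's ports, while the rule matches with a plain content: option and no http_* buffer modifier. The script below is an added example, not part of Elof's report or of the Snort project: a small lint that parses http_inspect_server port lists and rule headers from a snort.conf/rules text and flags rules with that combination, so the same mismatch can be found across a whole ruleset before testing with nc. The two preprocessor lines and sid:1234 are copied from the report; sids 1235 and 1236, the port-spec grammar handled (any, single ports, a:b ranges, [a,b] lists) and the modifier list are assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed inputs: the two http_inspect_server lines and sid:1234 are taken
# from the report; sids 1235 and 1236 are made up so the lint has rules it
# must NOT flag (one uses an http_* modifier, one is not on an inspected port).
CONF_WITH_3128 = (
    "preprocessor http_inspect_server: server default profile all "
    "ports { 80 3128 8080 } oversize_dir_length 500 no_alerts"
)
CONF_WITHOUT_3128 = (
    "preprocessor http_inspect_server: server default profile all "
    "ports { 80 8080 } oversize_dir_length 500 no_alerts"
)
RULES = [
    'alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; '
    'content:"login|3A| root"; sid:1234; rev:1;)',
    'alert tcp any any -> any 80 (msg:"hdr"; flow:to_server,established; '
    'content:"X-Test|3A|"; http_header; sid:1235; rev:1;)',
    'alert tcp any 22 -> any any (msg:"ssh banner"; flow:from_server; '
    'content:"SSH-"; sid:1236; rev:1;)',
]

# Snort 2 content modifiers that move the match into an http_inspect buffer.
HTTP_MODIFIERS = {
    "http_client_body", "http_cookie", "http_raw_cookie", "http_header",
    "http_raw_header", "http_method", "http_uri", "http_raw_uri",
    "http_stat_code", "http_stat_msg",
}
PORTS_RE = re.compile(r"preprocessor\s+http_inspect_server:[^\n]*?\bports\s*\{([^}]*)\}")
HEADER_RE = re.compile(
    r"^\s*\w+\s+\w+\s+\S+\s+(?P<sport>\S+)\s*(?:->|<>)\s*\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def http_inspect_ports(conf: str) -> Set[int]:
    """Collect every port listed in 'ports { ... }' on http_inspect_server lines."""
    ports: Set[int] = set()
    for m in PORTS_RE.finditer(conf):
        ports.update(int(tok) for tok in m.group(1).split())
    return ports


def parse_port_spec(spec: str) -> Optional[Set[int]]:
    """Expand a rule-header port spec; None stands for 'any' (negation not handled)."""
    spec = spec.strip()
    if spec == "any":
        return None
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    ports: Set[int] = set()
    for part in (p.strip() for p in spec.split(",")):
        if part.startswith("!"):
            raise ValueError("negated port specs are not handled: " + part)
        if ":" in part:
            lo, hi = part.split(":", 1)
            ports.update(range(int(lo or 0), int(hi or 65535) + 1))
        elif part:
            ports.add(int(part))
    return ports


def split_options(opts: str) -> List[str]:
    """Split the option body on ';' outside double quotes (patterns may contain ';')."""
    out: List[str] = []
    cur: List[str] = []
    in_q = esc = False
    for ch in opts:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\" and in_q:
            cur.append(ch)
            esc = True
        elif ch == '"':
            in_q = not in_q
            cur.append(ch)
        elif ch == ";" and not in_q:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return [o for o in out if o]


def raw_contents(opts: str) -> List[str]:
    """Return content patterns that carry no http_* modifier, i.e. match raw payload."""
    items = split_options(opts)
    raw: List[str] = []
    i = 0
    while i < len(items):
        key, _, val = items[i].partition(":")
        key = key.strip()
        if key in ("content", "uricontent"):
            pattern = val.strip().lstrip("!").strip().strip('"')
            is_raw = key == "content"
            # Modifiers bind to the most recent content, so scan forward to the next pattern.
            j = i + 1
            while j < len(items) and items[j].partition(":")[0].strip() not in ("content", "uricontent", "pcre"):
                if items[j].strip() in HTTP_MODIFIERS:
                    is_raw = False
                j += 1
            if is_raw:
                raw.append(pattern)
            i = j
        else:
            i += 1
    return raw


def check_rule(rule: str, conf: str) -> Optional[Dict]:
    """Flag a rule whose header ports overlap http_inspect ports while matching raw payload."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparsable rule header: " + rule[:40])
    http_ports = http_inspect_ports(conf)
    specs = [parse_port_spec(m.group("sport")), parse_port_spec(m.group("dport"))]
    specific = [p for p in specs if p is not None]
    # A concrete port on either side decides; 'any -> any' reaches every inspected port.
    overlap = set().union(*(p & http_ports for p in specific)) if specific else set(http_ports)
    raw = raw_contents(m.group("opts"))
    if not overlap or not raw:
        return None
    sid_m = re.search(r"\bsid\s*:\s*(\d+)", m.group("opts"))
    return {"sid": int(sid_m.group(1)) if sid_m else None,
            "overlapping_ports": sorted(overlap), "raw_contents": raw}


def lint(rules: List[str], conf: str) -> List[Dict]:
    """Run check_rule over a ruleset and keep only the findings."""
    return [f for f in (check_rule(r, conf) for r in rules) if f]


if __name__ == "__main__":
    for label, conf in (("with 3128", CONF_WITH_3128), ("without 3128", CONF_WITHOUT_3128)):
        print(label, lint(RULES, conf))
```

Against the first configuration the lint reports only sid:1234 (port 3128, raw pattern "login|3A| root"); against the second it reports nothing, which mirrors the two test runs in the report. Point it at a real snort.conf plus rules file by reading both into strings and passing every line that starts with "alert" into lint().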



