[Snort-devel] Bug report - no content match on http_inspect port

Joel Esler jesler at ...402...
Fri Mar 4 10:06:58 EST 2011


You should only put ports in the http_inspect config that you are running http services on, on your network.

3128 is a common proxy port, so it's included by default.

Joel

On Mar 4, 2011, at 9:57 AM, elof at ...969... wrote:

> 
> Snort doesn't trigger alerts on traffic if that port is included in the 
> http_inspect ports.
> 
> 
> Example:
> 
> A basic rule:
> 
> alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; 
> content:"login|3A| root"; sid:1234; rev:1;)
> 
> If the snort.conf contains this http_inspect configuration, sid:1234 will 
> never trigger even if a packet is seen containing "login: root" from port 
> 3128. Bug!
> 
> preprocessor http_inspect_server: server default profile all ports { 80 
> 3128 8080 } oversize_dir_length 500 no_alerts
> 
> 
> If I remove port 3128 from the configuration and try again, I get an 
> alert.
> 
> preprocessor http_inspect_server: server default profile all ports { 80 
> 8080 } oversize_dir_length 500 no_alerts
> 
> 
> I tested it using this simple setup:
> Server: echo "login: root" | nc -l 3128
> Client: nc serverip 3128
> 
> When the client connects, I get a logged event using the second config.
> When the client connects, I don't get any event using the first config.
> This is reproducible.
> 
> Could it be that http_inspect tries to normalise the string "login: root" 
> and by doing so breaks it, so that there are no matches?
> 
> /Elof
> 

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
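The practical takeaway of the thread is that a plain content rule on a port that http_inspect_server claims may never fire, because the preprocessor owns that stream and the raw payload is no longer what the content match sees. The script below is an added example written for this page (it is not from the thread, from Sourcefire or from any Snort tooling): it pulls the ports { ... } list out of http_inspect_server lines in a snort.conf and lists every rule whose explicit source or destination port overlaps that list while its content matches carry no http_* modifier. The config lines and rule sid:1234 are copied from the thread; sid:1235 and sid:1236 are constructed. The "overlap plus no http_* modifier means the rule is at risk" heuristic is an assumption for this audit, not a documented Snort guarantee, and port variables such as $HTTP_PORTS and negated ports are treated as unknown and skipped.

```python
"""Audit snort.conf http_inspect_server ports against plain content rules.

Added example, not code from the mailing-list thread or from Snort itself.
Heuristic (assumption): a rule whose explicit ports fall inside the
http_inspect_server ``ports { ... }`` list and whose content matches have no
http_* modifier is reported, since non-HTTP traffic on such a port may never
reach the rule's raw content match (the behaviour Elof observed on 3128).
"""
import re

# Snort 2.9 content modifiers that bind a match to an http_inspect buffer.
HTTP_MODIFIERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_cookie", "http_raw_cookie", "http_client_body", "http_method",
    "http_stat_code", "http_stat_msg",
}

# Constructed samples: the two preprocessor lines quoted in the thread.
SNORT_CONF_BEFORE = ("preprocessor http_inspect_server: server default profile all "
                     "ports { 80 3128 8080 } oversize_dir_length 500 no_alerts")
SNORT_CONF_AFTER = ("preprocessor http_inspect_server: server default profile all "
                    "ports { 80 8080 } oversize_dir_length 500 no_alerts")

# Constructed rule set: sid 1234 from the thread, 1235/1236 made up for contrast.
RULES = """
alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; sid:1234; rev:1;)
alert tcp any any -> any 8080 (msg:"uri probe"; flow:to_server,established; content:"/admin"; http_uri; sid:1235; rev:1;)
alert tcp any 2222 -> any any (msg:"bar"; flow:from_server,established; content:"banner"; sid:1236; rev:1;)
"""

PORTS_RE = re.compile(r"http_inspect_server:.*?ports\s*\{([^}]*)\}")
RULE_RE = re.compile(
    r"^\s*(alert|log|pass|drop|reject|sdrop)\s+(\w+)\s+(\S+)\s+(\S+)\s+"
    r"(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def http_inspect_ports(conf):
    """Union of all ports listed in http_inspect_server 'ports { ... }' blocks."""
    ports = set()
    for m in PORTS_RE.finditer(conf):
        ports.update(int(p) for p in m.group(1).split())
    return ports


def parse_ports(field):
    """Ports named by a rule port field, or None when it cannot be resolved.

    Handles a single port, a lo:hi range and [a,b,c:d] lists. 'any', negated
    ports ('!80') and variables ('$HTTP_PORTS') return None and are skipped,
    an assumption made to keep the audit conservative.
    """
    field = field.strip()
    if field == "any" or field.startswith(("!", "$")):
        return None
    ports = set()
    for part in field.strip("[]").split(","):
        part = part.strip()
        if not part:
            continue
        if ":" in part:
            lo, hi = part.split(":", 1)
            ports.update(range(int(lo) if lo else 0, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(part))
    return ports


def split_options(body):
    """Split a rule body on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def audit(conf, rules):
    """Return [(sid, [overlapping ports])] for rules at risk under the heuristic."""
    claimed = http_inspect_ports(conf)
    findings = []
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = split_options(m.group(8))
        names = [o.split(":", 1)[0].strip() for o in opts]
        # Only raw content matches without an http_* buffer modifier are at risk.
        if "content" not in names or any(n in HTTP_MODIFIERS for n in names):
            continue
        sid = next((int(o.split(":", 1)[1]) for o in opts if o.startswith("sid:")), None)
        overlap = set()
        for field in (m.group(4), m.group(7)):  # source port, destination port
            ports = parse_ports(field)
            if ports is not None:
                overlap |= ports & claimed
        if overlap:
            findings.append((sid, sorted(overlap)))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SNORT_CONF_BEFORE), ("after", SNORT_CONF_AFTER)):
        print(label, audit(conf, RULES))
```

Run against the first config the audit reports sid:1234 on port 3128, which is exactly the rule Elof saw go silent; against the second config, with 3128 removed, it reports nothing. Rule sid:1235 is not reported because its content is bound to http_uri, which is the right way to write a rule for a port that genuinely carries HTTP, and sid:1236 is not reported because 2222 is not in the list. The audit only catches the case where a port is wrongly listed; it cannot tell you whether a listed port really carries HTTP, which is the judgement Joel's reply asks you to make.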