[Snort-devel] Bug report - no content match on http_inspect port

elof at ...969...
Fri Mar 4 10:25:22 EST 2011


Yes. But that doesn't really answer any question or fix the problem, does 
it?

Are you saying that snort can no longer do simple pattern matching on all 
traffic that is handled by http_inspect?


If I wanted to, I should be able to alert on the pattern "login: root" 
with a rule WITHOUT any given ports ('alert tcp any any -> any any 
(...)'), and snort should be acting sort of like 'ngrep'.
But for traffic on ports 80 3128 and 8080 snort wouldn't generate any 
event. This is a bug to me.

/Elof


On Fri, 4 Mar 2011, Joel Esler wrote:

> You should only put ports in the http_inspect config that you are running http services on, on your network.
>
> 3128 is a common proxy port, so it's included by default.
>
> Joel
>
> On Mar 4, 2011, at 9:57 AM, elof at ...969... wrote:
>
>>
>> Snort doesn't trigger alerts on traffic if that port is included in the
>> http_inspect ports.
>>
>>
>> Example:
>>
>> A basic rule:
>>
>> alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established;
>> content:"login|3A| root"; sid:1234; rev:1;)
>>
>> If the snort.conf contains this http_inspect configuration, sid:1234 will
>> never trigger even if a packet is seen containing "login: root" from port
>> 3128. Bug!
>>
>> preprocessor http_inspect_server: server default profile all ports { 80
>> 3128 8080 } oversize_dir_length 500 no_alerts
>>
>>
>> If I remove port 3128 from the configuration and try again, I get an
>> alert.
>>
>> preprocessor http_inspect_server: server default profile all ports { 80
>> 8080 } oversize_dir_length 500 no_alerts
>>
>>
>> I tested it using this simple setup:
>> Server: echo "login: root" | nc -l 3128
>> Client: nc serverip 3128
>>
>> When the client connects, I get a logged event using the second config.
>> When the client connects, I don't get any event using the first config.
>> This is reproducible.
>>
>> Could it be that http_inspect tries to normalise the string "login: root"
>> and by doing so breaks it, so that there are no matches?
>>
>> /Elof
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
>
>
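Added example, not from the thread or from the Snort project: a small Python check that parses the two http_inspect_server lines quoted above together with the reported rule, and lists the sids of rules whose fixed port is also an http_inspect port while they match with a plain content: option (no http_ buffer modifier). The regexes, the control rule on port 22 and the sample texts are constructed; the point is to find rules that need re-testing whenever the ports list changes, as it did between the two configs here.

```python
import re
# Constructed copies of the two http_inspect_server lines from the thread.
CONF_WITH_3128 = (
    "preprocessor http_inspect_server: server default profile all "
    "ports { 80 3128 8080 } oversize_dir_length 500 no_alerts\n"
)
CONF_WITHOUT_3128 = (
    "preprocessor http_inspect_server: server default profile all "
    "ports { 80 8080 } oversize_dir_length 500 no_alerts\n"
)
# The reported rule plus one constructed control rule on a non-HTTP port.
RULES = (
    'alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; '
    'content:"login|3A| root"; sid:1234; rev:1;)\n'
    'alert tcp any any -> any 22 (msg:"ssh"; content:"SSH-"; sid:1235; rev:1;)\n'
)
RULE_RE = re.compile(
    r"^alert\s+tcp\s+\S+\s+(?P<sport>\S+)\s+->\s+\S+\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

def http_inspect_ports(conf_text):
    """Union of every 'ports { ... }' list found on http_inspect_server lines."""
    ports = set()
    for line in conf_text.splitlines():
        if line.lstrip().startswith("preprocessor http_inspect_server:"):
            for block in re.findall(r"ports\s*\{([^}]*)\}", line):
                ports.update(int(p) for p in block.split())
    return ports

def rule_ports(field):
    """Fixed ports in a rule port field; 'any', variables and negated ports give none."""
    return set() if field.startswith("!") else {int(p) for p in re.findall(r"\d+", field)}

def rules_overlapping_http_inspect(rules_text, conf_text):
    """Sids of rules with a fixed port in the http_inspect list that use plain content:."""
    hi_ports = http_inspect_ports(conf_text)
    hits = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = m["opts"]
        ports = rule_ports(m["sport"]) | rule_ports(m["dport"])
        sid = re.search(r"sid:\s*(\d+)", opts)
        # A rule keyed to an HTTP buffer (http_uri; etc.) is not a raw-content match.
        raw_content = "content:" in opts and not re.search(r"\bhttp_\w+\s*;", opts)
        if sid and raw_content and ports & hi_ports:
            hits.append(int(sid.group(1)))
    return hits
```

With the first config the reported rule (sid 1234) is listed; with 3128 removed from the ports list nothing is, which mirrors the two outcomes the report describes.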



