[Snort-devel] Bug report - no content match on http_inspect port

Joel Esler jesler at ...402...
Fri Mar 4 10:35:45 EST 2011


Traffic that is going to one of the ports that is in the http_inspect preprocessor's configuration is treated as HTTP, yes.

Joel

On Mar 4, 2011, at 10:25 AM, elof at ...969... wrote:

> 
> Yes. But that doesn't really answer any question or fix the problem, does it?
> 
> Are you saying that snort can no longer do simple pattern matching on all traffic that is handled by http_inspect?
> 
> 
> If I wanted to, I should be able to alert on the pattern "login: root" with a rule WITHOUT any given ports ('alert tcp any any -> any any (...)'), and snort should be acting sort of like 'ngrep'.
> But for traffic on ports 80 3128 and 8080 snort wouldn't generate any event. This is a bug to me.
> 
> /Elof
> 
> 
> On Fri, 4 Mar 2011, Joel Esler wrote:
> 
>> You should only put ports in the http_inspect config that you are running http services on, on your network.
>> 
>> 3128 is a common proxy port, so it's included by default.
>> 
>> Joel
>> 
>> On Mar 4, 2011, at 9:57 AM, elof at ...969... wrote:
>> 
>>> 
>>> Snort doesn't trigger alerts on traffic if that port is included in the
>>> http_inspect ports.
>>> 
>>> 
>>> Example:
>>> 
>>> A basic rule:
>>> 
>>> alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established;
>>> content:"login|3A| root"; sid:1234; rev:1;)
>>> 
>>> If the snort.conf contain this http_inspect configuration, sid:1234 will
>>> never trigger even if a packet is seen containing "login: root" from port
>>> 3128. Bug!
>>> 
>>> preprocessor http_inspect_server: server default profile all ports { 80
>>> 3128 8080 } oversize_dir_length 500 no_alerts
>>> 
>>> 
>>> If I remove port 3128 from the configuration and try again, I get an
>>> alert.
>>> 
>>> preprocessor http_inspect_server: server default profile all ports { 80
>>> 8080 } oversize_dir_length 500 no_alerts
>>> 
>>> 
>>> I tested it using this simple setup:
>>> Server: echo "login: root" | nc -l 3128
>>> Client: nc serverip 3128
>>> 
>>> When the client connect, I get a logged event using the second config.
>>> When the client connect, I don't get any event using the first config.
>>> This is reproduceable.
>>> 
>>> Could it be that http_inspect tries to normalise the string "login: root"
>>> and by doing so breaks it, so that there are no matches?
>>> 
>>> /Elof
>>> 
>>> ------------------------------------------------------------------------------
>>> What You Don't Know About Data Connectivity CAN Hurt You
>>> This paper provides an overview of data connectivity, details
>>> its effect on application quality, and explores various alternative
>>> solutions. http://p.sf.net/sfu/progress-d2d
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> 
>> --
>> Joel Esler
>> jesler () sourcefire.com
>> http://blog.snort.org && http://blog.clamav.net
>> 
>> 
>> ------------------------------------------------------------------------------
>> What You Don't Know About Data Connectivity CAN Hurt You
>> This paper provides an overview of data connectivity, details
>> its effect on application quality, and explores various alternative
>> solutions. http://p.sf.net/sfu/progress-d2d
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> 

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net





More information about the Snort-devel mailing list