[Snort-devel] Bug report - no content match on http_inspect port

elof at ...969...
Fri Mar 4 11:47:01 EST 2011


Joel, 
Why do you keep stating the obvious and ignore the issue?

Yes, 3128 is a proxy port. Yes traffic that I have configured to be 
inspected by http_inspect is treated as HTTP.

My bug report is that the normalisation of the packet might destroy it, 
or something else fails, because apparently a pattern match doesn't work.

Are you saying I can't simply look for the pattern "foo: bar" in any 
packet or stream if the port/stream is handled by http_inspect?

/Elof


On Fri, 4 Mar 2011, Joel Esler wrote:

> Traffic that is going to one of the ports that is in the http_inspect preprocessor's configuration is treated as HTTP, yes.
>
> Joel
>
> On Mar 4, 2011, at 10:25 AM, elof at ...969... wrote:
>
>>
>> Yes. But that doesn't really answer any question or fix the problem, does it?
>>
>> Are you saying that snort can no longer do simple pattern matching on all traffic that is handled by http_inspect?
>>
>>
>> If I wanted to, I should be able to alert on the pattern "login: root" with a rule WITHOUT any given ports ('alert tcp any any -> any any (...)'), and snort should be acting sort of like 'ngrep'.
>> But for traffic on ports 80, 3128 and 8080 snort wouldn't generate any event. This is a bug to me.
>>
>> /Elof
>>
>>
>> On Fri, 4 Mar 2011, Joel Esler wrote:
>>
>>> You should only put ports in the http_inspect config that you are running http services on, on your network.
>>>
>>> 3128 is a common proxy port, so it's included by default.
>>>
>>> Joel
>>>
>>> On Mar 4, 2011, at 9:57 AM, elof at ...969... wrote:
>>>
>>>>
>>>> Snort doesn't trigger alerts on traffic if that port is included in the
>>>> http_inspect ports.
>>>>
>>>>
>>>> Example:
>>>>
>>>> A basic rule:
>>>>
>>>> alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established;
>>>> content:"login|3A| root"; sid:1234; rev:1;)
>>>>
>>>> If the snort.conf contains this http_inspect configuration, sid:1234 will
>>>> never trigger even if a packet is seen containing "login: root" from port
>>>> 3128. Bug!
>>>>
>>>> preprocessor http_inspect_server: server default profile all ports { 80
>>>> 3128 8080 } oversize_dir_length 500 no_alerts
>>>>
>>>>
>>>> If I remove port 3128 from the configuration and try again, I get an
>>>> alert.
>>>>
>>>> preprocessor http_inspect_server: server default profile all ports { 80
>>>> 8080 } oversize_dir_length 500 no_alerts
>>>>
>>>>
>>>> I tested it using this simple setup:
>>>> Server: echo "login: root" | nc -l 3128
>>>> Client: nc serverip 3128
>>>>
>>>> When the client connects, I get a logged event using the second config.
>>>> When the client connects, I don't get any event using the first config.
>>>> This is reproducible.
>>>>
>>>> Could it be that http_inspect tries to normalise the string "login: root"
>>>> and by doing so breaks it, so that there are no matches?
>>>>
>>>> /Elof
>>>>
>>>> ------------------------------------------------------------------------------
>>>> What You Don't Know About Data Connectivity CAN Hurt You
>>>> This paper provides an overview of data connectivity, details
>>>> its effect on application quality, and explores various alternative
>>>> solutions. http://p.sf.net/sfu/progress-d2d
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>> --
>>> Joel Esler
>>> jesler () sourcefire.com
>>> http://blog.snort.org && http://blog.clamav.net
>>>
>>>
>
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
>
>
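The thread's reproduction depends on a live nc listener, which makes it awkward to re-run against two snort.conf variants side by side. The script below is an added example (not code from this thread or from the Snort project) that writes the same exchange to a pcap, including the three-way handshake that flow:established needs and valid IP/TCP checksums so Snort's default checksum verification does not silently drop the data segment, and parses an alert_fast log to see which sids fired. The addresses 10.0.0.1/10.0.0.2, client port 40000, the sequence numbers and the pcap file name are constructed for the example; the "[**] [gid:sid:rev] msg [**]" shape is Snort's alert_fast format.

```python
#!/usr/bin/env python3
"""Reproduce the thread's test offline: a server on TCP/3128 sends "login: root"
to a client, captured to a pcap for `snort -r`. Then count sids in alert_fast output.

Added example, not from the thread or the Snort project. Constructed assumptions:
addresses, client port, ISNs and the pcap timestamps below.
"""
import re
import struct
from collections import Counter

SERVER_IP, CLIENT_IP = "10.0.0.1", "10.0.0.2"   # constructed test addresses
SERVER_PORT, CLIENT_PORT = 3128, 40000          # 3128 is the port from the report
PAYLOAD = b"login: root\n"                       # what `echo "login: root"` emits
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18


def _ip2b(addr):
    return bytes(int(x) for x in addr.split("."))


def _csum(data):
    """RFC 1071 ones-complement sum; returns 0 when run over data with a valid checksum."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def tcp_packet(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with correct IP header and TCP checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = _ip2b(src) + _ip2b(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip2b(src), _ip2b(dst))
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def checksums_ok(frame):
    """True if both the IP header and the TCP segment of an Ethernet frame verify."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _csum(ip) == 0 and _csum(pseudo + tcp) == 0


def session_packets():
    """Full handshake plus the server's single data segment, so stream5 sees it
    as established and flow:from_server,established can match."""
    cseq, sseq = 1000, 5000  # constructed initial sequence numbers
    return [
        tcp_packet(CLIENT_IP, CLIENT_PORT, SERVER_IP, SERVER_PORT, cseq, 0, SYN),
        tcp_packet(SERVER_IP, SERVER_PORT, CLIENT_IP, CLIENT_PORT, sseq, cseq + 1, SYNACK),
        tcp_packet(CLIENT_IP, CLIENT_PORT, SERVER_IP, SERVER_PORT, cseq + 1, sseq + 1, ACK),
        tcp_packet(SERVER_IP, SERVER_PORT, CLIENT_IP, CLIENT_PORT, sseq + 1, cseq + 1, PSHACK, PAYLOAD),
        tcp_packet(CLIENT_IP, CLIENT_PORT, SERVER_IP, SERVER_PORT, cseq + 1,
                   sseq + 1 + len(PAYLOAD), ACK),
    ]


def write_pcap(path, packets, linktype=1):
    """Classic libpcap file: magic 0xa1b2c3d4, v2.4, snaplen 65535, LINKTYPE_ETHERNET."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for i, pkt in enumerate(packets):
            f.write(struct.pack("<IIII", 1299253621 + i, 0, len(pkt), len(pkt)) + pkt)


# alert_fast lines look like: "[**] [1:1234:1] foo [**] [Priority: 0] {TCP} a:b -> c:d"
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] ")


def sids_fired(alert_text):
    """Map sid -> number of alerts in an alert_fast log; empty if nothing fired."""
    return Counter(int(m.group(2)) for m in ALERT_RE.finditer(alert_text))


if __name__ == "__main__":
    write_pcap("login_root_3128.pcap", session_packets())
    print("wrote login_root_3128.pcap; replay with each snort.conf and compare sids_fired()")
```

Replay the capture once per configuration, e.g. `snort -c snort.conf -r login_root_3128.pcap -A fast -l logdir`, and feed the resulting alert file to sids_fired(); the two http_inspect ports lists in the thread should then show up as a difference in the count for sid 1234 rather than as a live-nc observation that is hard to repeat.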