[Snort-devel] Bug report - no content match on http_inspect port

Ryan Jordan ryan.jordan at ...402...
Fri Mar 4 12:12:56 EST 2011


Elof,

When you put a port number in the preprocessor's config, the
preprocessor will normalize traffic on that port.

You can use the "rawbytes" content modifier in your rule to specify
that you want the non-normalized payload.

alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established;
content:"login|3A| root"; rawbytes; sid:1234; rev:1;)

This behavior is intentional.

-Ryan

On Fri, Mar 4, 2011 at 11:47 AM,  <elof at ...969...> wrote:
> Joel,
> Why do you keep stating the obvious and ignore the issue?
>
> Yes, 3128 is a proxy port. Yes traffic that I have configured to be
> inspected by http_inspect is treated as HTTP.
>
> My bug report is that the normalisation of the packet might destroy it,
> or something else fails, because apparently a pattern match doesn't work.
>
> Are you saying I can't simply look for the pattern "foo: bar" in any
> packet or stream if the port/stream is handled by http_inspect?
>
> /Elof
>
>
> On Fri, 4 Mar 2011, Joel Esler wrote:
>
>> Traffic that is going to one of the ports that is in the http_inspect preprocessor's configuration is treated as HTTP, yes.
>>
>> Joel
>>
>> On Mar 4, 2011, at 10:25 AM, elof at ...969... wrote:
>>
>>>
>>> Yes. But that doesn't really answer any question or fix the problem, does it?
>>>
>>> Are you saying that snort can no longer do simple pattern matching on all traffic that is handled by http_inspect?
>>>
>>>
>>> If I wanted to, I should be able to alert on the pattern "login: root" with a rule WITHOUT any given ports ('alert tcp any any -> any any (...)'), and snort should be acting sort of like 'ngrep'.
>>> But for traffic on ports 80, 3128 and 8080 snort wouldn't generate any event. This is a bug to me.
>>>
>>> /Elof
>>>
>>>
>>> On Fri, 4 Mar 2011, Joel Esler wrote:
>>>
>>>> You should only put ports in the http_inspect config that you are running http services on, on your network.
>>>>
>>>> 3128 is a common proxy port, so it's included by default.
>>>>
>>>> Joel
>>>>
>>>> On Mar 4, 2011, at 9:57 AM, elof at ...969... wrote:
>>>>
>>>>>
>>>>> Snort doesn't trigger alerts on traffic if that port is included in the
>>>>> http_inspect ports.
>>>>>
>>>>>
>>>>> Example:
>>>>>
>>>>> A basic rule:
>>>>>
>>>>> alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established;
>>>>> content:"login|3A| root"; sid:1234; rev:1;)
>>>>>
>>>>> If the snort.conf contains this http_inspect configuration, sid:1234 will
>>>>> never trigger even if a packet is seen containing "login: root" from port
>>>>> 3128. Bug!
>>>>>
>>>>> preprocessor http_inspect_server: server default profile all ports { 80
>>>>> 3128 8080 } oversize_dir_length 500 no_alerts
>>>>>
>>>>>
>>>>> If I remove port 3128 from the configuration and try again, I get an
>>>>> alert.
>>>>>
>>>>> preprocessor http_inspect_server: server default profile all ports { 80
>>>>> 8080 } oversize_dir_length 500 no_alerts
>>>>>
>>>>>
>>>>> I tested it using this simple setup:
>>>>> Server: echo "login: root" | nc -l 3128
>>>>> Client: nc serverip 3128
>>>>>
>>>>> When the client connects, I get a logged event using the second config.
>>>>> When the client connects, I don't get any event using the first config.
>>>>> This is reproducible.
>>>>>
>>>>> Could it be that http_inspect tries to normalise the string "login: root"
>>>>> and by doing so breaks it, so that there are no matches?
>>>>>
>>>>> /Elof
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> What You Don't Know About Data Connectivity CAN Hurt You
>>>>> This paper provides an overview of data connectivity, details
>>>>> its effect on application quality, and explores various alternative
>>>>> solutions. http://p.sf.net/sfu/progress-d2d
>>>>> _______________________________________________
>>>>> Snort-devel mailing list
>>>>> Snort-devel at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>
>>>> --
>>>> Joel Esler
>>>> jesler () sourcefire.com
>>>> http://blog.snort.org && http://blog.clamav.net
>>>>
>>>>
>>>>
>>
>> --
>> Joel Esler
>> jesler () sourcefire.com
>> http://blog.snort.org && http://blog.clamav.net
>>
>>
>
>
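The behaviour Ryan describes, as a runnable toy model added here for illustration (this is not Snort source and not code from anyone in the thread): a plain content match on a port listed for http_inspect is evaluated against the preprocessor's normalized buffer, while the rawbytes modifier forces the match against the original payload. The normalizer below is a labelled stand-in, not http_inspect itself; it assumes that a payload which is not HTTP at all yields an empty normalized buffer, which is the one simplification needed to reproduce Elof's nc test. The two rules are taken from the thread; the payloads are constructed.

```python
"""Toy model of content matching with and without rawbytes on an
http_inspect port. Added example for this thread, not Snort code."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    src_port: str      # "any" or a port number, as written in the rule header
    content: bytes     # decoded content: pattern
    rawbytes: bool     # True if the rawbytes modifier is present
    sid: Optional[int]


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as 'login|3A| root' into bytes.
    Text between a pair of '|' characters is hex; everything else is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


RULE_RE = re.compile(r"alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)\s*$")


def parse_rule(text: str) -> Rule:
    """Parse the subset of rule syntax used in the thread: the header plus the
    content, rawbytes and sid options. Other options (msg, flow, rev) are ignored."""
    m = RULE_RE.match(re.sub(r"\s*\n\s*", " ", text.strip()))  # join wrapped lines
    if not m:
        raise ValueError("unsupported rule syntax")
    _src_ip, src_port, _dst_ip, _dst_port, options = m.groups()
    content, rawbytes, sid = b"", False, None
    for opt in (o.strip() for o in options.split(";") if o.strip()):
        key, _, value = opt.partition(":")
        if key == "content":
            content = parse_content(value.strip().strip('"'))
        elif key == "rawbytes":
            rawbytes = True
        elif key == "sid":
            sid = int(value)
    return Rule(src_port, content, rawbytes, sid)


HTTP_START = re.compile(rb"^(?:[A-Z]+ \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3})")


def http_inspect_normalize(payload: bytes) -> bytes:
    """Stand-in for the preprocessor (an assumption of this example, not Snort's
    code): a payload that begins with an HTTP request or status line gets a
    'normalized' copy (whitespace runs collapsed); anything else yields an empty
    normalized buffer, so a bare 'login: root' from nc has nothing to match."""
    if not HTTP_START.match(payload):
        return b""
    return re.sub(rb"[ \t]+", b" ", payload)


def rule_matches(rule: Rule, src_port: int, payload: bytes, http_ports: set) -> bool:
    """Evaluate one rule against one server-to-client payload. A plain content
    match on an http_inspect port is checked against the normalized buffer;
    rawbytes, or a port outside the list, checks the original bytes."""
    if rule.src_port != "any" and int(rule.src_port) != src_port:
        return False
    if src_port in http_ports and not rule.rawbytes:
        buffer = http_inspect_normalize(payload)
    else:
        buffer = payload
    return rule.content in buffer


# The two rules from the thread (Elof's original and Ryan's rawbytes variant).
PLAIN_RULE = ('alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established;\n'
              'content:"login|3A| root"; sid:1234; rev:1;)')
RAWBYTES_RULE = ('alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established;\n'
                 'content:"login|3A| root"; rawbytes; sid:1234; rev:1;)')

# Constructed payloads: what `echo "login: root" | nc -l 3128` sends, and a
# genuine HTTP response carrying the same string in its body.
NC_PAYLOAD = b"login: root\n"
HTTP_PAYLOAD = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nlogin: root\n"


def run_scenarios() -> dict:
    """Reproduce the thread's observations plus one extra case (real HTTP)."""
    plain, raw = parse_rule(PLAIN_RULE), parse_rule(RAWBYTES_RULE)
    with_3128, without_3128 = {80, 3128, 8080}, {80, 8080}
    return {
        "plain_rule_port_in_http_inspect": rule_matches(plain, 3128, NC_PAYLOAD, with_3128),
        "plain_rule_port_removed": rule_matches(plain, 3128, NC_PAYLOAD, without_3128),
        "rawbytes_rule_port_in_http_inspect": rule_matches(raw, 3128, NC_PAYLOAD, with_3128),
        "plain_rule_real_http_response": rule_matches(plain, 3128, HTTP_PAYLOAD, with_3128),
    }


if __name__ == "__main__":
    for name, hit in run_scenarios().items():
        print(f"{name}: {'ALERT' if hit else 'no alert'}")
```

The fourth scenario is the one the thread never states outright: with 3128 still listed, the plain rule does fire on an actual HTTP response that contains the string, so the port list is not "blinding" Snort to the pattern, it is changing which buffer a plain content match sees. The practical check before adding a port to http_inspect is therefore whether rules on that port expect HTTP-normalized buffers or raw bytes, and to mark the latter with rawbytes.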
