[Snort-devel] Bug report - no content match on http_inspect port

elof at ...969... elof at ...969...
Mon Mar 7 12:07:55 EST 2011


Hi Ryan.

Yes, but in this case 'rawbytes' doesn't help since the pattern I stated 
already was in the native (most normalized) form.
If I had been looking for the specific pattern 'login%3a root' 
(a non-normalized colon) in e.g. a URL, I would have used the 
'rawbytes' keyword.


Anyhow, I'm having a conversation with the http_inspect developer right 
now. He has got my full snort configuration.
I can repeat the issue every time. (No alerts are logged when the 
http_inspect configuration includes the 3128 port, but as soon as I remove 
it from the configuration (no other changes whatsoever), the signature 
starts triggering on the same test-pattern.)

/Elof


On Fri, 4 Mar 2011, Ryan Jordan wrote:

> Elof,
>
> When you put a port number in the preprocessor's config, the
> preprocessor will normalize traffic on that port.
>
> You can use the "rawbytes" content modifier in your rule to specify
> that you want the non-normalized payload.
>
> alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; rawbytes; sid:1234; rev:1;)
>
> This behavior is intentional.
>
> -Ryan
>
> On Fri, Mar 4, 2011 at 11:47 AM,  <elof at ...969...> wrote:
>> Joel,
>> Why do you keep stating the obvious and ignore the issue?
>>
>> Yes, 3128 is a proxy port. Yes traffic that I have configured to be
>> inspected by http_inspect is treated as HTTP.
>>
>> My bug report is that the normalisation of the packet might destroy it,
>> or something else fails. Because apparently a pattern match doesn't work.
>>
>> Are you saying I can't simply look for the pattern "foo: bar" in any
>> packet or stream if the port/stream is handled by http_inspect?
>>
>> /Elof
>>
>>
>> On Fri, 4 Mar 2011, Joel Esler wrote:
>>
>>> Traffic that is going to one of the ports that is in the http_inspect preprocessor's configuration is treated as HTTP, yes.
>>>
>>> Joel
>>>
>>> On Mar 4, 2011, at 10:25 AM, elof at ...969... wrote:
>>>
>>>>
>>>> Yes. But that doesn't really answer any question or fix the problem, does it?
>>>>
>>>> Are you saying that snort can no longer do simple pattern matching on all traffic that is handled by http_inspect?
>>>>
>>>>
>>>> If I wanted to, I should be able to alert on the pattern "login: root" with a rule WITHOUT any given ports ('alert tcp any any -> any any (...)'), and snort should be acting sort of like 'ngrep'.
>>>> But for traffic on ports 80 3128 and 8080 snort wouldn't generate any event. This is a bug to me.
>>>>
>>>> /Elof
>>>>
>>>>
>>>> On Fri, 4 Mar 2011, Joel Esler wrote:
>>>>
>>>>> You should only put ports in the http_inspect config that you are running http services on, on your network.
>>>>>
>>>>> 3128 is a common proxy port, so it's included by default.
>>>>>
>>>>> Joel
>>>>>
>>>>> On Mar 4, 2011, at 9:57 AM, elof at ...969... wrote:
>>>>>
>>>>>>
>>>>>> Snort doesn't trigger alerts on traffic if that port is included in the
>>>>>> http_inspect ports.
>>>>>>
>>>>>>
>>>>>> Example:
>>>>>>
>>>>>> A basic rule:
>>>>>>
>>>>>> alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; sid:1234; rev:1;)
>>>>>>
>>>>>> If the snort.conf contains this http_inspect configuration, sid:1234 will
>>>>>> never trigger even if a packet is seen containing "login: root" from port
>>>>>> 3128. Bug!
>>>>>>
>>>>>> preprocessor http_inspect_server: server default profile all ports { 80 3128 8080 } oversize_dir_length 500 no_alerts
>>>>>>
>>>>>>
>>>>>> If I remove port 3128 from the configuration and try again, I get an
>>>>>> alert.
>>>>>>
>>>>>> preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500 no_alerts
>>>>>>
>>>>>>
>>>>>> I tested it using this simple setup:
>>>>>> Server: echo "login: root" | nc -l 3128
>>>>>> Client: nc serverip 3128
>>>>>>
>>>>>> When the client connects, I get a logged event using the second config.
>>>>>> When the client connects, I don't get any event using the first config.
>>>>>> This is reproducible.
>>>>>>
>>>>>> Could it be that http_inspect tries to normalise the string "login: root"
>>>>>> and by doing so breaks it, so that there are no matches?
>>>>>>
>>>>>> /Elof
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> What You Don't Know About Data Connectivity CAN Hurt You
>>>>>> This paper provides an overview of data connectivity, details
>>>>>> its effect on application quality, and explores various alternative
>>>>>> solutions. http://p.sf.net/sfu/progress-d2d
>>>>>> _______________________________________________
>>>>>> Snort-devel mailing list
>>>>>> Snort-devel at lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>>
>>>>> --
>>>>> Joel Esler
>>>>> jesler () sourcefire.com
>>>>> http://blog.snort.org && http://blog.clamav.net
>>>>>
>>>>>
>>>>>
>>>
>>> --
>>> Joel Esler
>>> jesler () sourcefire.com
>>> http://blog.snort.org && http://blog.clamav.net
>>>
>>>
>>
>>
>
>
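The following is an added example, not part of the thread above and not Snort project code. It puts Elof's http_inspect_server line next to the three ways the same "login: root" detection can be written against it: the original rule (matched against the normalized payload), Ryan's rawbytes variant (matched against the unmodified payload), and an HTTP-aware variant that confines the match to the parsed response-header buffer, which needs extended_response_inspection turned on in the preprocessor config. The SIDs and msg strings are arbitrary placeholders, and the backslash line continuations are Snort's own syntax for splitting long config and rule lines.

```snort
# Added example (not from the thread). SIDs and msg text are placeholders.

# Preprocessor config as posted, with extended_response_inspection added so
# that server-to-client responses get their own normalized header/body
# buffers. Options such as ports, no_alerts and oversize_dir_length are not
# set by "profile all" and must be listed explicitly after it, as here.
preprocessor http_inspect_server: server default profile all \
    ports { 80 3128 8080 } \
    oversize_dir_length 500 \
    no_alerts \
    extended_response_inspection

# 1) As originally written: content is matched against the payload after
#    http_inspect has normalized it. This is the rule that did not fire in
#    Elof's "echo | nc -l 3128" test while 3128 was listed above.
alert tcp any 3128 -> any any (msg:"login root - normalized payload"; \
    flow:from_server,established; content:"login|3A| root"; \
    sid:1000001; rev:1;)

# 2) Ryan's suggestion: rawbytes makes the detection engine match the
#    unmodified packet payload, bypassing http_inspect's normalization.
#    This is the ngrep-style match Elof asked for and works for payloads
#    that are not HTTP at all, such as the bare "login: root" sent by nc.
alert tcp any 3128 -> any any (msg:"login root - raw payload"; \
    flow:from_server,established; content:"login|3A| root"; rawbytes; \
    sid:1000002; rev:1;)

# 3) HTTP-aware variant: http_header restricts the match to the parsed
#    response-header buffer (available on the from_server side only with
#    extended_response_inspection). It fires only on a real HTTP response
#    whose headers contain the string, so it stays silent on the nc test
#    payload, but it is the right tool when the traffic actually is HTTP.
alert tcp any 3128 -> any any (msg:"login root - HTTP response header"; \
    flow:from_server,established; content:"login|3A| root"; http_header; \
    sid:1000003; rev:1;)
```

Variant 2 is the one to use when the question is "does this byte string appear on the wire, whatever the protocol"; variant 3 is the one to use when the point is to avoid being fooled by encoding tricks in traffic that really is HTTP. Keep in mind that rawbytes turns off exactly the normalization that lets the HTTP buffers see through encoded forms such as 'login%3a root', so a rule that relies on it should be written for the literal bytes the sender puts on the wire.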