[Snort-sigs] http rule is not always triggering

Sven Wurth swurth at ...2481...
Tue Feb 16 04:56:58 EST 2010


Hi Snort-Sigs,

I saw a strange problem with a http rule, which is not always
triggering.
If I take a rule like this:

drop $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"foobar";
flow:established,to_server; uricontent:"insert"; nocase;
pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service
http; classtype:web-application-attack; sid:666666;)

go to google.com and search for "insert into", an alert will be logged and
the packet gets dropped.
The search takes a really long time and normally I get a timeout, but
sometimes retransmitted packets come through snort and google shows
the search results.
That's a failure, these packets should never pass snort.

I did a tcpdump on the outer snort interface; if I let snort read these
pcaps the attack is recognized. But why not always in inline
mode?

(snort 2.8.5.2 in inline mode)

Please help me, I have no idea how to debug this...

Best 
Sven 
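As an added illustration (not part of the original post and not Snort's own code), this Python approximation shows what the rule's two detection options check against a normalized URI: uricontent:"insert" with nocase, then the pcre with the U flag, which runs against the normalized URI buffer. The percent-decoding step is an assumed simplification of http_inspect normalization, and the sample URIs are constructed.

```python
import re
from urllib.parse import unquote

# Approximation of the rule's detection options (assumed, not Snort's code):
#   uricontent:"insert"; nocase;
#   pcre:"/insert[^\n]*into/Ui";
URICONTENT = "insert"
PCRE = re.compile(r"insert[^\n]*into", re.IGNORECASE)


def normalize_uri(raw_uri: str) -> str:
    """Percent-decode the request URI.

    Simplified stand-in for http_inspect's URI normalization; the real
    preprocessor does more (path normalization, multiple decodings, ...).
    """
    return unquote(raw_uri)


def rule_matches(raw_uri: str) -> bool:
    """Return True when both detection options match the normalized URI."""
    uri = normalize_uri(raw_uri)
    # uricontent:"insert"; nocase; -> case-insensitive substring check
    if URICONTENT not in uri.lower():
        return False
    # pcre with /U runs on the same normalized URI; /i makes it case-insensitive
    return PCRE.search(uri) is not None


# Constructed sample request URIs, not captured traffic.
SAMPLES = {
    "/search?q=insert+into": True,
    "/search?q=INSERT%20INTO+users": True,
    "/search?q=%69nsert%20into": True,   # matches only after decoding
    "/search?q=insert": False,            # "insert" alone, no "into"
    "/search?q=into+insert": False,       # wrong order for the pcre
}


def check_samples() -> dict:
    """Evaluate every constructed sample against the rule logic."""
    return {uri: rule_matches(uri) for uri in SAMPLES}


if __name__ == "__main__":
    for uri, hit in check_samples().items():
        print(("DROP " if hit else "pass ") + uri)
```

Note that this only reproduces the match logic; the inline drop behaviour and stream reassembly that the post is actually asking about are outside what this snippet models.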
