[Snort-sigs] http rule is not always triggering
swurth at ...2481...
Tue Feb 16 04:56:58 EST 2010
I saw a strange problem with an http rule, which is not always triggering.
If I take a rule like this:
drop $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"foobar";
flow:established,to_server; uricontent:"insert"; nocase;
pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service
http; classtype:web-application-attack; sid:666666;)
If I go to google.com and search for "insert into", an alert will be logged and
the packet gets dropped.
The search takes a really long time and normally I get a timeout, but
sometimes retransmitted packets come through snort and google shows
the search results.
That's a failure; these packets should never pass snort.
I did a tcpdump on the outer snort interface; if I let snort read these
pcaps the attack is recognized. But why not always in inline mode
(snort 184.108.40.206 in inline mode)?
Please help me, I have no idea how to debug this...
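As an added example that is not part of the original post, the following Python script reproduces what the rule's `uricontent:"insert"; nocase;` and `pcre:"/insert[^\n]*into/Ui"` options actually test, and runs that logic over a few constructed HTTP requests. It is useful for confirming the rule itself is correct before looking at inline-mode behaviour. The `normalize_uri` function is only a rough stand-in for the http_inspect normalized URI buffer that the `U` modifier selects (it does a single percent-decode pass; real Snort normalization also handles directory traversal, double encoding and other transforms), and every request and host name in it is made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP requests (not taken from the original post or any capture).
# Each tuple is (label, raw request bytes as they would appear on the wire).
SAMPLE_REQUESTS = [
    ("plain", b"GET /search?q=insert_into HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("plus_encoded", b"GET /search?q=insert+into+users HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # 'e' of "insert" and the space are percent-encoded; only matches after normalization.
    ("percent_encoded", b"GET /search?q=ins%65rt%20INTO HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # A decoded newline sits between the two words; [^\n]* in the pcre stops there.
    ("encoded_newline", b"GET /search?q=insert%0Ainto HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("benign", b"GET /search?q=insert+coin HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

# Equivalent of pcre:"/insert[^\n]*into/Ui": 'i' = case-insensitive,
# 'U' = evaluate against the normalized URI buffer (emulated below).
RULE_PCRE = re.compile(r"insert[^\n]*into", re.IGNORECASE)


def request_uri(raw_request: bytes) -> str:
    """Return the request-target from the request line (method SP target SP version)."""
    request_line = raw_request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def normalize_uri(uri: str) -> str:
    """Approximation of the http_inspect normalized URI: one percent-decoding pass.

    This is an assumption for the example; Snort's real normalization does more.
    """
    return unquote(uri)


def rule_matches(raw_request: bytes) -> bool:
    """Apply the rule's URI checks in order: uricontent fast pattern, then pcre."""
    uri = normalize_uri(request_uri(raw_request))
    # uricontent:"insert"; nocase; -> case-insensitive substring on the normalized URI
    if "insert" not in uri.lower():
        return False
    # pcre:"/insert[^\n]*into/Ui" -> regex on the same normalized buffer
    return RULE_PCRE.search(uri) is not None


def evaluate(requests) -> dict:
    """Map each sample label to whether the rule's detection options would fire."""
    return {label: rule_matches(raw) for label, raw in requests}


if __name__ == "__main__":
    for label, fired in evaluate(SAMPLE_REQUESTS).items():
        print(f"{label:18s} {'MATCH' if fired else 'no match'}")
```

Two things the run makes visible: the `percent_encoded` request only matches because the `U` modifier works on the decoded buffer, so a tool that tests the raw bytes would report a miss that Snort does not have; and the `encoded_newline` request slips past the pcre because `[^\n]*` refuses to cross a decoded newline, which is a property of this regex rather than of inline mode.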