[Snort-sigs] http rule is not always triggering

JJ Cummings cummingsj at ...2420...
Tue Feb 16 11:27:55 EST 2010


If you look at this rule and read it, specifically its directionality, you
will note that it is intended to detect / prevent the string in question
against your servers (HTTP_SERVERS), so unless you have all of the
google.com servers defined as your var HTTP_SERVERS you will see the
behavior that you are noting.  Note also the use of HTTP_PORTS; as such
(assuming you have defined your EXTERNAL_NET and HOME_NET or HTTP_SERVERS)
you would have to make a request out from the client on one of the defined
HTTP_PORTS, this way snort would catch the reply from google on the
monitored ports list.... make sense?

Beyond that, there are a number of reasons that you may be missing
event-generating packets, from dropped packets to asymmetric routing and
beyond. The short of it is that more info would be useful, but it appears
that what you are trying to simulate to generate this event will not
reliably do so.

JJC

On Tue, Feb 16, 2010 at 2:56 AM, Sven Wurth <swurth at ...2481...> wrote:

> Hi Snort-Sigs,
>
> I saw a strange problem with an http rule, which is not always
> triggering.
> If I take a rule like this:
>
> drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"foobar";
> flow:established,to_server; uricontent:"insert"; nocase;
> pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service
> http; classtype:web-application-attack; sid:666666;)
>
> go to google.com and search for "insert into", an alert will be logged and
> the packet gets dropped.
> The search takes a really long time and normally I get a timeout, but
> sometimes retransmitted packets come through snort and google shows
> the search results.
> That's a failure, these packets should never pass snort.
>
> I did a tcpdump on the outer snort interface; if I let snort read these
> pcaps the attack is recognized. But why not always in inline
> mode?
>
> (snort 2.8.5.2 in inline mode)
>
> Please help me, I have no idea how to debug this...
>
> Best
> Sven
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
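The directionality point above comes down to which packets of the Google search even reach the rule's payload options. The following is an added example, not Snort code and not from either poster: a small model of the Snort rule header (source/destination IP and port variables, the `->` direction) plus the `flow:to_server` keyword, run over constructed traffic. All addresses are RFC 5737 documentation space, the variable values are made up for the demonstration, and TCP state tracking (`flow:established`) and the `uricontent`/`pcre` payload options are deliberately not modelled; the `uricontent` and `pcre` checks only ever run on packets that pass this stage.

```python
"""Added example (not Snort code, not from the thread): a minimal model of the
Snort rule *header* plus the flow:to_server keyword, to show which packets of
an outbound Google search are even eligible for the uricontent/pcre checks.
All addresses, ports and variable values are constructed (RFC 5737 space)."""
from collections import namedtuple
import ipaddress

Packet = namedtuple("Packet", "src sport dst dport to_server")

# Constructed snort.conf-style variables. The first layout is the usual
# "protect my web servers" setup; the second is the permissive one.
VARS_PROTECT_SERVERS = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
    "HTTP_PORTS": "80,8080",
}
VARS_ANY = dict(VARS_PROTECT_SERVERS, EXTERNAL_NET="any", HTTP_SERVERS="any")

# Header of the rule from the thread (the options after it are not modelled).
RULE_HEADER = "drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"


def ip_matches(ip, spec, variables):
    """Does ip fall inside a Snort IP spec: any, !spec, $VAR, [a,b], CIDR."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(ip, spec[1:], variables)
    if spec.startswith("$"):
        return ip_matches(ip, variables[spec[1:]], variables)
    if spec.startswith("["):
        return any(ip_matches(ip, s, variables) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(port, spec, variables):
    """Does port fall inside a Snort port spec: any, !spec, $VAR, [a,b], lo:hi."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(port, spec[1:], variables)
    if spec.startswith("$"):
        return port_matches(port, variables[spec[1:]], variables)
    spec = spec.strip("[]")
    if "," in spec:
        return any(port_matches(port, s, variables) for s in spec.split(","))
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def header_eligible(header, variables, pkt, flow_to_server=True):
    """Return (True, "") if pkt passes the rule header and flow:to_server,
    else (False, reason) naming the first field that rejected it."""
    _action, _proto, src, sport, direction, dst, dport = header.split()
    if direction != "->":
        raise ValueError("only the one-way '->' header is modelled")
    checks = [
        (ip_matches(pkt.src, src, variables), "src not in " + src),
        (port_matches(pkt.sport, sport, variables), "sport not in " + sport),
        (ip_matches(pkt.dst, dst, variables), "dst not in " + dst),
        (port_matches(pkt.dport, dport, variables), "dport not in " + dport),
        (pkt.to_server or not flow_to_server, "flow:to_server: server->client"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, ""


# Constructed traffic: an inside client searching an outside web server for
# "insert into", that server's reply, and an outsider hitting an inside server.
SEARCH_REQUEST = Packet("192.168.1.10", 51234, "203.0.113.5", 80, True)
SEARCH_REPLY = Packet("203.0.113.5", 80, "192.168.1.10", 51234, False)
INBOUND_ATTACK = Packet("203.0.113.7", 40000, "192.168.1.20", 80, True)


def run_scenarios():
    """Map (layout, scenario) -> (eligible?, reason) for both variable layouts."""
    out = {}
    for layout, variables in (("protect", VARS_PROTECT_SERVERS), ("any", VARS_ANY)):
        for name, pkt in (("search_request", SEARCH_REQUEST),
                          ("search_reply", SEARCH_REPLY),
                          ("inbound_attack", INBOUND_ATTACK)):
            out[(layout, name)] = header_eligible(RULE_HEADER, variables, pkt)
    return out


if __name__ == "__main__":
    for (layout, name), (ok, why) in run_scenarios().items():
        print("%-8s %-15s %s %s" % (layout, name, "MATCH" if ok else "skip ", why))
```

With the "protect my servers" layout the outbound search request is rejected at the very first field (its source is inside HOME_NET, so not in EXTERNAL_NET), and the server's reply is rejected on the destination port (the client's ephemeral port is not in HTTP_PORTS) and would fail `flow:to_server` anyway; only the inbound request against an internal server reaches the payload options. Widening EXTERNAL_NET and HTTP_SERVERS to `any` is what makes the Google search eligible at all, which is one thing to check in snort.conf before looking for dropped packets or asymmetric paths.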