[Snort-sigs] http rule is not always triggering

Sven Wurth swurth at ...2481...
Thu Feb 18 02:53:56 EST 2010


Hi JCC,

@first thanks for your reply

More details are no problem,
due my variables (all are set to ANY) you can read the rule like this:

drop any any -> any 80 (msg:"foobar";
flow:established,to_server; uricontent:"insert"; nocase;
pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service
http; classtype:web-application-attack; sid:666666;)

and  99% of my request to google gets dropped, this is working.
The problem is that not 100% gets dropped.

My Environment looks like this: 
$XP=Windows XP machine with IE6 which request the google search 'insert into' 
$SNORTINLINES=Snort 2.8.5.2, inline mode, 2 interfaces, masquerade, all traffic goes to the iptables queue target
$SNORT2=Snort 2.8.5.2, pcap mode, 2 interfaces, masquerade

$XP -> $SNORTINLINE -> $SNORT2 -> Internet

I tcpdump all the traffic on $SNORT2 sensor.

Now I do some google searches for "insert into" on $XP,
at the moment that google shows me the results the attack came through!
And not only on $SNORTINLINE, this attack also passes the $SNORT2 sensor.

How can I say that?
Because I dumped all the traffic on $SNORT2 and if I start on $SNORTINLINE or $SNORT2 snort with '--pcap-single -A cmg'
I see the alerts for the missed attack's!

Best Sven





From: jcummings at ...435... [mailto:jcummings at ...435...] On Behalf Of JJ Cummings
Sent: Tuesday, February 16, 2010 5:28 PM
To: Sven Wurth
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] http rule is not always triggering

If you look at this rule and read it "specifically it's directionality" you will note that it is intended to detect / prevent the string in question against your servers (HTTP_SERVERS) so unless you have all of the google.com servers defined as your var HTTP_SERVERS you will see the behavior that you are noting.  Note also the use of HTTP_PORTS, as such (assuming you have defined your EXTERNAL_NET and HOME_NET or HTTP_SERVERS) you would have to make a request out from the client on one of the defined HTTP_PORTS, this way snort would catch the reply from google on the monitored ports list.... make sense?

Beyond that, there are a number of reasons that you may be missing event generating packets.. from dropped packets to asymmetric routing and beyond.. The short of it is that more info would be useful, but it appears that what you are trying to simulate to generate this event will not reliably do so.

JJC
On Tue, Feb 16, 2010 at 2:56 AM, Sven Wurth <swurth at ...2481...> wrote:
Hi Snort-Sigs,

I saw a strange problem with a http rule, which is not triggering
always.
If I take a rule like this:

drop $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"foobar";
flow:established,to_server; uricontent:"insert"; nocase;
pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service
http; classtype:web-application-attack; sid:666666;)

go to google.com and search for "insert into", an alert will logged and
the packet gets dropped.
The search takes a really long time and normally I get an timeout, but
sometimes retransmitted packets came through snort and google shows up
the search results.
That's a failure, these packets should never pass snort.

I done a tcpdump on the outer snort interface, if I let snort read these
pcaps the attack will be recognized. But why not in always in the inline
mode?

(snort 2.8.5.2 in inline mode)

Please help me, I have no idea how to debug this...

Best
Sven







------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs







More information about the Snort-sigs mailing list