[Snort-sigs] Snort 2.8.6 and gzip decoding functionality not working for me

Matt Watchinski mwatchinski at ...435...
Tue May 4 17:01:51 EDT 2010


Looks like you only have 80 on ports client, remove it from there and
add it to both.

Something like.

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp
yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
        161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667
6668 6669 \
        7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 80 443 465 563 636 989 992 993 994 995 1220 2301 3128
6907 7702 7777 7779 7801 7900 7901 7902 7903 7904 7905 \
        7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918
7919 7920 8000 8008 8028 8080 8180 8888 9999
preprocessor stream5_udp: timeout 180

Cheers,
-matt

On Tue, May 4, 2010 at 4:31 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...2420...> wrote:
> Matts, thanks for the responses.  Using the config options that
> Watchinski provided yielded the same results as initially described.
> Bhagya, I think I have streams enabled; please correct me if I am
> wrong:
>
> # cat /etc/snort/snort.conf | grep -i -A 10 stream
> # Target-Based stateful inspection/stream reassembly.  For more
> inforation, see README.stream5
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp
> yes, track_icmp no
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>   overlap_limit 10, check_session_hijacking, small_segments 3 bytes
> 150, timeout 180, \
>   ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136
> 137 139 143 110 \
>      111 161 445 513 514 691 1220 1433 1521 2100 2301 3128 3306 6665
> 6666 6667 6668 6669 \
>      7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775
> 32776 32777 32778 32779, \
>   ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
> 7902 7903 7904 7905 \
>      7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
> preprocessor stream5_udp: timeout 180
>
> # performance statistics.  For more information, see the Snort Manual,
> Configuring Snort - Preprocessors - Performance Monitor
> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>
> # HTTP normalization and anomaly detection.  For more information, see
> README.http_inspect
> # preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> compress_depth 20480 decompress_depth 20480
> preprocessor http_inspect_server: server default \
>   apache_whitespace no \
>   ascii no \
>
> As for pcaps, yes they can be provided but I have looked in to them
> myself and have confirmed the behaviour described.  I am concerned
> about anonamyzing them since the google javascript data may contain
> PII in the URI and/or cookies.  Do you know of a good site that uses
> gzip without PII that I can use to test and give you pcaps?
>
> Thanks again.
>
> Cheers,
>
> -L0rd Ch0de1m0rt
>
> On Tue, May 4, 2010 at 3:18 PM, Bhagya Bantwal <bbantwal at ...435...> wrote:
>> Turning on stream reassembly might be useful too.
>>
>> Do you have a pcap we could look into?
>>
>>
>> -B
>>
>> On Tue, May 4, 2010 at 3:40 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...3422.....>
>> wrote:
>>>
>>> Hello.  I am experimenting with snort v2.8.6 and hope to benefit from
>>> its gzip decoding capabilities.  However, I have been unsuccessful so
>>> far in getting it to work.  I am fetching a javascript file from
>>> google and clearly it is encoding it using gzip.  This rule alerts me:
>>>
>>> alert tcp any any -> any any (msg:"gzip encoding detected from
>>> server"; flow:established,from_server; content:"|0d
>>> 0a|Content-Encoding: gzip|0d 0a|"; nocase; classtype:attempted-user;
>>> sid:3141591; rev:1;)
>>>
>>> BUT this rule does not alert when it is clearly in the gzip decoded data:
>>>
>>> alert tcp any any -> any any (msg:"detected on gzip decoded data from
>>> Google"; flow:established,from_server; content:"google.isOpera=false";
>>> nocase; classtype:attempted-user; sid:3141592; rev:1;)
>>>
>>> I am using the defaults for the gzip portion of the http_inspect
>>> preprocessor and the content trying to be matched
>>> (google.isOpera=false) is in the first few hundred bytes of the data.
>>> Here is my snort.conf http_inspect details:
>>>
>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>> preprocessor http_inspect_server: server default \
>>>   apache_whitespace no \
>>>   ascii no \
>>>        bare_byte no \
>>>        chunk_length 500000 \
>>>   server_flow_depth 0 \
>>>   client_flow_depth 0 \
>>>   post_depth 65495 \
>>>        directory no \
>>>        double_decode no \
>>>        iis_backslash no \
>>>        iis_delimiter no \
>>>        iis_unicode no \
>>>        multi_slash no \
>>>        non_strict \
>>>        oversize_dir_length 500 \
>>>        ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180
>>> 8888 9999 } \
>>>        u_encode yes \
>>>        non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>        webroot no \
>>>        extended_response_inspection \
>>>        inspect_gzip
>>>
>>> I configured snort with --enable-zlib before I compiled and I get this
>>> on snort startup:
>>>
>>> Using ZLIB version: 1.2.3.3
>>>
>>> What am I doing wrong here?  Thanks for any help.
>>>
>>> Cheers,
>>>
>>> -L0rd Ch0de1m0rt
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/




More information about the Snort-sigs mailing list