[Snort-sigs] Snort 2.8.6 and gzip decoding functionality not working for me

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Wed May 5 17:45:30 EDT 2010


Hello.  Thanks Matt, that did the trick.  I suppose I need to read up
on the streams preprocessor now.  Seems strange that port 80 would be
in client only by default, especially now that gzip decompress is
possible with snort.

Thanks again.

Cheers.

-L0rd Ch0de1m0r

On Tue, May 4, 2010 at 4:01 PM, Matt Watchinski
<mwatchinski at ...435...> wrote:
> Looks like you only have 80 on ports client, remove it from there and
> add it to both.
>
> Something like.
>
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp
> yes, track_icmp no
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>        161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667
> 6668 6669 \
>        7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>    ports both 80 443 465 563 636 989 992 993 994 995 1220 2301 3128
> 6907 7702 7777 7779 7801 7900 7901 7902 7903 7904 7905 \
>        7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918
> 7919 7920 8000 8008 8028 8080 8180 8888 9999
> preprocessor stream5_udp: timeout 180
>
> Cheers,
> -matt
>
> On Tue, May 4, 2010 at 4:31 PM, L0rd Ch0de1m0rt
> <l0rdch0de1m0rt at ...2420...> wrote:
>> Matts, thanks for the responses.  Using the config options that
>> Watchinski provided yielded the same results as initially described.
>> Bhagya, I think I have streams enabled; please correct me if I am
>> wrong:
>>
>> # cat /etc/snort/snort.conf | grep -i -A 10 stream
>> # Target-Based stateful inspection/stream reassembly.  For more
>> inforation, see README.stream5
>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp
>> yes, track_icmp no
>> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>>   overlap_limit 10, check_session_hijacking, small_segments 3 bytes
>> 150, timeout 180, \
>>   ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136
>> 137 139 143 110 \
>>      111 161 445 513 514 691 1220 1433 1521 2100 2301 3128 3306 6665
>> 6666 6667 6668 6669 \
>>      7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775
>> 32776 32777 32778 32779, \
>>   ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
>> 7902 7903 7904 7905 \
>>      7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
>> preprocessor stream5_udp: timeout 180
>>
>> # performance statistics.  For more information, see the Snort Manual,
>> Configuring Snort - Preprocessors - Performance Monitor
>> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>>
>> # HTTP normalization and anomaly detection.  For more information, see
>> README.http_inspect
>> # preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>> compress_depth 20480 decompress_depth 20480
>> preprocessor http_inspect_server: server default \
>>   apache_whitespace no \
>>   ascii no \
>>
>> As for pcaps, yes they can be provided but I have looked in to them
>> myself and have confirmed the behaviour described.  I am concerned
>> about anonymizing them since the google javascript data may contain
>> PII in the URI and/or cookies.  Do you know of a good site that uses
>> gzip without PII that I can use to test and give you pcaps?
>>
>> Thanks again.
>>
>> Cheers,
>>
>> -L0rd Ch0de1m0rt
>>
>> On Tue, May 4, 2010 at 3:18 PM, Bhagya Bantwal <bbantwal at ...435...> wrote:
>>> Turning on stream reassembly might be useful too.
>>>
>>> Do you have a pcap we could look into?
>>>
>>>
>>> -B
>>>
>>> On Tue, May 4, 2010 at 3:40 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...3418......>
>>> wrote:
>>>>
>>>> Hello.  I am experimenting with snort v2.8.6 and hope to benefit from
>>>> its gzip decoding capabilities.  However, I have been unsuccessful so
>>>> far in getting it to work.  I am fetching a javascript file from
>>>> google and clearly it is encoding it using gzip.  This rule alerts me:
>>>>
>>>> alert tcp any any -> any any (msg:"gzip encoding detected from
>>>> server"; flow:established,from_server; content:"|0d
>>>> 0a|Content-Encoding: gzip|0d 0a|"; nocase; classtype:attempted-user;
>>>> sid:3141591; rev:1;)
>>>>
>>>> BUT this rule does not alert when it is clearly in the gzip decoded data:
>>>>
>>>> alert tcp any any -> any any (msg:"detected on gzip decoded data from
>>>> Google"; flow:established,from_server; content:"google.isOpera=false";
>>>> nocase; classtype:attempted-user; sid:3141592; rev:1;)
>>>>
>>>> I am using the defaults for the gzip portion of the http_inspect
>>>> preprocessor and the content trying to be matched
>>>> (google.isOpera=false) is in the first few hundred bytes of the data.
>>>> Here is my snort.conf http_inspect details:
>>>>
>>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>>> preprocessor http_inspect_server: server default \
>>>>   apache_whitespace no \
>>>>   ascii no \
>>>>        bare_byte no \
>>>>        chunk_length 500000 \
>>>>   server_flow_depth 0 \
>>>>   client_flow_depth 0 \
>>>>   post_depth 65495 \
>>>>        directory no \
>>>>        double_decode no \
>>>>        iis_backslash no \
>>>>        iis_delimiter no \
>>>>        iis_unicode no \
>>>>        multi_slash no \
>>>>        non_strict \
>>>>        oversize_dir_length 500 \
>>>>        ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180
>>>> 8888 9999 } \
>>>>        u_encode yes \
>>>>        non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>>        webroot no \
>>>>        extended_response_inspection \
>>>>        inspect_gzip
>>>>
>>>> I configured snort with --enable-zlib before I compiled and I get this
>>>> on snort startup:
>>>>
>>>> Using ZLIB version: 1.2.3.3
>>>>
>>>> What am I doing wrong here?  Thanks for any help.
>>>>
>>>> Cheers,
>>>>
>>>> -L0rd Ch0de1m0rt
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> _______________________________________________
>>>> Snort-sigs mailing list
>>>> Snort-sigs at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>>
>>
>>
>
>
>
> --
> Matthew Watchinski
> Sr. Director Vulnerability Research Team (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>
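The root cause in this thread is a configuration mismatch rather than a gzip bug: http_inspect only sees a reassembled server response on a port if stream5_tcp reassembles that port in the server direction, and port 80 sat under `ports client` in the original snort.conf. The script below is an added example, not code from the thread or from the Snort project, that checks a snort.conf for exactly this mismatch: every port in an `http_inspect_server` `ports { ... }` list with `inspect_gzip` enabled must appear under `ports both` or `ports server` in `stream5_tcp`. The two config fragments are constructed and simplified from the shapes posted in the thread, the function names are mine, and the check assumes (as Snort 2.8.x documents for stream5) that an explicit `ports` list in stream5_tcp replaces the built-in defaults, so it deliberately reports nothing when no `ports` keyword is present.

```python
import re

# Constructed snort.conf fragments (simplified, modelled on the shape of the
# configs posted in the thread; not copied from any real deployment).
# BROKEN lists 80 and 8080 under "ports client", so stream5 reassembles only
# the client-to-server side and the gzip-encoded server response is never
# handed to http_inspect as a reassembled stream.
SNORT_CONF_BROKEN = r"""
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
   ports client 21 22 25 80 8080, \
   ports both 443 8000
preprocessor stream5_udp: timeout 180
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
   ports { 80 443 8000 8080 } \
   extended_response_inspection \
   inspect_gzip
"""

# Same fragment with the HTTP ports moved to "ports both", as the thread suggests.
SNORT_CONF_FIXED = SNORT_CONF_BROKEN.replace(
    "ports client 21 22 25 80 8080", "ports client 21 22 25"
).replace("ports both 443 8000", "ports both 80 443 8000 8080")


def join_continuations(text):
    """Merge backslash-continued lines so each directive becomes one logical line."""
    return re.sub(r"\\\s*\n\s*", " ", text)


def preprocessor_lines(text):
    """Map preprocessor name -> list of option strings, skipping comments."""
    found = {}
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("#") or not line.startswith("preprocessor "):
            continue
        name, _, options = line[len("preprocessor "):].partition(":")
        found.setdefault(name.strip(), []).append(options.strip())
    return found


def stream5_ports(stream5_tcp_options):
    """Return {'client': set, 'server': set, 'both': set} parsed from the
    comma-separated stream5_tcp option string ('ports <dir> <list>')."""
    dirs = {"client": set(), "server": set(), "both": set()}
    for opt in stream5_tcp_options.split(","):
        m = re.match(r"\s*ports\s+(client|server|both)\s+([\d\s]+)", opt)
        if m:
            dirs[m.group(1)].update(int(p) for p in m.group(2).split())
    return dirs


def http_inspect_ports(server_options):
    """Ports from an http_inspect_server 'ports { ... }' block (empty if absent)."""
    m = re.search(r"ports\s*\{([^}]*)\}", server_options)
    return {int(p) for p in m.group(1).split()} if m else set()


def gzip_enabled(server_options):
    return re.search(r"\binspect_gzip\b", server_options) is not None


def check_gzip_reassembly(conf_text):
    """Return the sorted HTTP ports that http_inspect would try to gzip-decode
    but that stream5_tcp never reassembles in the server direction.

    Assumption (hypothetical simplification): an explicit stream5_tcp 'ports'
    list replaces the defaults; with no 'ports' keyword at all we stay silent
    rather than guess the built-in default port sets."""
    pp = preprocessor_lines(conf_text)
    s5_options = " ".join(pp.get("stream5_tcp", []))
    if not re.search(r"\bports\s+(client|server|both)\b", s5_options):
        return []
    dirs = stream5_ports(s5_options)
    server_side = dirs["server"] | dirs["both"]
    missing = set()
    for server_options in pp.get("http_inspect_server", []):
        if gzip_enabled(server_options):
            missing |= http_inspect_ports(server_options) - server_side
    return sorted(missing)


if __name__ == "__main__":
    for label, conf in (("broken", SNORT_CONF_BROKEN), ("fixed", SNORT_CONF_FIXED)):
        ports = check_gzip_reassembly(conf)
        if ports:
            print(f"{label}: inspect_gzip ports lacking server-side reassembly: {ports}")
        else:
            print(f"{label}: all inspect_gzip ports reassembled in the server direction")
```

Run it against a real snort.conf by reading the file into `check_gzip_reassembly`; a non-empty result means the same symptom as in the thread (the raw `Content-Encoding: gzip` header rule fires, the rule on decoded content never does) for those ports until they are moved to `ports both`.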