[Snort-users] Problems trying to grep traffic in TCP streams

snort at ...3895... snort at ...3895...
Tue Oct 23 13:10:06 EDT 2001

Hello, folks.

I am having problems with getting snort produce alerts when some
traffic appears in a TCP stream.

What I want is having snort search for a pair of strings that may
occur at any time during TCP sessions.  I have two cases of interest,
with different strings each, that may happen via SMTP or via a
web-based e-mail provider.

Then I set the rules below but could not get the desired behaviour to
happen.  The first rule, for SMTP, worked fairly well with 1.8.1, but
failed to work if the two strings were too distant from one another.
The second rule never worked, even with variations to make string
matches exact, instead of case-insentive and with wildcard characters.
With the CVS version, even the test set for the first rule stopped
producing alarms.

Are my rules wrong for the behaviour I want?  Do you have any pointers?

I tried the same versions with the same rule set in a NetBSD-1.5.2
machine, and results were excatly the same.

System architecture: i386 (Pentium-III 700)

Operating system: Linux, kernel 2.0.36, libc5; NetBSD-1.5.2

    #snort config file to test ability to detect suspect content

    preprocessor frag2
    preprocessor stream4: timeout 60
    preprocessor stream4_reassemble: clientonly, ports 25 3128

    var SERVER_PORT 80

    alert tcp any any -> any any (  \
            flags: A+;                                                      \
            content: "something1";                                            \
            content: "otherstuff2";                                          \
            nocase;                                                         \

            msg: "something1+otherstuff2 detected";\


    alert tcp any any -> any any (  \
            flags: A+;                                                      \
            content: "POST /cgi-bin/webmail.exe";                           \
            content: "=abuse%40tmp.com.br";                                 \
            nocase;                                                         \

            msg: "Detected sending webmail to abuse at ...3895...";\

    #eof snort.conf

Command line used: "snort -z est", "snort -b -z est", "snort -z all", "snort -b -z all"

Below are te test commands, data and output from snort.

For the first rule:

    % telnet mailhost 25
    helo something1
    mail from: otherstuff2 at ...3895...
    rcpt to: pappires at ...3895...

Output with 1.8.1_RELEASE: /var/log/snort/alert
    [**] [1:0:0] something1+otherstuff2 detected [**]
    10/22-12:52:22.213856 ->
    TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:144
    ***AP*** Seq: 0x951B462A  Ack: 0xCB327D81  Win: 0x7FDF  TcpLen: 20

Output with CVS version (1.8.2beta0): /var/log/alert: Nothing!

For the second rule:

    % telnet squid 3128
    POST http://www.bol.com.br/cgi-bin/webmail.exe?q=abuse%40tmp.com.br HTTP/1.0
    Content-Length: 0

Output with 1.8.1_RELEASE: /var/log/snort/alert: Nothing!

Output with CVS version (1.8.2beta0): /var/log/snort/alert: Nothing!

        Paulo Alexandre Pinto Pires -- pappires at ...3895...
        TMP Consultoria em Informatica S/C -- http://www.tmp.com.br
        Phone: +55-21-2556-3791

More information about the Snort-users mailing list