[Snort-users] problem with http_inspect_server interactions with rules

Joe Patterson jpatterson at ...12705...
Tue Nov 23 13:57:02 EST 2004


I've seen something that I *think* is an error, and is certainly undesired
behavior, with an interaction between http_inspect_server parameters and
some rules (I haven't tested many rules, I want to get this one working so
that I know what the core problem is).  I've tested this on snort 2.2.0
build 30 and 2.3.0RC1 Build 8, I'm using a linux 2.6.5 kernel running
gentoo.

I've got a pcap file
(http://www.asgardgroup.com/~jpatterson/snort/mydata.pcap) with two http GET
requests in it, and the responses to them (note that this is a completely
contrived example. I contrived it for the purpose of triggering two rules
for some unrelated event correlation work, and was surprised when snort
didn't give me the output I was expecting). I've also got a snort config
file (http://www.asgardgroup.com/~jpatterson/snort/mysnort.conf) containing
exactly two alert rules, and the variables and preprocessors necessary to
their correct operation.

The specific rules (from the current rulebase) are:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; flow:to_server,established; uricontent:"/level/"; uricontent:"/exec/"; reference:bugtraq,2936; reference:cve,2001-0537; classtype:web-application-attack; sid:1250; rev:11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; flow:from_server,established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:8;)

If I run the following command:

snort -c ./mysnort.conf -l . -r ./mydata.pcap -A full -k none

I get an alert output that contains only the two "WEB-MISC Cisco IOS HTTP
configuration attempt" entries.

Now, if I comment out the configuration line:

preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500

then I get a very different looking alert file that contains only the
"ATTACK-RESPONSES directory listing" alert.

I can't figure out for the life of me why that configuration option would
either enable the HTTP configuration attempt alert, or why its absence
would disable same. Nor can I figure out why its absence would disable the
attack response rule, and its presence would disable that rule.

Anyone have any thoughts as to why this sort of thing might happen?

Thanks,

-Joe Patterson, CCNP, CISSP
Senior Security Engineer
SteelCloud, Inc.
(954)318-3200x105
jpatterson at ...12705...
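A small rule-option parser, added here as a worked example and not part of Joe's mail or of Snort itself, that pulls apart the two rules quoted above and reports which detection buffer each one depends on. The point it makes explicit: sid 1250 is written entirely with uricontent, which matches against the normalized URI buffer that http_inspect populates for the ports it is configured on, whereas sid 1292 matches raw payload with content on server-to-client traffic. Tabulating that per rule is a useful first step when a preprocessor change flips which alerts fire. The rule strings are constructed copies of the ones in the mail; the parser handles the option syntax they use (quoted values, ';' separators) and is not a full Snort grammar.

```python
"""Minimal Snort 2.x rule parser: header fields plus the options that decide
which buffer a rule inspects.  Added example, not Snort's own code."""
import re

# Constructed copies of the two rules quoted in the mail, one per line.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; '
    'flow:to_server,established; uricontent:"/level/"; uricontent:"/exec/"; '
    'reference:bugtraq,2936; reference:cve,2001-0537; '
    'classtype:web-application-attack; sid:1250; rev:11;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"ATTACK-RESPONSES directory listing"; flow:from_server,established; '
    'content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:8;)',
]

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(opts):
    """Split the option body on ';' that sit outside double quotes.

    Returns a list of (keyword, value) pairs with surrounding quotes removed.
    Escaped quotes inside values are not handled; the quoted rules need none.
    """
    pairs, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            item = ''.join(cur).strip()
            if item:
                key, _, val = item.partition(':')
                pairs.append((key.strip(), val.strip().strip('"')))
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()          # option without a trailing ';'
    if tail:
        key, _, val = tail.partition(':')
        pairs.append((key.strip(), val.strip().strip('"')))
    return pairs


def parse_rule(rule):
    """Parse one rule into a dict of header fields and buffer-relevant options."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError('not a Snort rule: %r' % rule[:40])
    opts = split_options(m.group('opts'))
    first = lambda key: next((v for k, v in opts if k == key), None)
    info = {name: m.group(name) for name in
            ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    info['options'] = opts
    info['msg'] = first('msg')
    info['sid'] = int(first('sid')) if first('sid') else None
    info['rev'] = int(first('rev')) if first('rev') else None
    info['flow'] = first('flow').split(',') if first('flow') else []
    info['references'] = [v for k, v in opts if k == 'reference']
    info['uricontent'] = [v for k, v in opts if k == 'uricontent']
    info['content'] = [v for k, v in opts if k == 'content']
    # uricontent is evaluated against the normalized URI buffer that the HTTP
    # preprocessor (http_inspect in 2.2/2.3) fills in; plain content is
    # evaluated against the raw packet payload.
    info['depends_on_uri_buffer'] = bool(info['uricontent'])
    return info


def summarize(rule):
    """One-line description of what a rule needs in order to match."""
    r = parse_rule(rule)
    direction = next((f for f in r['flow'] if f.endswith('_server')), 'any')
    buf = 'normalized URI (http_inspect)' if r['depends_on_uri_buffer'] else 'raw payload'
    return 'sid %d rev %d: %s | flow %s | buffer: %s' % (
        r['sid'], r['rev'], r['msg'], direction, buf)


if __name__ == '__main__':
    for rule in RULES:
        print(summarize(rule))
```

Running the block prints one line per rule; the interesting column is the last one, which separates the URI-buffer rule from the raw-payload rule before any pcap is replayed.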