[Snort-users] Content not being detected

Matt Olney molney at ...1935...
Tue Feb 10 08:52:38 EST 2009


Well there are a couple of things to consider.

First, you most likely don't have to worry about stream reassembly.  I
would anticipate a single pcap to handle the post and the uri.

Second, without a pcap to work with, I would say you first need to
find out which part of your rule is not firing.  When troubleshooting
rules, and I really get hung up, I usually do something like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ALERT - POST - Execution of asp"; flow:to_server,established; uricontent:"/ab/dir1/"; nocase; uricontent:".asp"; nocase; content:"POST"; depth:4; nocase; classtype:web-application-activity; sid:1000004; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ALERT - POST - Execution of asp - no POST"; flow:to_server,established; uricontent:"/ab/dir1/"; nocase; uricontent:".asp"; nocase; classtype:web-application-activity; sid:1000005; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ALERT - POST - Execution of asp - no POST, no asp"; flow:to_server,established; uricontent:"/ab/dir1/"; nocase; classtype:web-application-activity; sid:1000006; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ALERT - POST - Execution of asp - no flow, no POST, no asp"; uricontent:"/ab/dir1/"; nocase; classtype:web-application-activity; sid:1000007; rev:2;)

alert tcp any any -> any any (msg:"ALERT - POST - Execution of asp - any any no POST, no asp"; flow:to_server,established; content:"/ab/dir1/"; nocase; classtype:web-application-activity; sid:1000008; rev:2;)

This set of rules should at least point towards what the issue is.
Run these, and look at what alerts.  That should tell you where the
problem is, and we can move on.  Also, know that there is an update to
2.8.3.1; although nothing in there should address this issue, it is
important to stay current.

Let me know how that works,

Matt

On Mon, Feb 9, 2009 at 10:39 PM, Matt Olney <molney at ...1935...> wrote:
> I'm not at work, but try changing the POST/depth combo to:
>
> content:"POST"; http_method; nocase;
>
> Matt
>
> On Mon, Feb 9, 2009 at 9:55 PM, Jimmy Tharel <jtharel at ...131...> wrote:
>> I recently upgraded from Snort 2.6 to 2.8.3.1 and the following rule has
>> quit working.
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ALERT - POST - Execution of asp"; flow:to_server,established; uricontent:"/ab/dir1/"; nocase; uricontent:".asp"; nocase; content:"POST"; depth:4; nocase; classtype:web-application-activity; sid:1000004; rev:2;)
>>
>> It worked just fine in 2.6 but for whatever reason does not work in 2.8.3.1.
>>
>> My http_inspect section of my snort.conf is the same in both versions:
>> preprocessor http_inspect: global \
>> iis_unicode_map unicode.map 1252
>> preprocessor http_inspect_server: server default \
>> profile all ports { 80 8080 8180 } oversize_dir_length 500
>>
>> Could it be the difference between the Stream4 and Stream5 preprocessor?
>> My Stream5 is configured with the defaults and the setup is:
>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>> track_udp no
>> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
>>
>> I've read over the Stream5 README but I don't see anything that would be
>> causing that rule not to work. I've played with the max_tcp and memcap
>> settings but to no avail. Can anybody help me?
>>
>> Thanks!
>>
>
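The rule-relaxation ladder Matt lays out above can be generated mechanically, which is handy when a rule has many content matches. The script below is an added illustration, not part of this thread and not Snort tooling: it tokenizes a Snort 2.x rule, groups each content/uricontent/pcre with the modifiers that follow it, and emits the same sequence of variants (drop the match units last-first down to one, then drop flow, then widen the header to any any and turn uricontent into content) with fresh SIDs so all variants can be loaded together. The rule and base SID are the ones from the thread; the set of modifier keywords and the assumption that a rule fits on one line with no escaped quotes in content are simplifications of mine, not a full Snort parser.

```python
"""Generate a ladder of progressively relaxed Snort rules to isolate
which option is keeping a rule from firing (added example)."""

# Keywords that modify the content/uricontent/pcre match before them
# (assumed list, covers the common Snort 2.8 modifiers).
MODIFIERS = {"nocase", "depth", "offset", "distance", "within",
             "http_method", "http_uri", "http_header", "http_cookie",
             "http_client_body", "rawbytes", "fast_pattern"}
MATCH_KEYS = ("content", "uricontent", "pcre")


def split_rule(rule):
    """Split a one-line rule into (header, [(keyword, value_or_None), ...]).
    Semicolons inside double quotes do not terminate an option."""
    header, _, body = rule.partition("(")
    body = body.rstrip().rstrip(")")
    raw, cur, in_quote, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            raw.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur.strip():
        raw.append(cur.strip())
    opts = []
    for item in raw:
        key, sep, val = item.partition(":")
        opts.append((key.strip(), val.strip() if sep else None))
    return header.strip(), opts


def group_matches(opts):
    """Attach each modifier to the match option it follows, so that a
    match and its depth/nocase/http_* travel as one unit."""
    units = []
    for key, val in opts:
        if key in MODIFIERS and units and units[-1][0][0] in MATCH_KEYS:
            units[-1].append((key, val))
        else:
            units.append([(key, val)])
    return units


def render(header, units, tags, sid):
    """Rebuild a rule; tags are appended to msg, sid is replaced."""
    parts = []
    for unit in units:
        for key, val in unit:
            if key == "msg":
                suffix = " - " + ", ".join(tags) if tags else ""
                val = '"%s%s"' % (val.strip('"'), suffix)
            elif key == "sid":
                val = str(sid)
            parts.append(key if val is None else "%s:%s" % (key, val))
    return "%s (%s;)" % (header, "; ".join(parts))


def relax_ladder(rule, base_sid):
    """Return the list of variants, most specific first."""
    header, opts = split_rule(rule)
    units = group_matches(opts)
    sid = base_sid
    ladder = [render(header, units, [], sid)]
    removed = []
    # 1. Drop match units one at a time, last first, leaving one.
    while True:
        idx = [i for i, u in enumerate(units) if u[0][0] in MATCH_KEYS]
        if len(idx) <= 1:
            break
        last = idx[-1]
        removed.append("no " + units[last][0][1].strip('"'))
        units = units[:last] + units[last + 1:]
        sid += 1
        ladder.append(render(header, units, removed, sid))
    # 2. Drop the flow option.
    if any(u[0][0] == "flow" for u in units):
        noflow = [u for u in units if u[0][0] != "flow"]
        sid += 1
        ladder.append(render(header, noflow, ["no flow"] + removed, sid))
    # 3. Widen the header to any any; uricontent becomes plain content
    #    because the HTTP buffers only exist on http_inspect ports.
    action, proto = header.split()[:2]
    wide = [[("content", v) if k == "uricontent" else (k, v) for k, v in u]
            for u in units]
    sid += 1
    ladder.append(render("%s %s any any -> any any" % (action, proto),
                         wide, ["any any"] + removed, sid))
    return ladder


# The rule from the thread, on one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ALERT - '
        'POST - Execution of asp"; flow:to_server,established; '
        'uricontent:"/ab/dir1/"; nocase; uricontent:".asp"; nocase; '
        'content: "POST"; depth: 4; nocase; '
        'classtype:web-application-activity; sid:1000004; rev:2;)')

if __name__ == "__main__":
    for line in relax_ladder(RULE, 1000004):
        print(line)
```

Load the output as a local rules file, replay the capture, and the highest-numbered SID that alerts marks the first option that breaks matching; the one just below it is where to look.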
