Hi all,

I'm exploring Snort content filtering capabilities for HTML exploit detection. 
I know it is not a full-blown solution (and I found and read this post: 
http://seclists.org/snort/2006/q1/18), but so far I cannot even understand why 
my simple example does not work.

I am using Snort version (Build 121) which I compiled myself from 
sources on openSuse 11.2. Non-inline mode.

I have created the following Snort configuration which includes a rule:

dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies overlap_limit 10
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                              track_udp no
preprocessor stream5_tcp: policy linux, ports both all, \
                      max_queued_bytes 0, max_queued_segs 0

preprocessor http_inspect: global iis_unicode_map ./unicode.map 1252
preprocessor http_inspect_server: server default profile all \
      ports { 80 8080 8180 } oversize_dir_length 500 server_flow_depth 0 \
     client_flow_depth 0 flow_depth 0

alert tcp any any -> any any (msg: "exploit"; flow:established; content: "CreateStore"; sid: 1000000; )

To test this rule, I started Snort using the following command line:

snort -A console -d -i eth1 -c snort.conf -l logs/

It starts fine, and when I try to download the test file "testfile.ok" via 
HTTP from Apache using wget, Snort correctly detects the text string, and 
generates an alert.

Now the problems:

1. If I copy the file into "testfile.bad", add a few lines to it (keeping the 
original content intact), and try to download this file the same way as above, 
Snort does not detect the text string.

2. If I shut down Snort, record the file packets via "tcpdump -ni eth1 -s0 -w 
test.pcap", download testfile.bad, shut down tcpdump and then replay the 
recorded packets via snort -A console -d -c snort.conf -l logs/ -r 
/tmp/filename.pcap, it detects the string just fine!

This behavior looks like magic to me; however, since Snort matches the same 
content with the recorded PCAP, I believe the problem lies in the PCAP configuration 
and not in the content or Snort detection. Could someone please point me to 
some options in the documentation I might be missing?

I uploaded both text files as well as PCAP capture to 
http://kchmviewer.net/snort/ - please let me know if any further information is 

With best regards, George.
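The symptom described above (the string is caught in the short file, and in the replayed capture, but not in the longer file during live capture) is the kind of case where one wants to know whether the pattern crosses a TCP segment boundary or sits beyond a depth limit, which only stream reassembly would catch. The following Python script is an added example, not code from the post or from Snort: it reassembles one direction of a connection from constructed segments and reports where a content match lands; the names `Segment`, `reassemble` and `locate` are invented here.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # relative sequence number of the first payload byte
    payload: bytes

def reassemble(segments):
    """Concatenate payloads in sequence order; stop at the first gap."""
    stream, expected = b"", None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq != expected:   # hole in the stream: a reassembler would wait
            break
        stream += seg.payload
        expected += len(seg.payload)
    return stream

def locate(segments, pattern, depth=0):
    """Find `pattern` in the reassembled stream.

    depth=0 means no limit (like flow_depth 0 in the post's http_inspect
    config); otherwise only the first `depth` bytes are searched.
    Returns (found, offset, straddles) where straddles is True when the
    match crosses a segment boundary, i.e. no single packet contains it.
    """
    stream = reassemble(segments)
    window = stream if depth == 0 else stream[:depth]
    off = window.find(pattern)
    if off < 0:
        return (False, None, None)
    bounds, end = [], 0
    for seg in sorted(segments, key=lambda s: s.seq):
        end += len(seg.payload)
        bounds.append(end)
    straddles = any(off < b < off + len(pattern) for b in bounds)
    return (True, off, straddles)

# Constructed sample (not a real capture): an HTTP response whose body grew
# so that "CreateStore" now sits across a 1460-byte segment boundary.
HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
BODY = b"<html>" + b"x" * 1400 + b"<script>CreateStore();</script></html>"
RESPONSE = HEADER + BODY
# listed out of order on purpose to exercise the reassembly step
SAMPLE = [Segment(1460, RESPONSE[1460:]), Segment(0, RESPONSE[:1460])]

if __name__ == "__main__":
    print(locate(SAMPLE, b"CreateStore"))          # (True, 1458, True)
    print(locate(SAMPLE, b"CreateStore", 1000))    # (False, None, None)
    print(locate(SAMPLE[:1], b"CreateStore"))      # (False, None, None): second segment alone
```

A match that reports `straddles=True` can only be seen by a detector that reassembles the stream, so comparing the live and replayed runs with this output tells you whether the difference is in the traffic or in the reassembly settings.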
