[Snort-users] Content rule matches on PCAP but does not match when snort listens

George Yunaev gyunaev at ...14734...
Wed Jan 13 15:17:54 EST 2010


Hi Matt,

Thank you for the suggestion. I just tried it, but unfortunately adding -k none 
and removing flow_depth 0 (but keeping server_flow_depth 0) did not change the 
described behavior in any way. As before, wget 
kchmviewer.net/snort/testfile.ok detects the file when it goes through the 
gateway, and wget kchmviewer.net/snort/testfile.bad does not.

> Shot in the dark:  Try running your snort live with -k none.  This shuts
>  off the checking for checksum errors and clears up a lot of magic.  Also
>  remove flow_depth from your config, it is the same as server_flow_depth.
>  flow_depth is being deprecated.
> 
> Give these a shot and let us know how it goes.
> 
> Matt
> 
> On Wed, Jan 13, 2010 at 4:14 AM, George Yunaev <gyunaev at ...14734...> wrote:
> > Hi all,
> >
> > I'm exploring Snort content filtering capabilities for HTML exploit
> > detection.
> > I know it is not a full-blown solution (and I found and read this post:
> > http://seclists.org/snort/2006/q1/18), but so far I cannot even
> > understand why
> > my simple example does not work.
> >
> > I am using Snort version 2.8.5.2 (Build 121) which I compiled myself from
> > sources on openSuse 11.2. Non-inline mode.
> >
> > I have created the following Snort configuration which includes a rule:
> >
> > dynamicpreprocessor directory
> > /usr/local/snort/lib/snort_dynamicpreprocessor/
> > preprocessor frag3_global: max_frags 65536
> > preprocessor frag3_engine: policy first detect_anomalies overlap_limit 10
> > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> >                              track_udp no
> > preprocessor stream5_tcp: policy linux, ports both all, \
> >                      max_queued_bytes 0, max_queued_segs 0
> >
> > preprocessor http_inspect: global iis_unicode_map ./unicode.map 1252
> > preprocessor http_inspect_server: server default profile all \
> >      ports { 80 8080 8180 } oversize_dir_length 500 server_flow_depth 0 \
> >     client_flow_depth 0 flow_depth 0
> >
> > alert tcp any any -> any any (msg: "exploit"; flow:established; content:
> > "CreateStore"; sid: 1000000; )
> >
> > To test this rule, I started Snort using the following command line:
> >
> > snort -A console -d -i eth1 -c snort.conf -l logs/
> >
> > It starts fine, and when I try to download the test file "testfile.ok"
> > via HTTP from Apache using wget, Snort correctly detects the text string,
> > and generates an alert.
> >
> > Now the problems:
> >
> > 1. If I copy the file into "testfile.bad", add a few lines to it (keeping the
> > original content intact), and try to download this file the same way as
> > above, Snort does not detect the text string.
> >
> > 2. If I shut down Snort, record the file packets via "tcpdump -ni eth1 -s0 -w
> > test.pcap", download testfile.bad, shut down tcpdump and then replay the
> > recorded packets via "snort -A console -d -c snort.conf -l logs/ -r
> > /tmp/filename.pcap", it detects the string just fine!
> >
> > This behavior looks like magic to me; however, since Snort matches the
> > same content with the recorded PCAP, I believe the problem lies in the PCAP
> > configuration, and not in the content or Snort detection. Could someone
> > please point me to some options in the documentation I might have missed?
> >
> > I uploaded both text files as well as the PCAP capture to
> > http://kchmviewer.net/snort/ - please let me know if any further
> > information is needed.
> >
> > --
> > With best regards, George.
> > http://www.kchmviewer.net - the first CHM files viewer for Qt/KDE.
> >
> >
> 
-- 
With best regards, George.
http://www.kchmviewer.net - the first CHM files viewer for Qt/KDE.
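Matt's -k none suggestion rests on Snort's default behaviour of discarding packets whose checksums fail verification, so a capture taken on a host where TCP checksum offloading is active can verify differently from what the live sensor sees. The script below is an added example, not part of this thread: it parses a libpcap file and reports, per IPv4/TCP frame, whether the TCP checksum verifies, so the same check can be run on a capture like the one described above before changing the Snort configuration. The pcap it scans is constructed inline (one good frame, one with a corrupted checksum); it checks only the TCP checksum, not the IPv4 header checksum.

```python
import struct

def rfc1071_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and TCP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(ip_packet: bytes) -> int:
    """Checksum over TCP pseudo-header plus segment; 0 means the segment verifies."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    segment = ip_packet[ihl:total_len]
    pseudo = ip_packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return rfc1071_checksum(pseudo + segment)

def pcap_tcp_checksums(pcap: bytes):
    """Yield (frame_no, checksum_ok) for each IPv4/TCP frame of an Ethernet pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, frame_no = 24, 0  # skip the 24-byte libpcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off, frame_no = off + 16 + incl_len, frame_no + 1
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4, or IPv4 but not TCP
        yield frame_no, tcp_checksum(frame[14:]) == 0

def build_frame(payload: bytes, good_checksum: bool) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (10.0.0.1:40000 -> 10.0.0.2:80)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    csum = tcp_checksum(ip + tcp)          # correct value for a zeroed field
    if not good_checksum:
        csum ^= 0x0001                     # flip one bit: fails verification
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames) -> bytes:
    """Constructed little-endian libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: frame 1 verifies, frame 2 carries a bad TCP checksum.
SAMPLE_PCAP = build_pcap([build_frame(b"CreateStore", True), build_frame(b"CreateStore", False)])
```

Run `list(pcap_tcp_checksums(open("test.pcap", "rb").read()))` on a real capture; frames reported False are the ones Snort would silently drop without -k none.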