[Snort-users] Content rule matches on PCAP but does not match when snort listens

George Yunaev gyunaev at ...14734...
Wed Jan 13 18:21:52 EST 2010


Hi all,

More follow-up: as suggested by Rmkml, I ran simultaneously tcpdump and snort 
-v during file download, and uploaded the dumps.

Dump for testfile2.bad: http://pastebin.ca/1750272
Dump for testfile2.ok: http://pastebin.ca/1750276

As you can see, for some reason Snort ignores the HTTP response for bad file, 
but dumps it on ok file. Snort sees the packet, but its content is not dumped. 
Tcpdump, however, dumps both packets. What may be the reason for that?

> Hi Matt,
> 
> Thank you for suggestion. I just tried it, but unfortunately adding -k none
> and removing flow_depth 0 (but keeping server_flow_depth 0) did not change
>  the described behavior in any way. As before, wget
> kchmviewer.net/snort/testfile.ok detects the file when it goes through the
> gateway, and wget kchmviewer.net/snort/testfile.bad does not.
> 
> > Shot in the dark:  Try running your snort live with -k none.  This shuts
> >  off the checking for checksum errors and clears up a lot of magic.  Also
> >  remove flow_depth from your config, it is the same as server_flow_depth.
> >  flow_depth is being deprecated.
> >
> > Give these a shot and let us know how it goes.
> >
> > Matt
> >
> > On Wed, Jan 13, 2010 at 4:14 AM, George Yunaev <gyunaev at ...14734...> wrote:
> > > Hi all,
> > >
> > > I'm exploring Snort content filtering capabilities for HTML exploit
> > > detection.
> > > I know it is not a full-blown solution (and I found and read this post:
> > > http://seclists.org/snort/2006/q1/18), but so far I cannot even
> > > understand why
> > > my simple example does not work.
> > >
> > > I am using Snort version 2.8.5.2 (Build 121) which I compiled myself
> > > from sources on openSuse 11.2. Non-inline mode.
> > >
> > > I have created the following Snort configuration which includes a rule:
> > >
> > > dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
> > > preprocessor frag3_global: max_frags 65536
> > > preprocessor frag3_engine: policy first detect_anomalies overlap_limit 10
> > > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> > >                              track_udp no
> > > preprocessor stream5_tcp: policy linux, ports both all, \
> > >                      max_queued_bytes 0, max_queued_segs 0
> > >
> > > preprocessor http_inspect: global iis_unicode_map ./unicode.map 1252
> > > preprocessor http_inspect_server: server default profile all \
> > >      ports { 80 8080 8180 } oversize_dir_length 500 server_flow_depth 0 \
> > >      client_flow_depth 0 flow_depth 0
> > >
> > > alert tcp any any -> any any (msg: "exploit"; flow:established; content: "CreateStore"; sid: 1000000; )
> > >
> > > To test this rule, I started Snort using the following command line:
> > >
> > > snort -A console -d -i eth1 -c snort.conf -l logs/
> > >
> > > It starts fine, and when I try to download the test file "testfile.ok"
> > > via HTTP from Apache using wget, Snort correctly detects the text
> > > string, and generates an alert.
> > >
> > > Now the problems:
> > >
> > > 1. If I copy the file into "testfile.bad", add a few lines to it (keeping
> > > the original content intact), and try to download this file the same way as
> > > above, Snort does not detect the text string.
> > >
> > > 2. If I shut down Snort, record the file packets via
> > > "tcpdump -ni eth1 -s0 -w test.pcap", download testfile.bad, shut down
> > > tcpdump and then replay the recorded packets via
> > > "snort -A console -d -c snort.conf -l logs/ -r /tmp/filename.pcap",
> > > it detects the string just fine!
> > >
> > > This behavior looks like magic to me, however since Snort matches the
> > > same content with recorded PCAP, I believe the problem lies in PCAP
> > > configuration,
> > > and not in content or Snort detection. Could someone please point me
> > > out to some options in the documentation I might miss?
> > >
> > > I uploaded both text files as well as the PCAP capture to
> > > http://kchmviewer.net/snort/ - please let me know if any further
> > > information is needed.
> > >
> > > --
> > > With best regards, George.
> > > http://www.kchmviewer.net - the first CHM files viewer for Qt/KDE.
> > >
> > >
> 
-- 
With best regards, George.
http://www.kchmviewer.net - the first CHM files viewer for Qt/KDE.
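The thread above turns on two knobs: how deep into the server response http_inspect looks (server_flow_depth / flow_depth) and whether Snort discards packets with bad checksums unless started with -k none. The script below is an added example, not code from this thread or from the Snort project. It (1) measures where a content string sits inside a constructed HTTP response and checks whether a given depth limit would still reach it, using a deliberately simplified reading of server_flow_depth (0 = whole response, -1 = nothing, N > 0 = first N bytes counted from the start of the response, which is this example's assumption rather than a statement of Snort's exact semantics), and (2) computes and verifies an IPv4 header checksum on a constructed header, the kind of check that -k none switches off. The responses, the filler padding and the IP addresses are all constructed for the example.

```python
import struct

# ---------------------------------------------------------------------------
# Part 1: where does the content match sit, and would a depth limit reach it?
# ---------------------------------------------------------------------------

def split_http_response(raw: bytes):
    """Split a raw HTTP/1.x response at the first blank line (CRLFCRLF)."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no CRLFCRLF header terminator in response")
    return raw[: sep + 4], raw[sep + 4 :]


def match_offset(raw: bytes, pattern: bytes) -> int:
    """Offset of pattern from the first byte of the response, or -1 if absent."""
    return raw.find(pattern)


def covered_by_flow_depth(raw: bytes, pattern: bytes, depth: int) -> bool:
    """Would the whole pattern fall inside the inspected region?

    Assumed (simplified) semantics for this example:
      0  -> inspect the entire response
      -1 -> inspect nothing
      N  -> inspect only the first N bytes from the start of the response
    """
    off = match_offset(raw, pattern)
    if off < 0 or depth == -1:
        return False
    if depth == 0:
        return True
    return off + len(pattern) <= depth


# Constructed sample responses: the "ok" one carries the string near the top,
# the "bad" one has filler lines prepended, pushing the same string far down.
HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)
BODY = b"<html><body>CreateStore</body></html>"
PADDING = b"<!-- filler line -->\r\n" * 40      # 40 x 22 bytes = 880 bytes
RESPONSE_OK = HEADERS + BODY
RESPONSE_BAD = HEADERS + PADDING + BODY
PATTERN = b"CreateStore"


def depth_report(depth: int):
    """Return {name: (offset, covered)} for both constructed responses."""
    return {
        "ok": (match_offset(RESPONSE_OK, PATTERN),
               covered_by_flow_depth(RESPONSE_OK, PATTERN, depth)),
        "bad": (match_offset(RESPONSE_BAD, PATTERN),
                covered_by_flow_depth(RESPONSE_BAD, PATTERN, depth)),
    }


# ---------------------------------------------------------------------------
# Part 2: the IPv4 header checksum that "-k none" tells Snort not to verify.
# ---------------------------------------------------------------------------

def ones_complement_sum(data: bytes) -> int:
    """16-bit ones-complement sum with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum over the header with its checksum field (bytes 10-11) zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def ipv4_checksum_ok(header: bytes) -> bool:
    """A header verifies when the sum over all its words (checksum included) is 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def build_ipv4_header(src: bytes, dst: bytes, total_length: int, proto: int = 6) -> bytes:
    """Constructed minimal 20-byte IPv4 header (no options), TTL 64, DF set."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000,
                      64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]


if __name__ == "__main__":
    for depth in (0, 300):
        print("depth", depth, depth_report(depth))
    hdr = build_ipv4_header(bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]), 1500)
    print("checksum ok:", ipv4_checksum_ok(hdr))
```

With depth 0 both responses are covered; with a limit of 300 bytes only the "ok" response is, because the padded one places the string past the limit. Swapping the constructed responses for the real testfile.ok / testfile.bad bodies gives the offset that matters for the flow_depth question, and running the checksum check over headers pulled from the two dumps gives a quick way to see whether -k none is the relevant knob.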



