[Snort-users] Problem with http_inspect and Basic Authentication rule
jesler at ...1935...
Mon Jul 4 10:37:02 EDT 2011
Try 2.9.1 beta.
Sent from my iPad
Please excuse the brevity
On Jul 4, 2011, at 6:31 AM, andreas <andi at ...15330...> wrote:
> Hi *,
> I use snort on a mirror port. I found an issue with the http_inspect
> preprocessor and one rule for authentication.
> I start snort 126.96.36.199 using "--treat-drop-as-alert -u snort -g snort -A
> fast -N -I -i eth2 -P 0 -l /var/log/snort -c /etc/snort/snort.conf".
> I also tried several options with the "preprocessor http_inspect:". The
> rule I want to see in the log file is:
> "ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"
> with sid:2006380, which is in "emerging-policy.rules".
> I use two lynx calls to test this issue (188.8.131.52 is just an example IP):
> 1. lynx --auth=foo:bar http://184.108.40.206/trac/login
> 2. lynx http://220.127.116.11/trac/browser and then navigate to login and try
> to authenticate
> When http_inspect is activated, the alert only occurs with the first
> call. If I put "disabled" to the preprocessor http_inspect the alert
> occurs on both calls. So the rule is fine and the packages are also
> fine, so I can point it down to the http_inspect. One idea is, that with
> http_inspect activated only the first HTTP Requests are handled and the
> HTTP alert for the authentication is ignored.
> I tried to play with all the http_inspect options but no change except
> for the disabled option.
> So any idea what I can do/try to get snort working with http_inspect and
> still reporting the alert for the authentication when the login page
> isn't called directly?
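As an added example (not code from the thread, from Snort or from the Emerging Threats rule), the detector below walks every HTTP request in a client-side TCP stream and flags cleartext Basic credentials, including on a later request of a keep-alive connection, which is the case the reporter describes. The stream, host name and credentials are constructed sample data, and the splitter assumes header-only requests such as GET.

```python
import base64
import re

# Constructed sample: one TCP stream carrying two keep-alive HTTP requests.
# Only the second request carries a Basic Authorization header, mirroring the
# reporter's second lynx call (browse first, then log in on the same connection).
SAMPLE_STREAM = (
    b"GET /trac/browser HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Lynx\r\n"
    b"\r\n"
    b"GET /trac/login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Authorization: Basic Zm9vOmJhcg==\r\n"
    b"User-Agent: Lynx\r\n"
    b"\r\n"
)

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
BASIC_AUTH = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)


def split_requests(stream: bytes) -> list[bytes]:
    """Split a client-side stream into individual request header blocks.
    Bodies are ignored (assumes header-only requests), which is enough for
    the Basic-auth check: every request is inspected, not just the first."""
    return [chunk for chunk in stream.split(b"\r\n\r\n")
            if REQUEST_LINE.match(chunk + b"\r\n")]


def find_basic_auth(stream: bytes) -> list[dict]:
    """Return one finding per request that carries cleartext Basic credentials.
    The user name is kept for triage; the password is reported only by length."""
    findings = []
    for idx, req in enumerate(split_requests(stream), start=1):
        m = BASIC_AUTH.search(req)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        user, sep, password = decoded.partition(b":")
        if not sep:
            continue  # valid base64 but not "user:password"; not a credential
        request_line = req.split(b"\r\n", 1)[0].decode("ascii", "replace")
        findings.append({"request_no": idx, "request_line": request_line,
                         "user": user.decode("utf-8", "replace"),
                         "password_len": len(password)})
    return findings
```

Running `find_basic_auth(SAMPLE_STREAM)` reports a single finding on request 2, the login request, which is exactly the alert the reporter expects on the second lynx call.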