[Snort-users] rules are not matched across the packet

mahendra kumawat mahendra.u27 at ...11827...
Thu Jun 2 08:08:54 EDT 2011


Hi,

I came across an issue today where Snort doesn't appear to match content
across packets, and since the feature is very basic to an IDS, I wanted to
raise a red flag and seek your help.

The issue is as follows:

1. Vulnerability
   http://www.securityfocus.com/bid/47826

2. Exploit
   http://downloads.securityfocus.com/vulnerabilities/exploits/47826.txt


There are two exploits; let's take only the first in this case. It's a form-based
cross-site scripting attempt using HTTP POST. I wrote a signature for this:


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"Argyle Social Cross Site Scripting attempt"; flow:established,to_server; \
    content:"stream_filter_rule"; http_client_body; reference:bugtraq,47826; \
    classtype:web-application-attack; sid:50000027; rev:1;)

I attached a pcap for testing, "47826f.pcap". Please look at packets no. 4 and 5,
across which the exploit content is split. When I ran Snort on this pcap, no
alert was generated.


But when I removed the "http_client_body" keyword from the rule, I got an alert.
So I think that when I use "http_client_body" there is some problem with
across-packet matching.

I also tried changing the rule to content:"script";, but when I used the
"http_client_body" keyword after content, I did not get any alert. When I
removed "http_client_body", I got an alert. It shows the same problem.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"NIKSUN-WEB-CLIENT Cross Site Scripting attempt"; flow:established,to_server; \
    content:"script"; http_client_body; reference:bugtraq,47826; \
    classtype:web-application-attack; sid:50000027; rev:1;)


I have the configuration below in snort.conf for http_inspect.

# http_inspect: normalize and detect HTTP traffic and protocol anomalies

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0 \
    post_depth 65495

Snort version:


 -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21


So please advise me: what is wrong with my Snort? Why is this happening?
How can I resolve this problem?

Please communicate with me on the same ID (mahendrau.27 at ...11827...).



Thanks
Mahendra
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 47826f.pcap
Type: application/octet-stream
Size: 1041939 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110602/e81b4202/attachment.obj>
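To illustrate what the question is really about, here is an added example (not from the post, and not Snort code): a small Python model that reassembles an HTTP POST body split across two TCP segments, then compares a naive per-segment content check against a check on the reassembled client body. The request, the form field values and the split point are constructed to resemble the reported situation; post_depth is modelled simply as a byte cap on the inspected body, which is a simplification of the preprocessor option.

```python
from typing import List, Optional

# Constructed sample: one POST whose body is cut inside the token
# "stream_filter_rule", like the content split across packets 4 and 5.
SEGMENTS: List[bytes] = [
    b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 66\r\n\r\n"
    b"field=1&stream_fil",
    b"ter_rule=%3Cscript%3Ealert(1)%3C%2Fscript%3E&x=1",
]


def match_per_segment(segments: List[bytes], pattern: bytes) -> List[bool]:
    """Naive check: the pattern must lie entirely inside a single segment.
    A token straddling the segment boundary is never found this way."""
    return [pattern in seg for seg in segments]


def reassemble_client_body(segments: List[bytes],
                           post_depth: int = 65495) -> Optional[bytes]:
    """Join the TCP stream, separate headers from body, honour
    Content-Length, and keep only the first post_depth body bytes
    (post_depth modelled here as a plain byte cap, an assumption)."""
    stream = b"".join(segments)
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers incomplete: no client body to inspect yet
    length: Optional[int] = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    body = rest if length is None else rest[:length]
    return body[:post_depth]


def match_client_body(segments: List[bytes], pattern: bytes,
                      post_depth: int = 65495) -> bool:
    """Content match on the reassembled client body, the behaviour a
    body-scoped rule is expected to have across packets."""
    body = reassemble_client_body(segments, post_depth)
    return body is not None and pattern in body
```

Running match_client_body with a small post_depth shows the other way a body match can silently fail: once the cap cuts the body before the token, no match is possible even with correct reassembly.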