[Snort-users] rules are not matched across the packet

Bhagya Bantwal bbantwal at ...1935...
Tue Jun 7 14:46:06 EDT 2011


What is your stream5 config?

Have you turned on reassembly on HTTP ports? Do you have the HTTP ports in
stream5 ports?

This should be fixed by adding ports 80 and 8080 to the ports client config of
stream5.

-B

On Sat, Jun 4, 2011 at 5:19 AM, mahendra kumawat <mahendra.u27 at ...11827...> wrote:

>
> Hi ,
>
> I came across an issue today where snort doesn't appear to match content
> across packets and since the feature is very basic to the IDS, I wanted to
> raise a red flag and seek your help.
>
> The issue is as follows:
>
> 1.  Vulnerability
> http://www.securityfocus.com/bid/47826
>
> 2. Exploit
> http://downloads.securityfocus.com/vulnerabilities/exploits/47826.txt
>
>
> There are two exploits; let's take only the first in this case. It's a form-based
> cross-site scripting attempt using HTTP POST. I wrote a signature for this:
>
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Argyle Social
> Cross Site Scripting attempt"; flow:established,to_server;
> content:"stream_filter_rule"; http_client_body; reference:bugtraq,47826;
> classtype:web-application-attack; sid:50000027; rev:1;)
>
> I attached a pcap for testing, "47826f.pcap". Please look at packets no. 4
> and 5, across which the exploit content is split. When I was running Snort on
> this pcap, no alert was generated.
>
>
> But when I removed the "http_client_body" keyword from the rule, I got an
> alert. So I think that when I use "http_client_body" there is some problem
> with across-packet matching.
>
> I also tried after changing to content:"script";, but when I used the
> "http_client_body" keyword after the content, I did not get any alert. When
> I removed "http_client_body", I got an alert. It shows the same problem.
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"NIKSUN-WEB-CLIENT Cross Site Scripting attempt"; flow:established,to_server;
> content:"script"; http_client_body; reference:bugtraq,47826;
> classtype:web-application-attack; sid:50000027; rev:1;)
>
>
> I have the configuration below in snort.conf for http_inspect.
>
> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0 \
>     post_depth 65495
>
> Snort version:
>
>
>  -*> Snort! <*-
>   o"  )~   Version 2.8.6.1 (Build 39)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>            Using PCRE version: 7.4 2007-09-21
>
>
> So please advise me what is wrong with my Snort. Why is this happening?
> How can I resolve this problem?
>
> Please communicate with me on the same id (mahendrau.27 at ...11827... ).
>
>
>
> Thanks
> Mahendra
>
>
>
>
>
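The failure mode discussed in this thread, as an added example that is not part of the original messages: a content match qualified with http_client_body can only fire on the client-side stream once stream5 has reassembled it, because the second segment of a split POST carries no HTTP header and so yields no client-body buffer on its own. The request, the endpoint and the form values below are constructed test data; the `client_body` and `reassemble` functions are simplified models of http_inspect and stream5, not Snort code.

```python
from dataclasses import dataclass

# Pattern from the rule in the thread; the endpoint and body values below
# are constructed test data, not taken from the real exploit.
PATTERN = b"stream_filter_rule"

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

BODY = b"stream_filter_rule=test&submit=1"
REQUEST = (b"POST /rules.php HTTP/1.1\r\n"
           b"Host: www.example.test\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n"
           + BODY)

# Split the request 6 bytes into the body ("stream" | "_filter_rule=..."),
# so the pattern straddles the segment boundary, as in packets 4 and 5.
_CUT = REQUEST.index(BODY) + 6
SEGMENTS = [Segment(1000 + _CUT, REQUEST[_CUT:]),   # delivered out of order
            Segment(1000, REQUEST[:_CUT])]

def client_body(request: bytes) -> bytes:
    """Model of http_client_body: the bytes after the header terminator.
    A segment with no HTTP header yields no body buffer at all."""
    head, sep, body = request.partition(b"\r\n\r\n")
    return body if sep else b""

def match_per_packet(segments) -> bool:
    """Inspect each segment on its own (no stream5 client-side reassembly)."""
    return any(PATTERN in client_body(s.payload) for s in segments)

def reassemble(segments) -> bytes:
    """Order segments by sequence number and join them; refuse on a gap."""
    out = b""
    expected = None
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is not None and s.seq != expected:
            raise ValueError(f"gap or overlap at seq {s.seq}, expected {expected}")
        out += s.payload
        expected = s.seq + len(s.payload)
    return out

def match_reassembled(segments) -> bool:
    """Inspect the reassembled client stream, as stream5 + http_inspect do
    once the server port is listed under stream5_tcp 'ports client'."""
    return PATTERN in client_body(reassemble(segments))
```

`match_per_packet(SEGMENTS)` is False and `match_reassembled(SEGMENTS)` is True, which is the same difference the original poster saw between the rule with and without reassembly of the client side.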

