[Snort-users] rules are not matched across the packet

rmkml rmkml at ...1855...
Tue Jun 7 14:56:07 EDT 2011


Hi Mahendra,
Please try with the latest Snort, v2.9.0.5?
With your rules and your pcap: snortv2905 fires for all rules.
Regards
Rmkml


On Thu, 2 Jun 2011, mahendra kumawat wrote:

> Hi,
> 
> I came across an issue today where Snort doesn't appear to match content
> across packets, and since the feature is very basic to the IDS, I wanted to
> raise a red flag and seek your help.
> 
> The issue is as follows:
> 
> 1.  Vulnerability
> http://www.securityfocus.com/bid/47826
> 
> 2. Exploit
> http://downloads.securityfocus.com/vulnerabilities/exploits/47826.txt
> 
> 
> There are two exploits; let's take only the first in this case. It's a form-based
> cross-site scripting attempt using HTTP POST. I wrote a signature for this:
> 
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Argyle Social
> Cross Site Scripting attempt"; flow:established, to_server;
> content:"stream_filter_rule"; http_client_body; reference:bugtraq,47826;
> classtype:web-application-attack; sid:50000027; rev:1;)
> 
> I attached a pcap for testing, "47826f.pcap". Please look at packets no. 4 and 5,
> across which the exploit content is split. When I ran Snort on this
> pcap, no alert was generated.
> 
> 
> But when I removed the "http_client_body" keyword from the rule, I got an alert. So I
> think that when I use "http_client_body" there is some problem with cross-packet
> matching.
> 
> I also tried after changing to content:"script";, but when I
> used the "http_client_body" keyword after content, I did not get any alert. When
> I removed "http_client_body", I got an alert. It shows the same
> problem.
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"NIKSUN-WEB-CLIENT Cross Site Scripting attempt"; flow:established,
> to_server; content:"script"; http_client_body;
> reference:bugtraq,47826; classtype:web-application-attack; sid:50000027;
> rev:1;)
> 
> 
> I have the configuration below in snort.conf for http_inspect.
> 
> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
> 
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
> 
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0 \
>     post_depth 65495
> 
> Snort version:
> 
> 
>  -*> Snort! <*-
>   o"  )~   Version 2.8.6.1 (Build 39)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>            Using PCRE version: 7.4 2007-09-21
> 
> 
> So please advise me what is wrong with my Snort. Why is this happening?
> How can I resolve this problem?
> 
> Please communicate with me at the same id (mahendrau.27 at ...11827...)
> 
> Thanks
> Mahendra
> 
> 
>
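The thread is about a content token that is split across two TCP segments of an HTTP POST. The following is an added example, not code from the post, from rmkml, or from Snort itself: it constructs a small POST in which the field name "stream_filter_rule" straddles a segment boundary, and shows that a per-segment search misses the token while a search over the reassembled, Content-Length-delimited client body finds it. The request bytes, the split point, the sequence numbers and the simplified reassembly are all assumptions made for the illustration; nothing here explains why the poster's Snort 2.8.6.1 build behaves as it does.

```python
# Added example (not from the thread or from Snort): a constructed HTTP POST
# split across two TCP segments, searched per segment and after reassembly.
import re
from dataclasses import dataclass


@dataclass
class Segment:
    """One TCP segment: relative sequence number plus payload bytes."""
    seq: int
    payload: bytes


# Constructed request; "stream_filter_rule" is the content the rule in the
# thread looks for. The body is exactly 43 bytes long.
REQUEST = (
    b"POST /stream HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"stream_filter_rule=example&submit=Save+rule"
)


def split_request(request: bytes, body_bytes_in_first: int, isn: int = 1000) -> list:
    """Split the request into two segments: the first carries the headers plus
    `body_bytes_in_first` bytes of body, the second carries the rest."""
    header_end = request.index(b"\r\n\r\n") + 4
    cut = header_end + body_bytes_in_first
    first, second = request[:cut], request[cut:]
    return [Segment(isn, first), Segment(isn + len(first), second)]


def per_packet_match(segments, pattern: bytes) -> bool:
    """Search each segment's payload on its own, with no reassembly."""
    return any(pattern in seg.payload for seg in segments)


def reassemble(segments) -> bytes:
    """Order segments by sequence number and concatenate them, dropping bytes
    that a later segment retransmits (simplified overlap handling)."""
    stream = b""
    next_seq = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if next_seq is None:
            next_seq = seg.seq
        if seg.seq > next_seq:
            raise ValueError(f"gap in stream at seq {next_seq}")
        overlap = next_seq - seg.seq
        stream += seg.payload[overlap:]
        next_seq = seg.seq + len(seg.payload)
    return stream


def client_body(stream: bytes) -> bytes:
    """Return the POST body delimited by Content-Length, or b"" when the
    stream is not a complete POST request."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return b""
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    if m is None:
        return b""
    length = int(m.group(1))
    return rest[:length] if len(rest) >= length else b""


def client_body_match(segments, pattern: bytes) -> bool:
    """Search only the reassembled request body, which is what a
    body-restricted content match is meant to inspect."""
    return pattern in client_body(reassemble(segments))


# Cut ten bytes into the body: "stream_fil" ends segment 1 and "ter_rule=..."
# starts segment 2, so neither segment alone contains the whole token.
SEGMENTS = split_request(REQUEST, 10)
# Deliver the segments out of order to exercise the reassembly step.
OUT_OF_ORDER = list(reversed(SEGMENTS))

if __name__ == "__main__":
    token = b"stream_filter_rule"
    print("per-packet match:    ", per_packet_match(OUT_OF_ORDER, token))   # False
    print("client-body match:   ", client_body_match(OUT_OF_ORDER, token))  # True
    print("header token in body:", client_body_match(OUT_OF_ORDER, b"POST"))  # False
```

Running the script prints the three checks: the split token is not found in either segment alone, it is found once the stream is reassembled and the body is isolated, and a token that only occurs in the headers ("POST") is not found when the search is restricted to the body. The same three checks are the ones worth running against a real sensor with a pcap such as the poster's, so that a missed alert can be attributed to reassembly, to the buffer the rule inspects, or to the rule itself.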