[Snort-users] Different sig detection in Snort 2.9.1.2 and 2.9.3 and above.

Kiryukhin Andrey andrei_1980 at ...1975...
Mon Dec 24 10:09:32 EST 2012


Hi,

I have a problem with a signature in different Snort versions. I tested with Snort 2.9.1.2, 2.9.3.1 and 2.9.4, with default configs and my sig, which I placed in local.rules.

My sig is:

alert tcp any any -> any any (msg:"NEW ALERT ALERT"; content:"| 31 c9 b1 56 bf 41 7f 3a a6 db c6 d9 74 24 f4 5d 83 c5 04 31 7d 0b 03 7d 4a 9d cf 5a a4 e8 30 a3 34 8b b9 46 05 99 de 03 37 2d 94 46 bb c6 f8 72 48 aa d4 75 f9 01 03 bb fa a7 8b 17 38 a9 77 6a 6c 09 49 a5 61 48 8e d8 89 18 47 96 3b 8d ec ea 87 ac 22 61 b7 d6 47 b6 43 6d 49 e7 fb fa 01 1f 70 a4 b1 1e 55 b6 8e 69 d2 0d 64 68 32 5c 85 5a 7a 33 b8 52 77 4d fc 55 67 38 f6 a5 1a 3b cd d4 c0 ce d0 7f 83 69 31 81 40 ef b2 8d 2d 7b 9c 91 b0 a8 96 ae 39 4f 79 27 79 74 5d 63 da 15 c4 c9 8d 2a 16 b5 72 8f 5c 54 67 a9 3e 31 44 84 c0 c1 c2 9f b3 f3 4d 34 5c b8 06 92 9b bf 3d 62 33 3e bd 93 1d 85 e9 c3 35 2c 91 8f c5 d1 44 1f 96 7d 36 e0 46 3e e6 88 8c b1 d9 a9 ae 1b 6c ee 60 7f 3d 99 80 7f d0 05 0c 99 b8 a5 58 31 54 04 bf 8a c3 77 95 a6 5c e0 a1 a0 5a 0f 32 e7 c9 bc 9a 60 99 ae 1e 90 9e fa 36 db a7 6d cc b5 6a 0f d1 9f 1c ac 40 44 dc bb 78 d3 8b ec 4f 2a 59 01 e9 84 7f d8 6f ee 3b 07 4c f1 c2 ca e8 d5 d4 12 f0 51 80 ca a7 0f 7e ad 11 fe 28 67 cd a8 bc fe 3d 6b ba fe 6b 1d 22 4e c2 58 5d 7f 82 6c 26 9d 32 92 fd 25 42 d9 5f 0f cb 84 0a 0d 96 36 e1 52 af b4 03 2b 54 a4 66 2e 10 62 9b 42 09 07 9b f1 2a 02  |"; sid:100180;)


I have a file that contains 100 clones of one session with this shellcode (file shellcode1_MTU500_100sig_500bdata.pcap (140 KB): https://docs.google.com/open?id=0BxywWtOpM6xmMFBzU0R6NTB6ckE).


I run Snort as:
snort  -A console -N -q -c /etc/snort/etc/snort.conf -r shellcode1_MTU500_100sig_500bdata.pcap

then count the alerts in the output.

And I get:

Snort 2.9.1.2 - 100 alerts
Snort 2.9.3.1 - 59 alerts
Snort 2.9.4   - 59 alerts

PS.
In the same test with MTU 1500, 5 MB of data in one session and the shellcode in it, I get:
Snort 2.9.1.2 - 100
Snort 2.9.3.1 - 75
Snort 2.9.4   - 75
(this file is too big and I did not attach it)

PS. PS. I also tried replaying this dump on the network, but got the same results.

Please tell me why this happens.
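Editor's added example, not part of the original post and not Snort's own code. The rule's content is several hundred bytes long and the capture was built with MTU 500, so one thing worth checking before comparing versions is where the pattern falls relative to TCP segment boundaries in each session: a matcher that sees one packet at a time and one that sees the reassembled stream can only disagree on patterns that straddle a boundary or sit after a hole. The script below decodes the rule's content argument, cuts a constructed session into segments of a given MSS (assumed 460 payload bytes for MTU 500, i.e. 20-byte IP and TCP headers and no options), reports whether the pattern crosses a segment boundary or is broken by a missing segment, and counts events per sid in -A console output. The session bytes, the ISN of 1000 and the console lines are constructed for the example; it does not read the pcap.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# content: argument of the rule from the post (sid:100180), copied verbatim.
RULE_CONTENT = (
    "| 31 c9 b1 56 bf 41 7f 3a a6 db c6 d9 74 24 f4 5d 83 c5 04 31 7d 0b 03 7d 4a 9d cf 5a a4 e8 "
    "30 a3 34 8b b9 46 05 99 de 03 37 2d 94 46 bb c6 f8 72 48 aa d4 75 f9 01 03 bb fa a7 8b 17 "
    "38 a9 77 6a 6c 09 49 a5 61 48 8e d8 89 18 47 96 3b 8d ec ea 87 ac 22 61 b7 d6 47 b6 43 6d "
    "49 e7 fb fa 01 1f 70 a4 b1 1e 55 b6 8e 69 d2 0d 64 68 32 5c 85 5a 7a 33 b8 52 77 4d fc 55 "
    "67 38 f6 a5 1a 3b cd d4 c0 ce d0 7f 83 69 31 81 40 ef b2 8d 2d 7b 9c 91 b0 a8 96 ae 39 4f "
    "79 27 79 74 5d 63 da 15 c4 c9 8d 2a 16 b5 72 8f 5c 54 67 a9 3e 31 44 84 c0 c1 c2 9f b3 f3 "
    "4d 34 5c b8 06 92 9b bf 3d 62 33 3e bd 93 1d 85 e9 c3 35 2c 91 8f c5 d1 44 1f 96 7d 36 e0 "
    "46 3e e6 88 8c b1 d9 a9 ae 1b 6c ee 60 7f 3d 99 80 7f d0 05 0c 99 b8 a5 58 31 54 04 bf 8a "
    "c3 77 95 a6 5c e0 a1 a0 5a 0f 32 e7 c9 bc 9a 60 99 ae 1e 90 9e fa 36 db a7 6d cc b5 6a 0f "
    "d1 9f 1c ac 40 44 dc bb 78 d3 8b ec 4f 2a 59 01 e9 84 7f d8 6f ee 3b 07 4c f1 c2 ca e8 d5 "
    "d4 12 f0 51 80 ca a7 0f 7e ad 11 fe 28 67 cd a8 bc fe 3d 6b ba fe 6b 1d 22 4e c2 58 5d 7f "
    "82 6c 26 9d 32 92 fd 25 42 d9 5f 0f cb 84 0a 0d 96 36 e1 52 af b4 03 2b 54 a4 66 2e 10 62 "
    "9b 42 09 07 9b f1 2a 02 |"
)

# Constructed -A console output (not from the post), with the "[gid:sid:rev]" triple
# that Snort prints for each event.
SAMPLE_CONSOLE = """\
12/24-10:09:32.000001  [**] [1:100180:0] NEW ALERT ALERT [**] [Priority: 0] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80
12/24-10:09:32.000002  [**] [1:1000001:0] other local rule [**] [Priority: 0] {TCP} 10.0.0.1:40001 -> 10.0.0.2:80
12/24-10:09:32.000003  [**] [1:100180:0] NEW ALERT ALERT [**] [Priority: 0] {TCP} 10.0.0.1:40002 -> 10.0.0.2:80
"""

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)


def parse_snort_content(content: str) -> bytes:
    """Decode a Snort content: argument: |...| spans are hex (whitespace ignored),
    the rest is literal text, and a backslash escapes the next character."""
    out, i = bytearray(), 0
    while i < len(content):
        c = content[i]
        if c == "|":
            j = content.index("|", i + 1)  # ValueError on an unbalanced pipe
            out.extend(bytes.fromhex("".join(content[i + 1:j].split())))
            i = j + 1
        elif c == "\\" and i + 1 < len(content):
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def segment_stream(data: bytes, mss: int, isn: int = 1000) -> List[Segment]:
    """Cut one direction of a session into segments of at most mss payload bytes."""
    return [(isn + off, data[off:off + mss]) for off in range(0, len(data), mss)]


def reassemble(segments: List[Segment]):
    """Rebuild the stream from segments in any order. Returns (data, spans, gaps):
    spans[i] is the (start, end) of the i-th in-sequence segment inside data, gaps
    lists (expected_seq, actual_seq) holes; retransmitted bytes are dropped."""
    data, spans, gaps = bytearray(), [], []
    ordered = sorted(segments, key=lambda s: s[0])
    expected = ordered[0][0] if ordered else 0
    for seq, payload in ordered:
        if seq > expected:
            gaps.append((expected, seq))
            expected = seq
        elif seq < expected:
            payload = payload[expected - seq:]  # overlap with data already seen
        spans.append((len(data), len(data) + len(payload)))
        data.extend(payload)
        expected += len(payload)
    return bytes(data), spans, gaps


def locate_pattern(segments: List[Segment], pattern: bytes) -> Optional[dict]:
    """Find pattern in the reassembled stream and report which segments carry it;
    None if absent (also when a missing segment cut it in two)."""
    data, spans, gaps = reassemble(segments)
    off = data.find(pattern)
    if off < 0:
        return None
    end = off + len(pattern)
    first = next(i for i, (s, e) in enumerate(spans) if s <= off < e)
    last = next(i for i, (s, e) in enumerate(spans) if s < end <= e)
    return {"offset": off, "first_segment": first, "last_segment": last,
            "crosses_boundary": first != last, "gaps": gaps}


ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\]")


def count_alerts_by_sid(console_output: str) -> Dict[int, int]:
    """Count -A console events per sid, the figure the post compares across versions."""
    return dict(Counter(int(m.group(2)) for m in ALERT_RE.finditer(console_output)))


if __name__ == "__main__":
    shellcode = parse_snort_content(RULE_CONTENT)
    # Constructed 500-byte session: 100 bytes of filler, the shellcode, 32 bytes of filler.
    session = b"A" * 100 + shellcode + b"B" * 32
    for mtu in (500, 1500):  # assumed payload per segment: MTU minus 40 header bytes
        print(mtu, locate_pattern(segment_stream(session, mtu - 40), shellcode))
    print(count_alerts_by_sid(SAMPLE_CONSOLE))
```

To use this against the real capture, feed `locate_pattern` the (seq, payload) pairs of one session's client-to-server segments as extracted from the pcap; a result with `crosses_boundary` true, or a non-empty `gaps` list, marks a session whose match depends on how the engine under test reassembles the stream rather than on the rule itself.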