[Snort-users] [Emerging-Sigs] http preprocessor issue (help!)

Joel Esler jesler at ...1935...
Sun Feb 10 11:01:42 EST 2013


CC'ing Snort-users list, as that list is more appropriate for engine
issues.  Do you have any thresholds in place?

I ran it against my Snort install with the stock VRT snort.conf and I got:

##### fixed_http_traffic_test.pcap #####
[1:1000010:1] NIRT_GET_TEST (alerts: 41)
[129:18:1] Data sent on stream after TCP Reset received (alerts: 1) (dropped)
[120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE (alerts: 1) (dropped)

http://www.snort.org/vrt/snort-conf-configurations/

--
*Joel Esler*
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire




On Fri, Feb 8, 2013 at 1:49 PM, Dmitri <shadow000 at ...11827...> wrote:

> Anybody had any weird issues with http preprocessor in snort or sourcefire?
>
> Been breaking my head on this for the past couple of weeks. At this point
> I am just testing these two:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_POST_TEST"; content:"POST"; http_method; nocase; classtype:web-application-attack; rev:1; sid:1000009; )
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_GET_TEST"; content:"GET"; http_method; nocase; classtype:web-application-attack; rev:1; sid:1000010; )
>
> Here's what I am getting:
> root at ...15343...:/etc/snort# snort -c ./snort.conf -A console -q -r /root/http_traffic_test.pcap
> 02/06-23:28:13.697928  [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49750 -> 213.186.33.2:80
> root at ...15343...:/etc/snort#
>
> As we can see, it fires just once; however, there are tons of GET requests in the pcap. (pcap and snort.conf are attached)
>
> Any ideas or suggestions?
>
>
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4 GRE (Build 40)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.0.0
>            Using PCRE version: 8.32 2012-11-30
>            Using ZLIB version: 1.2.3.3
>
>



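The per-signature tally Joel posts above (alert counts per gid:sid:rev for one pcap) is the first thing to produce when a rule seems to fire too seldom, because the preprocessor alerts next to it (stream5, gid 129; http_inspect, gid 120) often explain why later requests on a connection were never inspected at all. As an added example that is not part of this thread or of Snort itself, the following Python script parses Snort `-A console` alert lines in the layout shown in Dmitri's output, counts alerts per signature and per flow, and lists the preprocessor alerts separately. The sample alert lines are constructed here, and the regex assumes the console (fast) alert format shown above.

```python
import re
from collections import Counter

# One Snort "-A console" alert line, e.g.
# 02/06-23:28:13.697928  [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: ...]
#   [Priority: 1] {TCP} 192.168.107.132:49750 -> 213.186.33.2:80
# Classification and Priority are optional because not every generator sets them.
ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'(?:\s+\[Priority:\s*(?P<prio>\d+)\])?'
    r'\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)

# Generator IDs of the preprocessors whose alerts usually explain missing rule
# hits: 120 = http_inspect, 129 = stream5 (as in Snort's gen-msg.map).
PREPROC_GIDS = {120: "http_inspect", 129: "stream5"}

# Constructed sample output (not a real capture): three rule hits plus the two
# preprocessor alerts from the thread, and one shell prompt line to be skipped.
SAMPLE_ALERTS = [
    "root at sensor:/etc/snort# snort -c ./snort.conf -A console -q -r test.pcap",
    "02/06-23:28:13.697928  [**] [1:1000010:1] NIRT_GET_TEST [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "192.168.107.132:49750 -> 213.186.33.2:80",
    "02/06-23:28:13.801100  [**] [1:1000010:1] NIRT_GET_TEST [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "192.168.107.132:49751 -> 213.186.33.2:80",
    "02/06-23:28:14.120000  [**] [129:18:1] Data sent on stream after TCP Reset "
    "received [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "192.168.107.132:49751 -> 213.186.33.2:80",
    "02/06-23:28:14.330000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR "
    "TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} "
    "213.186.33.2:80 -> 192.168.107.132:49751",
    "02/06-23:28:15.000000  [**] [1:1000010:1] NIRT_GET_TEST [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "192.168.107.132:49752 -> 213.186.33.2:80",
]


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev"):
        d[k] = int(d[k])
    return d


def summarize(lines):
    """Tally alerts per signature and per src->dst flow; collect preprocessor alerts."""
    per_sig = Counter()
    per_flow = Counter()
    preproc = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        per_sig[(a["gid"], a["sid"], a["rev"], a["msg"])] += 1
        per_flow[(a["src"], a["dst"])] += 1
        if a["gid"] in PREPROC_GIDS:
            preproc.append((PREPROC_GIDS[a["gid"]], a["msg"]))
    return {"per_sig": per_sig, "per_flow": per_flow, "preproc": preproc}


def render(summary, pcap_name):
    """Print the tally in the same '[gid:sid:rev] msg (alerts: n)' style as above."""
    out = [f"##### {pcap_name} #####"]
    for (gid, sid, rev, msg), n in sorted(summary["per_sig"].items()):
        out.append(f"[{gid}:{sid}:{rev}] {msg} (alerts: {n})")
    if summary["preproc"]:
        out.append("preprocessor alerts worth reading before tuning rules:")
        out.extend(f"  {name}: {msg}" for name, msg in summary["preproc"])
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_ALERTS), "http_traffic_test.pcap"))
```

Feed it the console output of a `snort -A console -q -r file.pcap` run; a low rule count next to stream5 or http_inspect alerts on the same flow points at reassembly or HTTP parsing stopping early rather than at the rule itself, which is the distinction Joel's per-pcap summary above makes visible.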