[Snort-users] [Emerging-Sigs] http preprocessor issue (help!)

Joel Esler jesler at ...1935...
Sun Feb 10 11:03:50 EST 2013


BTW -- I know the pcap reads "fixed_http_traffic_test.pcap".  I have a
system that corrects checksums when I put a pcap in my test directory.
Here is the same test run with your pcap:

##### http_traffic_test.pcap #####
[1:1000010:1] NIRT_GET_TEST (alerts: 41)
[129:18:1] Data sent on stream after TCP Reset received (alerts: 1) (dropped)
[120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE (alerts: 1) (dropped)


On Sun, Feb 10, 2013 at 11:01 AM, Joel Esler <jesler at ...1935...> wrote:

> CC'ing Snort-users list, as that list is more appropriate for engine
> issues.  Do you have any thresholds in place?
>
> I ran it against my Snort install with the stock VRT snort.conf and I got:
>
> ##### fixed_http_traffic_test.pcap #####
> [1:1000010:1] NIRT_GET_TEST (alerts: 41)
> [129:18:1] Data sent on stream after TCP Reset received (alerts: 1) (dropped)
> [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE (alerts: 1) (dropped)
>
> http://www.snort.org/vrt/snort-conf-configurations/
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
>
>
> On Fri, Feb 8, 2013 at 1:49 PM, Dmitri <shadow000 at ...11827...> wrote:
>
>> Anybody had any weird issues with http preprocessor in snort or
>> sourcefire?
>>
>> Been breaking my head on this for the past couple of weeks. At this point
>> I am just testing these two:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_POST_TEST"; content:"POST"; http_method; nocase; classtype:web-application-attack; rev:1; sid:1000009;)
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_GET_TEST"; content:"GET"; http_method; nocase; classtype:web-application-attack; rev:1; sid:1000010;)
>>
>> here's what I am getting:
>> root at ...15343...:/etc/snort# snort -c ./snort.conf -A console -q -r /root/http_traffic_test.pcap
>> 02/06-23:28:13.697928  [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49750 -> 213.186.33.2:80
>> root at ...15343...:/etc/snort#
>>
>> As we can see, it fires just once; however, there are tons of GET requests in
>> the pcap. (pcap and snort.conf are attached.)
>>
>> Any ideas or suggestions?
>>
>>
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.4 GRE (Build 40)
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>>            Using libpcap version 1.0.0
>>            Using PCRE version: 8.32 2012-11-30
>>            Using ZLIB version: 1.2.3.3
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at ...15591...
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>
>


-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
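As an added example (not code from this thread, from the poster, or from Snort itself), the script below does the two checks the exchange turns on. It parses `snort -A console` fast-alert lines into the same per-SID `[gid:sid:rev] msg (alerts: N)` summary Joel pasted, which is the quickest way to see whether a rule fired per request or only once, and it models a snort.conf `event_filter` (type limit, threshold or both; track by_src or by_dst) so you can watch a `type limit, count 1, seconds 60` filter collapse a burst of GET alerts to a single one, which is exactly the behaviour the "do you have any thresholds in place?" question is probing. The alert lines are constructed for the example (they are not the poster's capture), the SIDs and addresses reuse the ones in the thread, and the filter is a model of the semantics described in the Snort manual, not Snort's own implementation.

```python
"""Summarise Snort fast-alert output per SID and model a snort.conf event_filter."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample of `snort -A console` (fast alert) output, not the poster's
# capture: six GET alerts from two clients over ~70 s, plus the two preprocessor
# events from the thread. Preprocessor lines carry no [Classification: ...] field.
SAMPLE_ALERTS = """\
02/06-23:28:13.697928  [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49750 -> 213.186.33.2:80
02/06-23:28:13.812004  [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49751 -> 213.186.33.2:80
02/06-23:28:14.003311  [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49752 -> 213.186.33.2:80
02/06-23:28:14.120550  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 213.186.33.2:80 -> 192.168.107.132:49752
02/06-23:28:15.250000  [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.133:51000 -> 213.186.33.2:80
02/06-23:28:40.000000  [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49755 -> 213.186.33.2:80
02/06-23:29:20.500000  [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49760 -> 213.186.33.2:80
02/06-23:29:21.000000  [**] [129:18:1] Data sent on stream after TCP Reset received [**] [Priority: 3] {TCP} 192.168.107.132:49760 -> 213.186.33.2:80
"""

# One fast-alert line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, src:port -> dst:port.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

_T0 = datetime(1900, 1, 1)  # fast-alert timestamps have no year; only differences matter


def parse_alerts(text):
    """Parse fast-alert lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line)
        if not m:
            continue
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "pri", "sport", "dport"):
            a[k] = int(a[k])
        a["t"] = (datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f") - _T0).total_seconds()
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Count alerts per (gid, sid, rev, msg), most frequent first."""
    counts = Counter((a["gid"], a["sid"], a["rev"], a["msg"]) for a in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def render_summary(alerts, pcap_name):
    """Render the summary in the '[gid:sid:rev] msg (alerts: N)' shape used in the thread."""
    lines = [f"##### {pcap_name} #####"]
    for (gid, sid, rev, msg), n in summarize(alerts):
        lines.append(f"[{gid}:{sid}:{rev}] {msg} (alerts: {n})")
    return "\n".join(lines)


def count_sid(alerts, gid, sid):
    """Number of alerts for one gid:sid."""
    return sum(1 for a in alerts if (a["gid"], a["sid"]) == (gid, sid))


def apply_event_filter(alerts, gid, sid, ftype, track, count, seconds):
    """Model of `event_filter gen_id G, sig_id S, type T, track X, count C, seconds N`.

    limit:     pass the first `count` events per tracked address per window.
    threshold: pass every `count`-th event per tracked address per window.
    both:      pass one event per window, once `count` events have been seen.
    A window starts at the first event for an address and is reset after `seconds`.
    Alerts for other gid:sid pairs pass through untouched. This is a model of the
    documented semantics, not Snort's own bookkeeping.
    """
    key_field = "src" if track == "by_src" else "dst"
    state = {}  # tracked address -> [window_start, events_seen_in_window]
    kept = []
    for a in alerts:
        if (a["gid"], a["sid"]) != (gid, sid):
            kept.append(a)
            continue
        st = state.setdefault(a[key_field], [a["t"], 0])
        if a["t"] - st[0] >= seconds:
            st[0], st[1] = a["t"], 0
        st[1] += 1
        n = st[1]
        fire = (ftype == "limit" and n <= count) or \
               (ftype == "threshold" and n % count == 0) or \
               (ftype == "both" and n == count)
        if fire:
            kept.append(a)
    return kept


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(render_summary(alerts, "sample.pcap"))
    limited = apply_event_filter(alerts, 1, 1000010, "limit", "by_src", 1, 60)
    print(render_summary(limited, "sample.pcap with limit/by_src/1/60s"))
```

Against a real run, capture the console output with `snort -c snort.conf -A console -q -r file.pcap > alerts.txt` and feed the file to `parse_alerts`; if the summary shows one alert where the pcap holds dozens of requests, grep snort.conf and the included rule files for `event_filter`, `threshold` and `suppress` entries that name the SID before suspecting the preprocessor. One further caveat: Snort verifies IP/TCP checksums by default and discards packets that fail, so a capture taken on the sending host with checksum offload enabled can lose the very packets the rule should match; rerunning with `-k none` rules that out.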