[Snort-users] [Emerging-Sigs] http preprocessor issue (help!)

Joel Esler jesler at ...1935...
Sun Feb 10 11:08:30 EST 2013


Apologies for yet ANOTHER response to myself.  I ran two tests.  One test
ignores checksums, the other test doesn't.

When I ran my "ignore checksum" test against your pcap, I got 41 alerts;
when I ran your pcap through my test that doesn't ignore checksums, I got
one alert.

When I fixed the checksums in the pcap, I get all 41 alerts (so basically,
you need to run your test with "-k none" in your Snort command line, or you
need to fix the checksums in your pcap).  Also note in the results below
that I remove all "flowbits:noalert;" from all rules to see which rules are
setting flowbits, etc.

First set of alerts is your pcap, the second set is your pcap with
checksums corrected (you can see far more alerts across the board than just
your rule in fact)

Alerts (http_traffic_test.pcap)
1:20478:8   FILE-IDENTIFY PNG file magic detected
  Alerts: 8
1:20483:11  FILE-IDENTIFY JPEG file magic detected
  Alerts: 3
1:17394:10  FILE-IDENTIFY GIF file download request
  Alerts: 9
1:17380:9   FILE-IDENTIFY PNG file download request
  Alerts: 14
1:20452:11  FILE-IDENTIFY GZip file magic detected
  Alerts: 1
1:1000010:1 NIRT_GET_TEST
  Alerts: 1
1:16406:10  FILE-IDENTIFY JPEG file download request
  Alerts: 3

Alerts (fixed_http_traffic_test.pcap)
1:1000010:1 NIRT_GET_TEST
  Alerts: 41
1:20483:11  FILE-IDENTIFY JPEG file magic detected
  Alerts: 3
1:17394:10  FILE-IDENTIFY GIF file download request
  Alerts: 9
1:16406:10  FILE-IDENTIFY JPEG file download request
  Alerts: 3
1:20452:11  FILE-IDENTIFY GZip file magic detected
  Alerts: 1
1:20459:8   FILE-IDENTIFY GIF file magic detected
  Alerts: 9
1:20478:8   FILE-IDENTIFY PNG file magic detected
  Alerts: 14
1:17380:9   FILE-IDENTIFY PNG file download request
  Alerts: 14


Sorry for so many emails.


On Sun, Feb 10, 2013 at 11:03 AM, Joel Esler <jesler at ...1935...> wrote:

> BTW -- I know the pcap reads "fixed_http_traffic_test.pcap".  I have a
> system that corrects checksums when I put a pcap in my test directory.
> Here is the same test run with your pcap:
>
> ##### http_traffic_test.pcap #####
> [1:1000010:1] NIRT_GET_TEST (alerts: 41)
> [129:18:1] Data sent on stream after TCP Reset received (alerts: 1) (dropped)
> [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE (alerts: 1) (dropped)
>
>
> On Sun, Feb 10, 2013 at 11:01 AM, Joel Esler <jesler at ...1935...>wrote:
>
>> CC'ing Snort-users list, as that list is more appropriate for engine
>> issues.  Do you have any thresholds in place?
>>
>> I ran it against my Snort install with the stock VRT snort.conf and I got:
>>
>> ##### fixed_http_traffic_test.pcap #####
>> [1:1000010:1] NIRT_GET_TEST (alerts: 41)
>> [129:18:1] Data sent on stream after TCP Reset received (alerts: 1) (dropped)
>> [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE (alerts: 1) (dropped)
>>
>> http://www.snort.org/vrt/snort-conf-configurations/
>>
>> --
>> *Joel Esler*
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>>
>>
>>
>> On Fri, Feb 8, 2013 at 1:49 PM, Dmitri <shadow000 at ...11827...> wrote:
>>
>>> Anybody had any weird issues with http preprocessor in snort or
>>> sourcefire?
>>>
>>> Been breaking my head on this for the past couple of weeks. At this
>>> point I am just testing these two:
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_POST_TEST"; content:"POST"; http_method; nocase; classtype:web-application-attack; rev:1; sid:1000009;)
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_GET_TEST"; content:"GET"; http_method; nocase; classtype:web-application-attack; rev:1; sid:1000010;)
>>>
>>> here's what I am getting:
>>> root at ...15343...:/etc/snort# snort -c ./snort.conf -A console -q -r /root/http_traffic_test.pcap
>>> 02/06-23:28:13.697928  [**] [1:1000010:1] NIRT_GET_TEST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.107.132:49750 -> 213.186.33.2:80
>>> root at ...15343...:/etc/snort#
>>>
>>> As we can see, it fires just once; however, there are tons of GET requests in
>>> the pcap (pcap and snort.conf are attached).
>>>
>>> Any ideas or suggestions?
>>>
>>>
>>>
>>>    ,,_     -*> Snort! <*-
>>>   o"  )~   Version 2.9.4 GRE (Build 40)
>>>    ''''    By Martin Roesch & The Snort Team:
>>> http://www.snort.org/snort/snort-team
>>>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>>>            Using libpcap version 1.0.0
>>>            Using PCRE version: 8.32 2012-11-30
>>>            Using ZLIB version: 1.2.3.3
>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at ...15591...
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>
>>
>
>


-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
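Added example, not code from this thread, from Snort or from Sourcefire: a small Python script that performs the check behind Joel's "fix the checksums in your pcap" step. It audits every TCP segment in a pcap against the checksum Snort's default verification expects (the packets that fail are the ones dropped before http_inspect ever sees them, which is how a GET rule ends up firing once instead of dozens of times) and can rewrite the bad ones. It assumes a classic pcap with the Ethernet link type carrying IPv4/TCP only, and it builds its own two-record sample pcap inline: one valid GET and one with a deliberately corrupted TCP checksum. The addresses in the sample echo Dmitri's console output, but the packets themselves are constructed.

```python
import struct

# Assumptions: classic pcap, Ethernet link type, IPv4 over TCP (no VLAN, no IPv6).
PCAP_MAGIC_BE = 0xA1B2C3D4
PCAP_MAGIC_LE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data; an odd-length input is padded with one zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def expected_tcp_checksum(ip_header: bytes, tcp_segment: bytes) -> int:
    """TCP checksum: IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = ip_header[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp_segment))
    zeroed = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:]
    return ones_complement_sum(pseudo + zeroed)


def iter_records(pcap: bytes):
    """Yield (offset_of_frame_data, frame_bytes) for each record, honouring the file's byte order."""
    magic = struct.unpack("!I", pcap[:4])[0]
    if magic == PCAP_MAGIC_BE:
        endian = "!"
    elif magic == PCAP_MAGIC_LE:
        endian = "<"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example handles the Ethernet link type only")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        yield off + 16, pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def locate_tcp(frame: bytes):
    """Return (ip_start, ip_hlen, tcp_start, tcp_end) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip_start = 14
    ihl = (frame[ip_start] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip_start + 2:ip_start + 4])[0]
    tcp_start, tcp_end = ip_start + ihl, ip_start + total_len
    if frame[ip_start + 9] != IPPROTO_TCP or tcp_end > len(frame) or tcp_end - tcp_start < 20:
        return None
    return ip_start, ihl, tcp_start, tcp_end


def audit_tcp_checksums(pcap: bytes):
    """List (record_number, stored, expected) for every TCP segment whose checksum is wrong.
    These are the packets Snort's default checksum verification discards before http_inspect."""
    bad = []
    for n, (_, frame) in enumerate(iter_records(pcap), 1):
        loc = locate_tcp(frame)
        if loc is None:
            continue
        ip_start, ihl, tcp_start, tcp_end = loc
        segment = frame[tcp_start:tcp_end]
        stored = struct.unpack("!H", segment[16:18])[0]
        expected = expected_tcp_checksum(frame[ip_start:ip_start + ihl], segment)
        if stored != expected:
            bad.append((n, stored, expected))
    return bad


def fix_tcp_checksums(pcap: bytes) -> bytes:
    """Return a copy of the pcap with every TCP checksum rewritten to its correct value."""
    out = bytearray(pcap)
    for data_off, frame in iter_records(pcap):
        loc = locate_tcp(frame)
        if loc is None:
            continue
        ip_start, ihl, tcp_start, tcp_end = loc
        expected = expected_tcp_checksum(frame[ip_start:ip_start + ihl], frame[tcp_start:tcp_end])
        struct.pack_into("!H", out, data_off + tcp_start + 16, expected)
    return bytes(out)


# Constructed sample input (not the thread's pcap): one good GET, one with a flipped checksum bit.
def build_get_frame(corrupt: bool = False) -> bytes:
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 168, 107, 132]), bytes([213, 186, 33, 2]))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]  # IP header checksum
    tcp = struct.pack("!HHIIBBHHH", 49750, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    csum = expected_tcp_checksum(ip, tcp) ^ (0x0001 if corrupt else 0)
    return eth + ip + tcp[:16] + struct.pack("!H", csum) + tcp[18:]


def build_pcap(frames) -> bytes:
    out = struct.pack("!IHHiIII", PCAP_MAGIC_BE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("!IIII", 1360000000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([build_get_frame(), build_get_frame(corrupt=True)])

if __name__ == "__main__":
    for n, stored, expected in audit_tcp_checksums(SAMPLE_PCAP):
        print("record %d: stored 0x%04x, expected 0x%04x" % (n, stored, expected))
    print("bad after fix:", audit_tcp_checksums(fix_tcp_checksums(SAMPLE_PCAP)))
```

Run against a real capture (replace `SAMPLE_PCAP` with the file's bytes), a non-empty audit list is the signal that the capture was taken with checksum offload or was otherwise mangled, and that Snort needs `-k none` (or the rewritten file) before the rule count means anything.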