[Snort-users] Rule works in replay file mode, but not when sniffing

Russ Combs rcombs at ...1935...
Fri Jul 12 11:12:05 EDT 2013


I think you have something else going on.  Can you send a full session
capture?

The capture you have is alerting in readback at shutdown.  To confirm, add
--dirty-pig to your command line and you won't get the alert.

The reason is Content-Length: 9156548 but you only have 4101 bytes in the
capture.  Snort is trying to reassemble more data which never shows up.
You can get the alert to fire even with --dirty-pig if you change paf_max
to something like 3072.

If you want it to fire in replay you need at least paf_max worth of the
response body.
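The flush behaviour described above, as an added example that is not part of this thread or of Snort itself: a small Python model that reads a captured HTTP response, compares the declared Content-Length with the body bytes actually present, and reports whether the data would be flushed for inspection while sniffing or only at shutdown. The sample response, the 16384 default for paf_max and the simplified flush rule (body complete per Content-Length, or reassembled bytes reaching paf_max) are assumptions made for the example.

```python
import re

# Constructed sample, not the list's testdata5.pcap: the headers promise a
# 9156548-byte body (the figure from the thread) but the capture stops early.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"report.bin\"\r\n"
    b"Content-Length: 9156548\r\n"
    b"\r\n"
) + b"A" * 3900

DEFAULT_PAF_MAX = 16384  # assumed default paf_max for stream5


def analyze_response(data: bytes, paf_max: int = DEFAULT_PAF_MAX) -> dict:
    """Model of when a captured HTTP response is flushed for inspection.

    Assumption (simplified from the thread, not Snort's own logic): the
    server->client data is flushed when the body is complete per
    Content-Length, or when the reassembled stream reaches paf_max bytes.
    Data that reaches neither point is only flushed at shutdown, which
    -r readback does and --dirty-pig skips.
    """
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block in capture")
    m = re.search(rb"(?im)^Content-Length:[ \t]*(\d+)\s*$", head)
    declared = int(m.group(1)) if m else None
    body_complete = declared is not None and len(body) >= declared
    hit_paf_max = len(data) >= paf_max
    flushed_live = body_complete or hit_paf_max
    return {
        "content_length": declared,
        "captured_body": len(body),
        "missing_body": None if declared is None else max(declared - len(body), 0),
        "flushed_live": flushed_live,                  # alerts when sniffing and in readback
        "flushed_at_shutdown_only": not flushed_live,  # readback only, unless --dirty-pig
    }


if __name__ == "__main__":
    for pm in (DEFAULT_PAF_MAX, 3072):
        print(f"paf_max={pm}: {analyze_response(SAMPLE_RESPONSE, paf_max=pm)}")
```

With the default paf_max the sample reports `flushed_at_shutdown_only`, which matches the readback-only alert; lowering paf_max to 3072 turns `flushed_live` on, as the reply above says.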

On Fri, Jul 12, 2013 at 10:10 AM, Joel Esler <jesler at ...1935...> wrote:

> What happens when you do a:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test file
> download"; content:"filename="; fast_pattern:only; http_header;)
>
>
> On Jul 12, 2013, at 9:05 AM, Pavel Rantorski <fhjull01 at ...15979...> wrote:
>
> Hello,
> I'm testing a rule that should (eventually) detect download/upload of
> specific file types from public HTTP servers. I could not get the rule to
> trigger, so I simplified it to:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test file
> download"; content:"Content-Disposition|3a|"; nocase; http_header;
> pcre:"/filename=/simH"; classtype:policy-violation; sid:1000004; rev:7;)
>
> (the rule is nowhere near complete, it is simplified to be less prone to
> mistakes)
>
> Unfortunately, the rule still does not work. I captured the traffic (on
> the same machine/interface that Snort was running) and verified that such
> a packet is indeed there. When I let Snort analyze the traffic from this pcap
> file ('snort -A console -c /etc/snort/snort.conf -r /tmp/testdata5.pcap -l
> . -u snort'), the rule is fired on console correctly.
>
> The rule is (in standard, sniffing mode) sometimes triggered as well
> (although never from this particular server I am testing).
>
> What could be the cause of this? Snort is running in IDS mode (not inline)
> and is not dropping packets. LRO and GRO are disabled on network adapter. I
> have tried running Snort with '-k none' without any results.
>
> I have attached a small pcap sample of the traffic I'm trying to catch -
> this is enough to trigger the rule in replay mode, but didn't trigger when
> sniffing.
>
> Thank you,
> Pavel
> <testdata5.pcap>
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>