[Snort-users] preprocessor http_inspect_server destroying traffic

Subject: [Snort-users] preprocessor http_inspect_server destroying traffic
Date: Fri, 01 Jul 2005 09:44:34 -0700
I am having some trouble with the http_inspect preprocessor using the default settings from snort.conf. It is my opinion that this preprocessor is possibly destroying valid traffic.
I am using Snort v2.3.3


(I have removed the comments and default variables for readability)
:::snort.conf:::
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8081 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
preprocessor xlink2state: ports { 25 691 }
include classification.config
include reference.config
config flowbits_size: 256


alert tcp any any -> any any (msg:"traffic"; content:"highlight";)
:::end snort.conf:::

I set up a server with netcat using:
server# nc -l -p 8080

Then I connect to the server
client$ nc server 8080

Snort is able to see the 3-way handshake occur.
At this point I use the server to send the message "highlight" from the server to the client.


Running snort with the -vde option I see the traffic go by as:
68 69 67 68 6C 69 67 68 74 0A highlight.

Using the simple rule listed in my snort.conf
alert tcp any any -> any any (msg:"traffic"; content:"highlight";)

I expect to get an alert based on this traffic. No packets were dropped, all packets were processed, no alert is generated.

Commenting out the preprocessor http_inspect_server causes the alert to be correctly generated.

Additionally, sending the "highlight" message from the client to the server generates the alert correctly, the only problem is that sending it from the server to the client doesn't.

I tested this same methodology with the string "cat" instead of "highlight" and the problem does not occur.

alert tcp any any -> any any (msg:"cat alerts"; content:"cat";)
