Snort mailing list archives

Re: Snort Now Available
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 8 Nov 2010 11:54:37 -0500

Can you send us a pcap?

On Mon, Nov 8, 2010 at 11:45 AM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt () gmail com> wrote:

I am still experiencing HTTP stream reassembly issues when trying to
match across multiple fragmented packets with snort

Specifically, this happens on a HTTP POST where the headers are in a
different packet than the POST data. Consider the following rule you
can use along with scapy to reproduce if you want:

alert tcp any any -> $HOME_NET $HTTP_PORTS ( \
    msg:"Incoming German POST to Batman"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    uricontent:"/batcave/"; uricontent:"unicorns4sourcefire"; \
    content:"|0d 0a|Accept-Language: de"; nocase; http_header; \
    content:!"|0d 0a 0d 0a|not4batman=true&"; \
    content:!"\; batsecret=sesstoken4robin"; http_cookie; \
    classtype:trojan-activity; sid:8008135; rev:17; \
)

It alerts (b/c all the URI and HTTP header stuffs match in the initial
packet) but it shouldn't alert b/c the HTTP POST data starts with
'not4batman=true&' (but the POST data is in a subsequent packet than
the one containing the headers).

Anyone else still having issues or have done more in-depth testing
with and the HTTP pre-processor?

-L0rd C.
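A capture that reproduces the split-header/body POST described above (the kind of pcap Russ asks for), as an added example that is not part of the thread: a pure-Python pcap writer stands in for scapy, and the addresses, ports, sequence numbers and request contents are constructed. The request carries no Cookie header, so only the body negation in the rule should prevent the alert.

```python
import struct

SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 header / TCP pseudo-header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with valid checksums (so Snort inspects it)."""
    saddr, daddr = (bytes(map(int, a.split("."))) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = saddr + daddr + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                     64, 6, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp

def split_post_session(client="10.0.0.2", server="10.0.0.1", sport=40000, dport=80):
    """Three-way handshake, then POST headers and POST body as two segments."""
    body = b"not4batman=true&joke=riddler"          # constructed POST data
    headers = (b"POST /batcave/unicorns4sourcefire HTTP/1.1\r\n"
               b"Host: batcomputer.example\r\nAccept-Language: de\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n" % len(body))
    cisn, sisn = 1000, 5000                         # constructed ISNs
    def c2s(seq, flags, data=b""):
        return frame(client, server, sport, dport, seq, sisn + 1, flags, data)
    return [
        frame(client, server, sport, dport, cisn, 0, SYN),
        frame(server, client, dport, sport, sisn, cisn + 1, SYNACK),
        c2s(cisn + 1, ACK),
        c2s(cisn + 1, PSHACK, headers),               # packet 1: headers only
        c2s(cisn + 1 + len(headers), PSHACK, body),   # packet 2: body only
    ]

def write_pcap(path, frames):
    """Minimal libpcap file (link type 1 = Ethernet), one record per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", 1289228400, i * 1000, len(fr), len(fr)) + fr)

if __name__ == "__main__":
    write_pcap("split_post.pcap", split_post_session())
```

Replaying the resulting file through Snort with the rule above shows whether the negated body content is evaluated against the reassembled stream or only against the headers packet.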

On Tue, Nov 2, 2010 at 5:34 PM, Steven Sturges
<steve.sturges () sourcefire com> wrote:
There was an issue in that HTTP inspect wasn't correctly handling
raw vs. stream reassembled packets when looking at HTTP response
data.  This fix is included in 2901 -- refer to ChangeLog (changes
to hi_client.c/hi_server.c).

As to the support of 2.8.6, with the release of 2.9.0, 2.8.6.x
is no longer supported.  When there is a new "3 digit" release no
further patches are made to the previous version of Snort.

On 11/1/2010 1:05 PM, L0rd Ch0de1m0rt wrote:
Hello. Does this release fix the issue where the HTTP pre-processor
wasn't properly examining reassembled data across fragmented packets?
(I don't know the exact cause of the bug - maybe it was the other way
around and Stream5 wasn't properly doing the reassembly.)  It was
announced that there would be a patch for that issue, just want to see
if this is it.  If so, when can we expect the patch to be
released? is still supported, right?


-L0rd C.

On Mon, Nov 1, 2010 at 11:45 AM, Snort Releases <
snortreleases () snort org> wrote:
Snort is now available on snort.org, at

2.9.0 RC & later packages are signed with a new PGP key
(that is signed with the previous key).

Snort addresses the following:

 * Fixed maximum flowbits configuration parsing to specify the number
   of bits in accordance with the Snort manual, rather than number of
   bytes.  If you have 'config flowbits_size' in your snort.conf,
   double check that it has the correct setting.

 * Fixed a packet size issue with the IPQ and NFQ DAQs.

 * Fixed issue with Stream5 overlap limit processing.

 * Updated the version of LibPCRE bundled with the Windows installer.
   This update fixes a bug that caused some PCRE matches to fail
   on Windows.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to
snort-beta () sourcefire com 

Happy Snorting!
The Snort Release Team

Snort-devel mailing list
Snort-devel () lists sourceforge net
