Re: Snort 184.108.40.206 Now Available
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Mon, 8 Nov 2010 11:11:48 -0600
Hello. Unfortunately I cannot provide pcap but I hoped to provide
enough info so that it could be reproduced.
Eoin: I saw your email and read your blog post when it came out ... I
was just hoping that snort version 220.127.116.11 fixed the issues with the
HTTP pre-processor and reassembly since Steve Sturges indicated it did
but maybe he is referring to other fixes???
On Mon, Nov 8, 2010 at 10:54 AM, Russ Combs <rcombs () sourcefire com> wrote:
Can you send us a pcap?
On Mon, Nov 8, 2010 at 11:45 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
I am still experiencing HTTP stream reassembly issues when trying to
match across multiple fragmented packets with snort 18.104.22.168.
Specifically, this happens on a HTTP POST where the headers are in a
different packet than the POST data. Consider the following rule you
can use along with scapy to reproduce if you want:
alert tcp any any -> $HOME_NET $HTTP_PORTS (
    msg:"Incoming German POST to Batman";
    flow:established,to_server;
    content:"POST"; http_method;
    uricontent:"/batcave/";
    uricontent:"unicorns4sourcefire";
    content:"|0d 0a|Accept-Language: de"; nocase; http_header;
    content:!"|0d 0a 0d 0a|not4batman=true&";
    content:!"\; batsecret=sesstoken4robin"; http_cookie;
    classtype:trojan-activity; sid:8008135; rev:17;
)
It alerts (b/c all the URI and HTTP header stuffs match in the initial
packet) but it shouldn't alert b/c the HTTP POST data starts with
'not4batman=true&' (but the POST data is in a subsequent packet than
the one containing the headers).
Anyone else still having issues or have done more in-depth testing
with 22.214.171.124 and the HTTP pre-processor?
On Tue, Nov 2, 2010 at 5:34 PM, Steven Sturges
<steve.sturges () sourcefire com> wrote:
There was an issue in that HTTP inspect wasn't correctly handling
raw vs. stream reassembled packets when looking at HTTP response
data. This fix is included in 2901 -- refer to ChangeLog (changes
As to the support of 2.8.6, with the release of 2.9.0, 2.8.6.x
is no longer supported. When there is a new "3 digit" release no
further patches are made to the previous version of Snort.
On 11/1/2010 1:05 PM, L0rd Ch0de1m0rt wrote:
Hello. Does this release fix the issue where the HTTP pre-processor
wasn't properly examining reassembled data across fragmented packets?
(I don't know the exact cause of the bug - maybe it was the other way
around and Stream5 wasn't properly doing the reassembly.) It was
announced that there would be a patch for that issue, just want to see
if this is it. If so, when can we expect the 126.96.36.199 patch to be
released? 188.8.131.52 is still supported, right?
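The false positive described in the thread comes down to where the negated content check is evaluated: against the single segment carrying the headers, or against the reassembled request. The following is an added illustration, not code from the thread or from Snort; it models the posted rule's content and negated-content checks as plain substring tests over a constructed two-segment POST, and compares per-segment inspection with inspection of the reassembled stream.

```python
# Constructed sample traffic: one HTTP POST split across two TCP segments,
# headers in the first and the form body in the second, as the report describes.
HEADERS = (
    b"POST /batcave/?q=unicorns4sourcefire HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Accept-Language: de\r\n"
    b"Cookie: user=bruce\r\n"          # no 'batsecret' cookie, so that negation passes
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
)
BODY = b"not4batman=true&"  # 16 bytes, matches Content-Length above

# Checks taken from the posted rule (sid:8008135). This is a simplified model:
# raw substring matching instead of Snort's http_method/http_header/http_cookie buffers.
POSITIVE = [b"POST", b"/batcave/", b"unicorns4sourcefire"]
POSITIVE_NOCASE = [b"\r\naccept-language: de"]  # rule uses nocase on this one
NEGATED = [b"\r\n\r\nnot4batman=true&", b"; batsecret=sesstoken4robin"]


def rule_matches(buf: bytes) -> bool:
    """True if every positive check hits and no negated check hits in this buffer."""
    if not all(p in buf for p in POSITIVE):
        return False
    if not all(p in buf.lower() for p in POSITIVE_NOCASE):
        return False
    return not any(n in buf for n in NEGATED)


def would_alert(segments: list[bytes], reassemble: bool) -> bool:
    """Decide whether the rule fires on a request delivered as `segments`.

    reassemble=False inspects each segment on its own (the behaviour the report
    complains about); reassemble=True inspects the stream as one buffer.
    """
    if reassemble:
        return rule_matches(b"".join(segments))
    return any(rule_matches(seg) for seg in segments)


if __name__ == "__main__":
    split = [HEADERS, BODY]
    print("per-segment  :", would_alert(split, reassemble=False))   # True  (false positive)
    print("reassembled  :", would_alert(split, reassemble=True))    # False (correct)
    print("single packet:", would_alert([HEADERS + BODY], reassemble=False))  # False
```

The per-segment case alerts because the headers segment satisfies every positive check while the negated body check cannot hit on bytes that sit in the next segment; only the reassembled view sees the body and suppresses the alert.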
Snort-devel mailing list
Snort-devel () lists sourceforge net