Home page logo

snort logo Snort mailing list archives

Re: Snort doesn't trigger while the payload size is big (even for ~4-5KB files)
From: Sujit Ghosal <thesujit () gmail com>
Date: Mon, 13 Dec 2010 15:39:59 +0530

Hey Joel,
      I have figured out the issue. Its because of TCP reassembly of
packets. In the first steam of my payload snort was working flawlessly but
if I jump to the second place of tcp reassembled data then it was not
detecting. Well I knew that the problem can be solved using flowbits
keyword, but I wanted a solution where snort can detect those re-assembled
packets as well. Is it possible to command snort to handle tcp re-assembly
without the use of flowbits?


On Sun, Dec 5, 2010 at 10:52 PM, Joel Esler <jesler () sourcefire com> wrote:

Can you provide your Snort configuration, rule you are trying to write
and a full session pcap of the traffic you are attempting to detect?

On Sunday, December 5, 2010, Sujit Ghosal <thesujit () gmail com> wrote:
Hi All,    I had a similar type of issue some days back to detect any
server side/client side vulnerabilities as Snort was not detecting even for
a single GET or <html> pattern in any requests/responses respectively.
Anyways the problem is somehow solved. It just suddenly started working (may
be I think my firewall was blocking initially, I am not fully sure though).

    Now I came through a very bizzare problem. While I am writing a
client side signature (lets say some PDF vulnerability signatures). If the
PDF has less number of bytes (within 500-600 bytes and the whole PDF is of
600 bytes) and attack pattern comes within those 600 bytes then snort
detects that time with my developed rule. But If I generate a malformed PDF
File through MSF then the malformed objects are being moved to > 600 and the
pattern is present at last of the PDF file (around at 20000th offset). In
such cases snort is not detecting the attack. I checked the signature and
everything is perfect as I haven't given any such offset limitations inside
that rule.

    I gave a look in snort.conf to see the http_preprocessor configs and
the checked till how far snort processes the data length and it is set to 0.
So I think it should work in any case.

Can anyone please guide me on what could be the issue and how I can
resolve this?

Best Regards,Sujit

Joel Esler

Oracle to DB2 Conversion Guide: Learn learn about native support for PL/SQL,
new data types, scalar functions, improved concurrency, built-in packages, 
OCI, SQL*Plus, data movement tools, best practices and more.
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]