Snort mailing list archives
Bug report - no content match on http_inspect port
From: elof () sentor se
Date: Fri, 4 Mar 2011 15:57:06 +0100 (CET)
Snort doesn't trigger alerts on traffic if that port is included in the
http_inspect ports.
Example:
A basic rule:
alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; sid:1234; rev:1;)
If the snort.conf contains this http_inspect configuration, sid:1234 will
never trigger even if a packet is seen containing "login: root" from port
3128. Bug!
preprocessor http_inspect_server: server default profile all ports { 80 3128 8080 } oversize_dir_length 500 no_alerts
If I remove port 3128 from the configuration and try again, I get an
alert.
preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500 no_alerts
I tested it using this simple setup:
Server: echo "login: root" | nc -l 3128
Client: nc serverip 3128
When the client connects, I get a logged event using the second config.
When the client connects, I don't get any event using the first config.
This is reproducible.
Could it be that http_inspect tries to normalise the string "login: root"
and by doing so breaks it, so that there are no matches?
/Elof
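An added helper, not part of the report above and not Snort's own code: it lists rules that use a plain content match (no http_* modifier) on a port that is also handed to http_inspect_server, so an operator can test those rules the way the report does before relying on them. The snort.conf fragment and rules are constructed samples mirroring the report; port variables and negations are assumed out of scope.

```python
import re
# Constructed sample snort.conf fragment and rules, mirroring the report above.
SNORT_CONF = """
preprocessor http_inspect_server: server default profile all ports { 80 3128 8080 } oversize_dir_length 500 no_alerts
"""
RULES = """
alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; sid:1234; rev:1;)
alert tcp any any -> any 22 (msg:"bar"; content:"SSH-"; sid:1235; rev:1;)
alert tcp any 8080 -> any any (msg:"baz"; content:"x"; http_header; sid:1236; rev:1;)
"""

PORTS_RE = re.compile(r"http_inspect_server:.*?\bports\s*\{([^}]*)\}")
RULE_RE = re.compile(r"^\s*alert\s+tcp\s+\S+\s+(\S+)\s+[-<]>\s+\S+\s+(\S+)\s+\((.*)\)\s*$")
# Rules carrying one of these match http_inspect buffers, not the raw payload.
HTTP_MODIFIERS = ("http_client_body", "http_header", "http_uri", "http_method",
                  "http_cookie", "http_raw_", "http_stat_")

def http_inspect_ports(conf):
    """Collect every port listed in http_inspect_server 'ports { ... }' blocks."""
    ports = set()
    for m in PORTS_RE.finditer(conf):
        ports.update(int(p) for p in m.group(1).split())
    return ports

def rule_ports(field):
    """Expand a numeric port field ('80', '[80,8080]', '8000:8010'); None otherwise."""
    if field == "any" or not re.fullmatch(r"[\d,:\[\]]+", field):
        return None  # 'any', $VARS and negations are not resolved statically (assumption)
    ports = set()
    for part in field.strip("[]").split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def raw_content_rules_on_http_ports(conf, rules):
    """Return sids of rules with a plain content match whose source or
    destination port is handled by http_inspect (any/any rules are not flagged)."""
    http_ports = http_inspect_ports(conf)
    flagged = []
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        src, dst, opts = m.groups()
        if "content:" not in opts or any(mod in opts for mod in HTTP_MODIFIERS):
            continue
        if any(rule_ports(f) and rule_ports(f) & http_ports for f in (src, dst)):
            flagged.append(int(re.search(r"sid:\s*(\d+)", opts).group(1)))
    return flagged
```

With the sample data only sid 1234 is reported; removing 3128 from the ports block, as the report does, empties the list.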
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel