Re: [Emerging-Sigs] http preprocessor issue (help!)

[Joel Esler <jesler () sourcefire com>]

CC'ing Snort-users list, as that list is more appropriate for engine
issues.  Do you have any thresholds in place?

I ran it against my Snort install with the stock VRT snort.conf and I got:

##### fixed_http_traffic_test.pcap #####
[1:1000010:1] NIRT_GET_TEST (alerts: 41)
[129:18:1] Data sent on stream after TCP Reset received (alerts: 1)
(dropped)
[120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP
RESPONSE (alerts: 1) (dropped)

http://www.snort.org/vrt/snort-conf-configurations/

--
*Joel Esler*
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire




On Fri, Feb 8, 2013 at 1:49 PM, Dmitri <shadow000 () gmail com> wrote:

> Anybody had any weird issues with http preprocessor in snort or sourcefire?
>
> Been breaking my head on this for the past couple of weeks. At this point
> I am just testing these two:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_POST_TEST";
> content:"POST"; http_method; nocase; classtype:web-application-attack;
> rev:1; sid:1000009; )
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_GET_TEST";
> content:"GET"; http_method; nocase; classtype:web-application-attack;
> rev:1; sid:1000010; )
>
> here's what I am getting:
> root@bt:/etc/snort# snort -c ./snort.conf -A console -q -r
> /root/http_traffic_test.pcap
> 02/06-23:28:13.697928  [**] [1:1000010:1] NIRT_GET_TEST [**]
> [Classification: Web Application Attack] [Priority: 1] {TCP}
> 192.168.107.132:49750 -> 213.186.33.2:80
> root@bt:/etc/snort#
>
> As we can see fires just once, however there are tons of GET requests in
> the pcap.(pcap and snort.conf are attached)
>
> Any ideas or suggestions?
>
>
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4 GRE (Build 40)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.0.0
>            Using PCRE version: 8.32 2012-11-30
>            Using ZLIB version: 1.2.3.3
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () lists emergingthreats net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for all versions of
> Suricata and Snort 2.4.0 through Current!



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!