Re: [Emerging-Sigs] http preprocessor issue (help!)

[Joel Esler <jesler () sourcefire com>]

Apologies for yet ANOTHER response to myself.  I ran two tests.  One test
ignores checksums, the other test doesn't.

When I ran my "ignore checksum" test against your pcap, I got 41 alerts,
when I ran your pcap through my pcap does doesn't ignore checksums, I got
one alert.

When I fixed the checksums in the pcap, I get all 41 alerts (so basically,
you need to run your test with "-k none" in your Snort command line, or you
need to fix the checksums in your pcap).  Also note in the results below
that I remove all "flowbits:noalert;" from all rules to see which rules are
setting flowbits, etc.

First set of alerts is your pcap, the second set is your pcap with
checksums corrected (you can see far more alerts across the board than just
your rule in fact)

Alerts (*http_traffic_test.pcap*)
1:20478:8  FILE-IDENTIFY PNG file magic detected
 Alerts: 8
1:20483:11 FILE-IDENTIFY JPEG file magic detected
Alerts: 3
1:17394:10 FILE-IDENTIFY GIF file download request
 Alerts: 9
1:17380:9  FILE-IDENTIFY PNG file download request
 Alerts: 14
1:20452:11 FILE-IDENTIFY GZip file magic detected
Alerts: 1
*1:1000010:1 NIRT_GET_TEST
   Alerts: 1*
1:16406:10 FILE-IDENTIFY JPEG file download request
Alerts: 3

Alerts (*fixed_http_traffic_test.pcap*)
*1:1000010:1 NIRT_GET_TEST
   Alerts: 41*
1:20483:11 FILE-IDENTIFY JPEG file magic detected
Alerts: 3
1:17394:10 FILE-IDENTIFY GIF file download request
 Alerts: 9
1:16406:10 FILE-IDENTIFY JPEG file download request
Alerts: 3
1:20452:11 FILE-IDENTIFY GZip file magic detected
Alerts: 1
1:20459:8 FILE-IDENTIFY GIF file magic detected
 Alerts: 9
1:20478:8 FILE-IDENTIFY PNG file magic detected
 Alerts: 14
1:17380:9 FILE-IDENTIFY PNG file download request
 Alerts: 14


Sorry for so many emails.


On Sun, Feb 10, 2013 at 11:03 AM, Joel Esler <jesler () sourcefire com> wrote:

> BTW -- I know the pcap reads "fixed_http_traffic_test.pcap".  I have a
> system that corrects checksums when I put a pcap in my test directory.
>  Here is the same test ran with your pcap:
>
> ##### http_traffic_test.pcap #####
> [1:1000010:1] NIRT_GET_TEST (alerts: 41)
> [129:18:1] Data sent on stream after TCP Reset received (alerts: 1)
> (dropped)
>  [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP
> RESPONSE (alerts: 1) (dropped)
>
>
> On Sun, Feb 10, 2013 at 11:01 AM, Joel Esler <jesler () sourcefire com>wrote:
>
> > CC'ing Snort-users list, as that list is more appropriate for engine
> > issues.  Do you have any thresholds in place?
> >
> > I ran it against my Snort install with the stock VRT snort.conf and I got:
> >
> > ##### fixed_http_traffic_test.pcap #####
> > [1:1000010:1] NIRT_GET_TEST (alerts: 41)
> > [129:18:1] Data sent on stream after TCP Reset received (alerts: 1)
> > (dropped)
> >  [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP
> > RESPONSE (alerts: 1) (dropped)
> >
> > http://www.snort.org/vrt/snort-conf-configurations/
> >
> > --
> > *Joel Esler*
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
> >
> >
> >
> >
> > On Fri, Feb 8, 2013 at 1:49 PM, Dmitri <shadow000 () gmail com> wrote:
> >
> > > Anybody had any weird issues with http preprocessor in snort or
> > > sourcefire?
> > >
> > > Been breaking my head on this for the past couple of weeks. At this
> > > point I am just testing these two:
> > >
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_POST_TEST";
> > > content:"POST"; http_method; nocase; classtype:web-application-attack;
> > > rev:1; sid:1000009; )
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NIRT_GET_TEST";
> > > content:"GET"; http_method; nocase; classtype:web-application-attack;
> > > rev:1; sid:1000010; )
> > >
> > > here's what I am getting:
> > > root@bt:/etc/snort# snort -c ./snort.conf -A console -q -r
> > > /root/http_traffic_test.pcap
> > > 02/06-23:28:13.697928  [**] [1:1000010:1] NIRT_GET_TEST [**]
> > > [Classification: Web Application Attack] [Priority: 1] {TCP}
> > > 192.168.107.132:49750 -> 213.186.33.2:80
> > > root@bt:/etc/snort#
> > >
> > > As we can see fires just once, however there are tons of GET requests in
> > > the pcap.(pcap and snort.conf are attached)
> > >
> > > Any ideas or suggestions?
> > >
> > >
> > >
> > >    ,,_     -*> Snort! <*-
> > >   o"  )~   Version 2.9.4 GRE (Build 40)
> > >    ''''    By Martin Roesch & The Snort Team:
> > > http://www.snort.org/snort/snort-team
> > >            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
> > >            Using libpcap version 1.0.0
> > >            Using PCRE version: 8.32 2012-11-30
> > >            Using ZLIB version: 1.2.3.3
> > >
> > >
> > > _______________________________________________
> > > Emerging-sigs mailing list
> > > Emerging-sigs () lists emergingthreats net
> > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > >
> > > Support Emerging Threats! Subscribe to Emerging Threats Pro
> > > http://www.emergingthreatspro.com
> > > The ONLY place to get complete premium rulesets for all versions of
> > > Suricata and Snort 2.4.0 through Current!
> >
> >
> >
> > --
> > Joel Esler
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
>
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire


-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!