Snort mailing list archives
Re: Rule works in replay file mode, but not when sniffing
From: Pavel Rantorski <fhjull01 () outlook com>
Date: Fri, 12 Jul 2013 18:22:04 +0200
Thank you for your answers. When I use the rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test file download"; content:"filename="; fast_pattern:only; http_header;)

it behaves in the same way: it won't fire when sniffing, but fires when replayed.

You are correct that with --dirty-pig, no alert is generated even on replay with the sample I sent. I trimmed the sample I sent before, perhaps a bit too much. A larger pcap (hopefully with the full session) can be found at: http://img.dreamchaser.cz/testdata7.zip (8MB)

This sample fires both rules (mine + the one suggested by Joel Esler) even with --dirty-pig, but no results when sniffed directly.

> Date: Fri, 12 Jul 2013 11:12:05 -0400
> Subject: Re: [Snort-users] Rule works in replay file mode, but not when sniffing
> From: rcombs () sourcefire com
> To: jesler () sourcefire com
> CC: fhjull01 () outlook com; snort-users () lists sourceforge net
>
> I think you have something else going on. Can you send a full session capture?
>
> The capture you have is alerting in readback at shutdown. To confirm, add --dirty-pig to your command line and you won't get the alert. The reason is Content-Length: 9156548 but you only have 4101 bytes in the capture. Snort is trying to reassemble more data which never shows up.
>
> You can get the alert to fire even with --dirty-pig if you change paf_max to something like 3072. If you want it to fire in replay you need at least paf_max worth of the response body.
>
> On Fri, Jul 12, 2013 at 10:10 AM, Joel Esler <jesler () sourcefire com> wrote:
>
> > What happens when you do a:
> >
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test file download"; content:"filename="; fast_pattern:only; http_header;)
> >
> > On Jul 12, 2013, at 9:05 AM, Pavel Rantorski <fhjull01 () outlook com> wrote:
> >
> > > Hello,
> > >
> > > I'm testing a rule that should (eventually) detect download/upload of specific file types from public HTTP servers. I could not get the rule to trigger, so I simplified it to:
> > >
> > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test file download"; content:"Content-Disposition|3a|"; nocase; http_header; pcre:"/filename=/simH"; classtype:policy-violation; sid:1000004; rev:7;)
> > >
> > > (the rule is nowhere near complete, it is simplified to be less prone to mistakes)
> > >
> > > Unfortunately, the rule still does not work. I captured the traffic (on the same machine/interface that Snort was running on) and verified that such a packet is indeed there. When I let Snort analyze the traffic from this pcap file ('snort -A console -c /etc/snort/snort.conf -r /tmp/testdata5.pcap -l . -u snort'), the rule is fired on the console correctly. The rule is (in standard, sniffing mode) sometimes triggered as well (although never from this particular server I am testing).
> > >
> > > What could be the cause of this? Snort is running in IDS mode (not inline) and is not dropping packets. LRO and GRO are disabled on the network adapter. I have tried running Snort with '-k none' without any results.
> > >
> > > I have attached a small pcap sample of the traffic I'm trying to catch - this is enough to trigger the rule in replay mode, but didn't trigger when sniffing.
> > >
> > > Thank you,
> > > Pavel
> > >
> > > <testdata5.pcap>

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
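The explanation in the thread (a response whose Content-Length is far larger than the bytes actually captured is only flushed by Snort's PAF reassembly at shutdown, and lowering paf_max below the captured body size makes it flush earlier) is easy to check before blaming a rule. The script below is an added example, not code from the thread or from Snort: it parses a raw server-side HTTP response, reads Content-Length and Content-Disposition, and reports whether the captured body reaches the threshold the thread describes. The threshold model (the smaller of Content-Length and paf_max) and the default paf_max value of 16384 are assumptions drawn from the thread and the Snort 2.9 manual, not from Snort's source; the response bytes are constructed to mirror the thread's case (a multi-megabyte Content-Length with only a few KB captured). It does not address the separate live-sniffing discrepancy, which the thread leaves unresolved.

```python
"""Check whether a captured HTTP response holds enough body bytes for
Snort's PAF reassembly to flush it before shutdown.

Added example, not code from the thread or from Snort. It models the
thread's explanation: PAF buffers the response body up to paf_max bytes
(or up to Content-Length when that is smaller), so a capture with fewer
body bytes than that is only inspected at shutdown readback, and
--dirty-pig suppresses that final flush. The threshold rule and the
default paf_max are assumptions, not taken from Snort's source.
"""

PAF_MAX_DEFAULT = 16384  # assumed default of `config paf_max:` in Snort 2.9.x


def parse_http_response(raw: bytes):
    """Split a raw server-side TCP payload into (status line, headers, body).

    Returns None when the header block is incomplete (no CRLF CRLF yet).
    Header names are lower-cased; a repeated header keeps its last value.
    """
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        return None
    head, body = raw[:sep], raw[sep + 4:]
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name:
            key = name.strip().lower().decode("latin-1")
            headers[key] = value.strip().decode("latin-1")
    return status_line, headers, body


def reassembly_check(raw: bytes, paf_max: int = PAF_MAX_DEFAULT) -> dict:
    """Report Content-Length, captured body size, and whether the captured
    body reaches min(Content-Length, paf_max), the point at which (per the
    thread's explanation) PAF flushes the response for rule evaluation
    without waiting for shutdown."""
    parsed = parse_http_response(raw)
    if parsed is None:
        return {"status": "incomplete-headers"}
    status_line, headers, body = parsed
    cl = headers.get("content-length")
    try:
        content_length = int(cl) if cl is not None else None
    except ValueError:
        content_length = None
    disposition = headers.get("content-disposition", "")
    result = {
        "status": status_line,
        "content_length": content_length,
        "body_captured": len(body),
        # the string the thread's simplified rules look for in http_header
        "has_filename": "filename=" in disposition.lower(),
    }
    if content_length is None:
        # chunked or length-less response: the Content-Length reasoning
        # from the thread does not apply, so report "unknown"
        result["bytes_needed"] = None
        result["flushes_before_shutdown"] = None
        return result
    needed = min(content_length, paf_max)
    result["bytes_needed"] = needed
    result["flushes_before_shutdown"] = len(body) >= needed
    return result


# Constructed sample mirroring the thread: the headers advertise a ~9 MB
# body, but the capture holds only 3500 bytes of it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"sample.bin\"\r\n"
    b"Content-Length: 9156548\r\n"
    b"\r\n"
) + b"\x00" * 3500


if __name__ == "__main__":
    # With the assumed default paf_max the body is too short to flush early;
    # with paf_max lowered to 3072 (as suggested in the thread) it is not.
    for pm in (PAF_MAX_DEFAULT, 3072):
        r = reassembly_check(SAMPLE_RESPONSE, pm)
        print(f"paf_max={pm}: need {r['bytes_needed']} body bytes, "
              f"captured {r['body_captured']}, "
              f"flushes before shutdown: {r['flushes_before_shutdown']}")
```

To use it on a real capture, extract the server-to-client TCP stream from the pcap (for example with a follow-stream export from a packet analyzer) and pass the raw bytes to reassembly_check with the paf_max value from your snort.conf. A result of False with the default paf_max explains a rule that fires only at replay shutdown and not with --dirty-pig; a capture that contains the whole session, as requested in the thread, removes the ambiguity.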
Current thread:
- Rule works in replay file mode, but not when sniffing Pavel Rantorski (Jul 12)
- Re: Rule works in replay file mode, but not when sniffing Joel Esler (Jul 12)
- Re: Rule works in replay file mode, but not when sniffing Russ Combs (Jul 12)
- Re: Rule works in replay file mode, but not when sniffing Pavel Rantorski (Jul 12)
- Re: Rule works in replay file mode, but not when sniffing Russ Combs (Jul 12)
- Re: Rule works in replay file mode, but not when sniffing Pavel Rantorski (Jul 12)
- Message not available
- Re: Rule works in replay file mode, but not when sniffing Pavel Rantorski (Jul 12)
- Re: Rule works in replay file mode, but not when sniffing waldo kitty (Jul 12)
- Re: Rule works in replay file mode, but not when sniffing Russ Combs (Jul 12)
- Re: Rule works in replay file mode, but not when sniffing Joel Esler (Jul 12)
