From: vishal_nitr <vis...@re...> - 2008-08-29 06:06:56
Hi ALL,

I am using snort_inline-2.6.1.5 on my Fedora 6 PC. I wanted to use snort_inline as an IPS for my system, so I was testing snort_inline's capability to detect web attacks. For this I wrote a simple TCP client program which sends HTTP GET requests to my system (I will be running this program on another machine in the LAN), and in that GET request I added a URI pattern from the web-cgi.rules file, which looks like "GET http://10.0.0.1/hsx.cgi HTTP/1.0 \r\nnn". When I executed the program, snort_inline neither dropped this packet nor logged it. I tested the same thing with some other web attack patterns, but with the same results. Is this the intended behaviour of snort_inline, or am I doing something wrong?

Below is my snort_inline.conf for reference.

var HOME_NET [10.0.0.1/32]
var HONEYNET any
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS 10.0.0.1
var SQL_SERVERS any
var DNS_SERVERS any
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# ports you want to look for SSH on
var SSH_PORTS 22

var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

var RULE_PATH /home/vishal/snort/ips_rules

preprocessor stickydrop: max_entries 50, log
preprocessor stickydrop-timeouts: sfportscan 60
preprocessor stickydrop-ignorehosts: 10.0.0.1/32

preprocessor flow: stats_interval 0 hash 2

preprocessor stream4: disable_evasion_alerts, stream4inline, \
#                     enforce_state drop, \
#                     midstream_drop_alerts, \
#                     state_file /var/log/ips/state_file.log, \
                      state_file /var/log/state_file.log, \
                      detect_scans, \
                      memcap 100000000, \
                      timeout 3600, \
                      truncate, \
                      window_size 3000, \
                      detect_state_problems, \
                      self_preservation_threshold 100, \
                      self_preservation_period 30, \
                      state_protection enable, \
                      suspend_threshold 200, \
                      suspend_period 60, \
                      enable_udp_sessions, \
                      max_udp_sessions 9000

preprocessor stream4_reassemble: both, ports "default", favor_new

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor telnet_decode: 21 23 25 119

preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful check_encrypted

preprocessor ftp_telnet_protocol: telnet ports { 23 } normalize ayt_attack_thresh 10 detect_anomalies

preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan

preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes

preprocessor smtp: ports { 25 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }

preprocessor sfportscan: proto { all } memcap { 10000000 } scan_type { all } sense_level { medium } logfile { sfport_scan.log }

preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000

preprocessor dns: ports { 53 } enable_rdata_overflow

output alert_fast: snort_inline-fast

include $RULE_PATH/classification.config
include $RULE_PATH/reference.config

### The Drop Rules
# Enabled
# include $RULE_PATH/test.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/voip.rules

### Bleeding Rules
# include $RULE_PATH/bleeding-all.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-voip.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-custom.rules
include $RULE_PATH/bleeding-rbn.rules
include $RULE_PATH/bleeding-web_sql_injection.rules

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent, Chennai-35.
09884074047.