From: Brian J. <bja...@ci...> - 2004-04-02 14:18:21
Thanks, Pieter, for the subset of your config file; very useful. For the preprocessors it is identical to the one I use with 2.0.4, except for bo:, which I don't use. The other thing that struck me is that the 'http_decode' and 'conversation' preprocessors are not included in the configuration file that comes with the 2.1 rules. I had assumed that these had been replaced. I wonder if this is the cause of the confusion? I will have to get a move on and get the rest of the system built and my snort_inline updated. Now I know what to play with / adjust to make it work.

regards,
Brian

Pieter wrote:-
>Ok, here is the test packet sent through
>
>pieter@pc-dt:/tmp$ telnet 192.168.3.20 80
>Trying 192.168.3.20...
>Connected to 192.168.3.20.
>Escape character is '^]'.
>GET %2fnos%20%68ite HTTP/1.0
>
>This session will then be closed because of the REJECT rule action.
>The relevant snort.conf bits are:
>
>....
>preprocessor telnet_decode:
>preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
>preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
>preprocessor rpc_decode: 111 32771
>preprocessor bo: -nobrute
>output log_unified: filename snort.log, limit 128
>...
>reject tcp any any -> any any (msg:"test"; sid:2000000; rev:0; classtype:not-suspicious; uricontent: "noshite";)
>...
>
>Pieter
>
>On Fri, 2004-04-02 at 11:59, Brian Jameson wrote:
>> Pieter wrote:-
>>
>> > Yes, the uricontent works and it decodes and drops packets that match
>> > in inline mode.
>> >
>> > Pieter
>> >
>> > On Fri, 2004-04-02 at 02:43, William Metcalf wrote:
>> >> Has anybody been able to confirm or deny that uricontent matching is
>> >> broken in 2.1.1? I would like to know so that if it's the
>> >> configuration that I'm running with, I can start to look there. If
>> >> not, I don't mind trying to fumble my way through some C code to try
>> >> to get it to work, if someone could point me in the right
>> >> direction. I tried looking at the diff and the sp_pattern_match.c
>> >> file; is this the correct place to start?
>> >>
>> >> Regards,
>> >>
>> >> Will
>> >
>>
>> Interesting. Could the fact that some people say it works and some say it
>> does not be down to configuration? Pieter, any chance you could post (failing
>> that, send me) part of your config file? This may explain why William Metcalf
>> and others are failing to match. It would certainly speed up my updating of
>> snort_inline.
>>
>> regards,
>> Brian
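The thread turns on the difference between content: (matched against the raw request bytes) and uricontent: (matched against the URI after the decode preprocessor has normalized it), and on which http_decode options are switched on. The following is an added example, not Snort's code and not anything posted in the thread: a deliberately simplified Python model of the normalizations named on Pieter's http_decode line (unicode, double_encode, iis_flip_slash, full_whitespace; iis_alt_unicode is not modelled), with uricontent_match and content_match applied to a few constructed request lines. The names DecodeOptions, extract_uri, normalize_uri, uricontent_match and content_match are mine, and the request lines in SAMPLES are constructed for the illustration. It shows why a uricontent rule that fires on one box can stay silent on another when the URI normalizer is missing or configured with fewer options.

```python
"""Toy model of how a URI-normalizing preprocessor feeds uricontent matching.

Added illustration only. The names below are not Snort internals, and the
decoding is a simplified reading of the option keywords on the quoted
http_decode line: unicode, double_encode, iis_flip_slash, full_whitespace.
iis_alt_unicode (IIS alternate code-page mappings) is deliberately not modelled.
"""
import re
from dataclasses import dataclass
from typing import Optional

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")       # %2f style percent escape
_UNI = re.compile(r"%[uU]([0-9A-Fa-f]{4})")   # %u002f style (IIS) escape


@dataclass(frozen=True)
class DecodeOptions:
    """One flag per option keyword on the quoted http_decode line."""
    unicode: bool = True          # decode %uXXXX escapes
    double_encode: bool = True    # decode a second time: %252f -> %2f -> /
    iis_flip_slash: bool = True   # treat backslash as a path separator
    full_whitespace: bool = True  # a tab also delimits the URI field


def extract_uri(request_line: str, opts: DecodeOptions) -> str:
    """Return the still-encoded URI field of an HTTP request line, or ''."""
    line = request_line.strip("\r\n")
    if opts.full_whitespace:
        line = line.replace("\t", " ")   # tab counts as a field delimiter
    parts = [p for p in line.split(" ") if p]
    return parts[1] if len(parts) >= 2 else ""


def _percent_decode(s: str) -> str:
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def normalize_uri(raw_uri: str, opts: DecodeOptions) -> str:
    """Produce the normalized URI that uricontent patterns are matched against."""
    uri = raw_uri
    if opts.unicode:
        uri = _UNI.sub(lambda m: chr(int(m.group(1), 16)), uri)
    uri = _percent_decode(uri)           # first pass: %2f -> /
    if opts.double_encode:
        uri = _percent_decode(uri)       # second pass catches %252f -> %2f -> /
    if opts.iis_flip_slash:
        uri = uri.replace("\\", "/")
    return uri


def uricontent_match(request_line: str, pattern: str,
                     opts: Optional[DecodeOptions] = None) -> bool:
    """uricontent:"pattern" semantics: search the normalized URI."""
    opts = opts or DecodeOptions()
    return pattern in normalize_uri(extract_uri(request_line, opts), opts)


def content_match(request_line: str, pattern: str) -> bool:
    """Plain content:"pattern" semantics: search the raw request bytes."""
    return pattern in request_line


# Constructed request lines (not the one posted in the thread), one per option.
SAMPLES = {
    "percent":   "GET %2fnos%68ite HTTP/1.0",            # plain %XX escapes
    "double":    "GET %252fnos%2568ite HTTP/1.0",        # double-encoded
    "unicode":   "GET %u002fnos%u0068ite HTTP/1.0",      # IIS %uXXXX escapes
    "backslash": "GET \\nos%68ite HTTP/1.0",             # backslash separator
    "tabs":      "GET\t/nos%68ite\tHTTP/1.0",            # tab-delimited fields
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:9s} content={content_match(line, 'noshite')!s:5} "
              f"uricontent={uricontent_match(line, 'noshite')}")
```

Every sample fails a raw content:"noshite" match and passes the uricontent match only when the corresponding decode option is on (for the backslash case, the observable difference is whether "/noshite" is found after the flip). If a second sensor's snort.conf lacks the normalizer, or runs it with fewer options, the same rule simply does not fire there, which is the configuration-dependent behaviour Brian suspects in the message above.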