List:       snort-devel
Subject:    Re: [Snort-devel] Snort-devel Digest, Vol 99, Issue 6
From:       "Joel Esler (jesler)" <jesler () cisco ! com>
Date:       2014-10-22 16:32:32
Message-ID: 1A237B56-080B-40A6-B080-FA2F694B9E09 () cisco ! com


Not to our knowledge, no. 

--
Joel Esler
iPhone

> On Oct 22, 2014, at 06:55, Muhammad Ridwan Zalbina <zalbinaridwan@gmail.com> wrote:
> 
> Hello snort developers, sorry for "ASKING"
> Is there a way to program or modify the snort preprocessor and combine it with
> modsecurity core rules set (CRS)?
> Thanks !! 
> Can someone tell me about this ... 
> 
> -M. Ridwan Zalbina
> 
> > On Wed, Oct 22, 2014 at 8:16 PM, <snort-devel-request@lists.sourceforge.net> wrote:
> > Send Snort-devel mailing list submissions to
> > snort-devel@lists.sourceforge.net
> > 
> > To subscribe or unsubscribe via the World Wide Web, visit
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > or, via email, send a message with subject or body 'help' to
> > snort-devel-request@lists.sourceforge.net
> > 
> > You can reach the person managing the list at
> > snort-devel-owner@lists.sourceforge.net
> > 
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Snort-devel digest..."
> > 
> > 
> > Today's Topics:
> > 
> > 1. byte_extract addition? (Mike Cox)
> > 2. Re: byte_extract addition? (Ed Borgoyn (eborgoyn))
> > 3. Re: Unable to kill a non-zombie process with -9 (fwd)
> > (elof2@sentor.se)
> > 4. Snort and core rules (Muhammad Ridwan Zalbina)
> > 5. fast_pattern not always longest content string by default?
> > (Mike Cox)
> > 
> > 
> > ----------------------------------------------------------------------
> > 
> > Message: 1
> > Date: Thu, 9 Oct 2014 13:22:31 -0400
> > From: Mike Cox <mike.cox52@gmail.com>
> > Subject: [Snort-devel] byte_extract addition?
> > To: "snort-devel@lists.sourceforge.net"
> > <snort-devel@lists.sourceforge.net>
> > Message-ID:
> > <CANXgGSJip-=zeFDqL8xZ1Yw1tLC4i=QB2ZpSYduz8ouG_-XGLA@mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> > 
> > Hi Snort-Dev,
> > 
> > I have come across a few situations in the past few weeks where it would be
> > useful to be able to do simple addition in rules without having to write a
> > SO rule.  I know that Snort has the byte_extract functionality and you can
> > provide a multiplier value to the extracted bytes before it gets stored in
> > the variable.  However, are there any plans or thoughts that would allow
> > addition (similar to multiplier) of static values (or variables from
> > byte_extract) that would be applied to the extracted bytes before being
> > stored in the variable?
> > 
> > Or could byte_test be expanded to include simple addition?  For example, a
> > byte_test that checks if extracted_value1 > extracted_value2 + 12.
> > 
> > Thanks.
> > 
> > -Mike Cox
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > 
> > ------------------------------
> > 
> > Message: 2
> > Date: Thu, 9 Oct 2014 18:44:04 +0000
> > From: "Ed Borgoyn (eborgoyn)" <eborgoyn@cisco.com>
> > Subject: Re: [Snort-devel] byte_extract addition?
> > To: Mike Cox <mike.cox52@gmail.com>,
> > "snort-devel@lists.sourceforge.net"
> > <snort-devel@lists.sourceforge.net>
> > Message-ID: <D05C4D8C.1D9CD%eborgoyn@cisco.com>
> > Content-Type: text/plain; charset="us-ascii"
> > 
> > Hello Mike,
> > Thank you for the Snort improvement recommendation.  Of your two options, I would
> > vote to add an ADDER modifier to byte_extract to accompany the MULTIPLIER
> > modifier.
> > I will vet the concept with the team.  If appropriate I will place it on the
> > Snort new feature list.  (And provide you with the proper attribution.)
> > Best Regards,
> > Ed  Borgoyn, The Snort Development Team @Cisco
> > 
> > 
> > From: Mike Cox <mike.cox52@gmail.com>
> > Date: Thursday, October 9, 2014 at 1:22 PM
> > To: "snort-devel@lists.sourceforge.net" <snort-devel@lists.sourceforge.net>
> > Subject: [Snort-devel] byte_extract addition?
> > 
> > Hi Snort-Dev,
> > 
> > I have come across a few situations in the past few weeks where it would be
> > useful to be able to do simple addition in rules without having to write a SO
> > rule.  I know that Snort has the byte_extract functionality and you can provide a
> > multiplier value to the extracted bytes before it gets stored in the variable.
> > However, are there any plans or thoughts that would allow addition (similar to
> > multiplier) of static values (or variables from byte_extract) that would be
> > applied to the extracted bytes before being stored in the variable?
> > 
> > Or could byte_test be expanded to include simple addition?  For example, a
> > byte_test that checks if extracted_value1 > extracted_value2 + 12.
> > 
> > Thanks.
> > 
> > -Mike Cox
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > 
> > ------------------------------
> > 
> > Message: 3
> > Date: Wed, 15 Oct 2014 14:21:44 +0200 (CEST)
> > From: elof2@sentor.se
> > Subject: Re: [Snort-devel] Unable to kill a non-zombie process with -9
> > (fwd)
> > To: snort-devel mailinglist <snort-devel@lists.sourceforge.net>
> > Message-ID:
> > <alpine.BSF.2.00.1410151419080.33062@farmermaggot.shire.sentor.se>
> > Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
> > 
> > 
> > Oops, this message didn't make it into the snort-devel list since I wasn't
> > registered.
> > 
> > Here's a copy.
> > 
> > See question 1 below. Is the problem located in snort, in FreeBSD 10.0 or
> > a combination of the two?
> > 
> > /Elof
> > 
> > 
> > ---------- Forwarded message ----------
> > From: elof2@sentor.se
> > To: John-Mark Gurney <jmg@funkthat.com>
> > Cc: freebsd-net <freebsd-net@freebsd.org>,
> > snort-devel mailinglist <snort-devel@lists.sourceforge.net>
> > Date: Wed, 15 Oct 2014 11:41:33 +0200 (CEST)
> > Subject: Re: Unable to kill a non-zombie process with -9
> > In-Reply-To: <20141009222926.GC1852@funkthat.com>
> > References: <alpine.BSF.2.00.1410081310340.39263@farmermaggot.shire.sentor.se>
> > <20141009222926.GC1852@funkthat.com>
> > 
> > 
> > Hi!
> > 
> > Today the problem reoccurred.
> > I've now debugged the problem a little further.
> > 
> > I'm starting snort (as root).
> > 
> > <<<lots of startup logs for pid 22646>>>
> > Oct 15 08:46:59 snort[22646]: Initializing daemon mode
> > Oct 15 08:46:59 snort[22648]: Daemon initialized, signaled parent pid: 22646
> > Oct 15 08:46:59 snort[22648]: Reload thread starting...
> > Oct 15 08:46:59 snort[22648]: Reload thread started, thread 0x8146e8800 (22648)
> > End of log.
> > 
> > Error! Nothing more happens with the snort process!
> > Normally it should continue and log these lines as well:
> > 
> > 
> > snort[nnn]: Decoding Ethernet
> > snort[nnn]: Checking PID path...
> > snort[nnn]: PID path stat checked out ok, PID path set to /var/run/
> > snort[nnn]: Writing PID "7627" to file "/var/run//snort_mon0.pid"
> > snort[nnn]: Chroot directory = /usr/foobar/log
> > snort[nnn]: Set gid to 100
> > snort[nnn]: Set uid to 100
> > snort[nnn]:
> > snort[nnn]:         --== Initialization Complete ==--
> > snort[nnn]: Commencing packet processing (pid=nnn)
> > 
> > 
> > 
> > 
> > 
> > When looking at this half-started snort process with 'ps', it looks like this:
> > 
> > ps faxulwwj 22648
> > USER   PID %CPU %MEM    VSZ    RSS TT  STAT STARTED     TIME COMMAND UID PPID
> > CPU PRI NI MWCHAN  PGID   SID JOBC
> > root 22648 51.8  1.1 488552 179344  -  Rs    8:46AM 53:06.52 /usr/local/bin/s
> > 0    1   0  88  0 -      22648 22648    0
> > 
> > 
> > The process is still owned by root, so just as the missing log lines are
> > saying, it has not yet performed any change of uid/gid.
> > 
> > 
> > 
> > 
> > So there seem to be two questions.
> > 
> > Q1)
> > What happens between "Reload thread started, thread 0x8146e8800 (22648)" and
> > "Decoding Ethernet"?
> > Apparently something goes wrong here on FreeBSD 10.0.
> > (this problem does not always occur, sometimes snort starts just fine)
> > 
> > Q2)
> > When the process has frozen in this half-started state, it can't be killed even
> > with a -9. Why?
> > 
> > 
> > 
> > 
> > John-Mark asked me for some debugging info. Here it is:
> > 
> > I now run 'kill 22648' on the above semi-started process:
> > 
> > USER   PID %CPU %MEM    VSZ    RSS TT  STAT STARTED     TIME COMMAND UID
> > PPID CPU PRI NI MWCHAN  PGID   SID JOBC
> > old root 22648 51.8  1.1 488552 179344  -  Rs    8:46AM 53:06.52
> > /usr/local/bin/s   0    1   0  88  0 -      22648 22648    0
> > new root 22648 52.3  1.1 488552 179344  -  Rs    8:46AM 53:36.48
> > /usr/local/bin/s   0    1   0  52  0 -      22648 22648    0
> > 
> > No change.
> > 
> > 
> > 
> > kill -9 22648
> > 
> > USER   PID %CPU %MEM    VSZ    RSS TT  STAT STARTED     TIME COMMAND UID
> > PPID CPU PRI NI MWCHAN  PGID   SID JOBC
> > old root 22648 51.8  1.1 488552 179344  -  Rs    8:46AM 53:06.52
> > /usr/local/bin/s   0    1   0  88  0 -      22648 22648    0
> > new root 22648 37.7  1.1 488552 179344  -  Ts    8:46AM 53:50.87
> > /usr/local/bin/s   0    1   0  52  0 -      22648 22648    0
> > 
> > Less CPU-usage and STAT changed to "Ts".
> > 
> > 
> > 
> > 
> > kill -CONT 22648
> > 
> > USER   PID %CPU %MEM    VSZ    RSS TT  STAT STARTED     TIME COMMAND UID
> > PPID CPU PRI NI MWCHAN  PGID   SID JOBC
> > old root 22648 51.8  1.1 488552 179344  -  Rs    8:46AM 53:06.52
> > /usr/local/bin/s   0    1   0  88  0 -      22648 22648    0
> > new root 22648  0.0  1.1 488552 179344  -  Ts    8:46AM 53:50.88
> > /usr/local/bin/s   0    1   0  52  0 -      22648 22648    0
> > 
> > No change except cpu is down to 0.
> > 
> > 
> > I now start 'kgdb'
> > info threads
> > I found two threads for snort, doing a bt for both of them:
> > 372 Thread 100602 (PID=22648: snort)  sched_switch (td=0xfffff802c061f490,
> > newtd=<value optimized out>, flags=<value optimized out>) at
> > /usr/src/sys/kern/sched_ule.c:1962
> > 371 Thread 100598 (PID=22648: snort)  sched_switch (td=0xfffff80221857000,
> > newtd=<value optimized out>, flags=<value optimized out>) at
> > /usr/src/sys/kern/sched_ule.c:1962
> > thread 372
> > [Switching to thread 372 (Thread 100602)]#0  sched_switch
> > (td=0xfffff802c061f490, newtd=<value optimized out>, flags=<value optimized
> > out>) at /usr/src/sys/kern/sched_ule.c:1962
> > 1962    in /usr/src/sys/kern/sched_ule.c
> > bt
> > #0  sched_switch (td=0xfffff802c061f490, newtd=<value optimized out>,
> > flags=<value optimized out>) at /usr/src/sys/kern/sched_ule.c:1962
> > #1  0xffffffff808b8c1e in mi_switch (flags=266, newtd=0x0) at
> > /usr/src/sys/kern/kern_synch.c:494
> > #2  0xffffffff808c04b0 in thread_suspend_switch (td=0xfffff802c061f490) at
> > /usr/src/sys/kern/kern_thread.c:883
> > #3  0xffffffff808c0276 in thread_single (mode=1) at
> > /usr/src/sys/kern/kern_thread.c:713
> > #4  0xffffffff8087c1bb in exit1 (td=0xfffff802c061f490, rv=9) at
> > /usr/src/sys/kern/kern_exit.c:180
> > #5  0xffffffff808b2faf in sigexit (td=<value optimized out>, sig=<value
> > optimized out>) at /usr/src/sys/kern/kern_sig.c:2935
> > #6  0xffffffff808b3669 in postsig (sig=<value optimized out>) at
> > /usr/src/sys/kern/kern_sig.c:2822
> > #7  0xffffffff808f6f57 in ast (framep=<value optimized out>) at
> > /usr/src/sys/kern/subr_trap.c:271
> > #8  0xffffffff80c75870 in Xfast_syscall () at
> > /usr/src/sys/amd64/amd64/exception.S:416
> > #9  0x0000000801d6f19a in ?? ()
> > Previous frame inner to this frame (corrupt stack?)
> > 
> > 
> > thread 371
> > [Switching to thread 371 (Thread 100598)]#0  sched_switch
> > (td=0xfffff80221857000, newtd=<value optimized out>, flags=<value optimized
> > out>) at /usr/src/sys/kern/sched_ule.c:1962
> > 1962    in /usr/src/sys/kern/sched_ule.c
> > bt
> > #0  sched_switch (td=0xfffff80221857000, newtd=<value optimized out>,
> > flags=<value optimized out>) at /usr/src/sys/kern/sched_ule.c:1962
> > #1  0xffffffff808b8c1e in mi_switch (flags=260, newtd=0x0) at
> > /usr/src/sys/kern/kern_synch.c:494
> > #2  0xffffffff808f2e3a in sleepq_wait (wchan=0x0, pri=0) at
> > /usr/src/sys/kern/subr_sleepqueue.c:620
> > #3  0xffffffff80864aad in _cv_wait (cvp=0xffffffff8147a500,
> > lock=0xffffffff8147a480) at /usr/src/sys/kern/kern_condvar.c:139
> > #4  0xffffffff808fb05f in vmem_xalloc (vm=0xffffffff8147a480, size0=<value
> > optimized out>, align=<value optimized out>, phase=0, nocross=<value optimized
> > out>, minaddr=0, maxaddr=18446735286768857088, flags=8194, addrp=<value
> > optimized out>) at /usr/src/sys/kern/subr_vmem.c:1196
> > #5  0xffffffff808fae6b in vmem_alloc (vm=0x0, size=0, flags=<value optimized
> > out>, addrp=0xfffffe0466e1d6e8) at /usr/src/sys/kern/subr_vmem.c:1082
> > #6  0xffffffff80b0fa58 in kmem_malloc (vmem=0xffffffff8147a480,
> > size=2139729920, flags=2) at /usr/src/sys/vm/vm_kern.c:314
> > #7  0xffffffff80b08dfb in uma_large_malloc (size=<value optimized out>, wait=2)
> > at /usr/src/sys/vm/uma_core.c:1006
> > #8  0xffffffff80898cf3 in malloc (size=2139729920, mtp=0xffffffff813a0450,
> > flags=0) at /usr/src/sys/kern/kern_malloc.c:520
> > #9  0xffffffff8096307b in bpf_buffer_ioctl_sblen (d=0xfffff80159ea9000,
> > i=<value optimized out>) at /usr/src/sys/net/bpf_buffer.c:183
> > #10 0xffffffff80960a3c in bpfioctl (dev=0x0, cmd=<value optimized out>,
> > addr=0xfffff801fbd06b40 "", flags=0, td=0xfffff80221857000) at
> > /usr/src/sys/net/bpf.c:408
> > #11 0xffffffff807ac1df in devfs_ioctl_f (fp=0xfffff8002b3d9d20, com=3221504614,
> > data=0xfffff801fbd06b40, cred=<value optimized out>, td=0xfffff80221857000) at
> > /usr/src/sys/fs/devfs/devfs_vnops.c:757
> > #12 0xffffffff808fdfae in kern_ioctl (td=0xfffff80221857000, fd=<value
> > optimized out>, com=0) at file.h:319
> > #13 0xffffffff808fdd2f in sys_ioctl (td=0xfffff80221857000,
> > uap=0xfffffe0466e1da40) at /usr/src/sys/kern/sys_generic.c:702
> > #14 0xffffffff80c8f117 in amd64_syscall (td=0xfffff80221857000, traced=0) at
> > subr_syscall.c:134
> > #15 0xffffffff80c7580b in Xfast_syscall () at
> > /usr/src/sys/amd64/amd64/exception.S:391
> > #16 0x0000000801d8f08a in ?? ()
> > Previous frame inner to this frame (corrupt stack?)
> > 
> > 
> > Let me know if I can debug this any further.
> > 
> > /Elof
> > 
> > 
> > 
> > On Thu, 9 Oct 2014, John-Mark Gurney wrote:
> > 
> > > elof2@sentor.se wrote this message on Wed, Oct 08, 2014 at 13:30 +0200:
> > > > 
> > > > I guess this is a bug report for FreeBSD 10.0.
> > > > 
> > > > 
> > > > 
> > > > Sometimes I can't kill my snort process on FreeBSD 10.0.
> > > > It won't die, even with kill -9.
> > > > 
> > > > I'm not talking about a zombie process. Snort is a process that should
> > > > die normally.
> > > > I've run snort on over 100 nodes since FreeBSD v6.x and I've never seen
> > > > this behavior until now in FreeBSD 10.0.
> > > > 
> > > > 
> > > > Example:
> > > > 
> > > > #ps faxuw
> > > > USER      PID  %CPU %MEM    VSZ    RSS TT  STAT STARTED        TIME
> > > > COMMAND
> > > > root    49222  53.4  2.2 492648 183012  -  Rs   11:46AM     7:05.59
> > > > /usr/local/bin/snort -q -D -c snort.conf
> > > > root    47937   0.0  2.2 488552 182864  -  Ts   10:56AM    29:35.98
> > > > /usr/local/bin/snort -q -D -c snort.conf
> > > 
> > > What is the MWCHAN?  add l to the ps command...
> > > 
> > > > The pid 47937 has been killed (repeatedly) with -9.
> > > > Its status is "Ts" meaning it is Stopped.
> > > 
> > > have you tried to kill -CONT <pid> to resume it?
> > > 
> > > > But it won't actually die and disappear. The only way to get rid of it
> > > > seems to be to reboot the machine. :-(
> > > > 
> > > > (pid 49222 is the new process that was started after 47937 was killed)
> > > > 
> > > > 
> > > > The problem doesn't happen all the time and I haven't found any patterns
> > > > as to when it does. :-(
> > > > If I restart snort once every day, it fails to die approximately 2-4 times
> > > > per month.
> > > > Even though the problem doesn't happen on every kill, it is definitely a
> > > > recurring event.
> > > 
> > > Can you run kgdb on the machine? (yes, it works on a live machine), use
> > > info threads to find the thread id, and then use thread <threadid> to
> > > switch to it, and run bt to get a back trace...
> > > 
> > > > I began to see it on a heavily loaded 10GE sensor, so I thought it could
> > > > have something to do with the ix driver, or the heavy load.
> > > > But now another FreeBSD 10.0-sensor had the exact same problem, and this
> > > > sensor doesn't have any 10GE NICs. In fact, this sensor has been running
> > > > just fine with both FreeBSD 9.1 and 9.3 for the past years. Snort has
> > > > always terminated correctly! After I reinstalled this machine with FreeBSD
> > > > 10.0 last Friday, snort has then terminated correctly every day until
> > > > today, when it failed with the above pid 47937. (this sensor uses the 'em'
> > > > driver, not 'ixgbe')
> > > > 
> > > > I'm running snort with the same configuration, settings, version, daq,
> > > > libs, etc on 10.0 as I do on 9.3.
> > > > None of the 9.3 sensors have this problem, so it has to be something new
> > > > in FreeBSD 10.0.
> > > 
> > > --
> > > John-Mark Gurney                             Voice: +1 415 225 5579
> > > 
> > > "All that I will do, has been done, All that I have, has not."
> > > 
> > 
> > 
> > 
> > 
> > ------------------------------
> > 
> > Message: 4
> > Date: Fri, 17 Oct 2014 10:21:17 +0700
> > From: Muhammad Ridwan Zalbina <zalbinaridwan@gmail.com>
> > Subject: [Snort-devel] Snort and core rules
> > To: "snort-devel@lists.sourceforge.net"
> > <snort-devel@lists.sourceforge.net>
> > Message-ID: <62F37D2C-C6A5-4F47-8DA0-856B5026C483@gmail.com>
> > Content-Type: text/plain; charset=us-ascii
> > 
> > Hey, morning here, my name is M. Ridwan Zalbina and I'm a comp.eng student.
> > I want to ask something about NIDS (snort) and how to cooperate with modsecurity.
> > Is there a way to do that in the http inspect preprocessor? If so, would you tell me
> > about this?
> > 
> > 
> > ------------------------------
> > 
> > Message: 5
> > Date: Wed, 22 Oct 2014 09:16:08 -0400
> > From: Mike Cox <mike.cox52@gmail.com>
> > Subject: [Snort-devel] fast_pattern not always longest content string by default?
> > To: "snort-devel@lists.sourceforge.net"
> > <snort-devel@lists.sourceforge.net>
> > Message-ID:
> > <CANXgGSLz8UfY7L7s0CWG+eZcuR=861V2A1DQYGyizWgHvOggeg@mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> > 
> > Hi All,
> > 
> > I was looking thru some of my sigs with 'debug-print-fast-pattern' turned
> > on and noticed that the fast pattern string was not always the longest
> > content match by default.  Specifically, it appears that content matches in
> > (valid for fast_pattern) HTTP Inspect buffers (e.g. http_header, http_uri,
> > etc.) are taking priority.  For example, consider this sig:
> > 
> > alert tcp any any -> any $HTTP_PORTS (msg:"FP Test";
> > flow:established,to_server; content:"twitter.com"; http_header;
> > content:"hellow Twitter tweet"; sid:1234567;)
> > 
> > The longest content match is "hellow Twitter tweet" but when I look at the
> > fast pattern debug output, the fast pattern used is "twitter.com".
> > 
> > Having the HTTP Inspect buffers take priority makes sense because they will
> > be smaller than the entire packet and thus more efficient.  However, I do
> > not see this behavior documented in the manual which says, "the default
> > behavior of fast pattern determination is to use the longest content in the
> > rule..."
> > 
> > Can someone comment/confirm this?  It is looking like I may have to
> > review/tweak a plethora of sigs.... :(
> > 
> > Thanks!
> > 
> > -Mike Cox
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > 
> > ------------------------------
> > 
> > 
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > 
> > 
> > End of Snort-devel Digest, Vol 99, Issue 6
> > ******************************************
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
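Mike's byte_extract question and Ed's ADDER proposal from messages 1 and 2 of the quoted digest, modelled in Python as an added example (not Snort's code; the `adder` parameter is the proposed modifier, which does not exist in Snort, and the payloads are constructed):

```python
"""Model of Snort 2.9 byte_extract / byte_test arithmetic (added example, not Snort code).

byte_extract reads an integer from the payload, scales it by the optional
multiplier and stores it in a variable; byte_test compares an integer read from
the payload against a static value or such a variable.  The `adder` parameter is
the ADDER modifier proposed in the thread: hypothetical, not present in Snort,
included to show how "extracted_value1 > extracted_value2 + 12" would fold into
the extraction instead of needing an SO rule.
"""
import struct

_FMT = {1: "B", 2: "H", 4: "I"}           # unsigned widths byte_extract supports

def byte_extract(payload, size, offset, *, endian="big", multiplier=1,
                 adder=0, relative_to=0):
    """Read `size` bytes at `offset` (measured from `relative_to`, the end of the
    previous match when the rule says `relative`).  Returns
    (value, cursor_after_read), or None when the read runs off the payload."""
    start = relative_to + offset
    end = start + size
    if start < 0 or end > len(payload) or size not in _FMT:
        return None
    fmt = (">" if endian == "big" else "<") + _FMT[size]
    raw = struct.unpack(fmt, payload[start:end])[0]
    # Snort applies the multiplier before storing; `adder` is the hypothetical step.
    return raw * multiplier + adder, end

_OPS = {
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "=": lambda a, b: a == b,
    "&": lambda a, b: (a & b) != 0,
    "^": lambda a, b: (a ^ b) != 0,
}

def byte_test(payload, size, op, value, offset, *, endian="big", relative_to=0):
    """byte_test:<size>,<op>,<value>,<offset>; `value` is an int or a variable
    previously filled by byte_extract.  A read past the payload never matches."""
    got = byte_extract(payload, size, offset, endian=endian, relative_to=relative_to)
    return got is not None and _OPS[op](got[0], value)

# Constructed payloads (not from the thread): a 2-byte big-endian field at
# offset 0 (value1) and another at offset 4 (value2).
PAYLOAD_A = bytes([0x00, 0x40, 0xAA, 0xAA, 0x00, 0x20])   # value1=64, value2=32
PAYLOAD_B = bytes([0x00, 0x28, 0xAA, 0xAA, 0x00, 0x20])   # value1=40, value2=32

def evaluate(payload):
    """Return (value1 > value2, value1 > value2 + 12) for a payload.

    The first check is what a text rule can express today:
        byte_extract:2,4,value2; byte_test:2,>,value2,0;
    The second needs the +12; with the proposed modifier it would read
        byte_extract:2,4,value2,adder 12; byte_test:2,>,value2,0;
    """
    v2 = byte_extract(payload, 2, 4)
    v2_plus_12 = byte_extract(payload, 2, 4, adder=12)
    if v2 is None or v2_plus_12 is None:
        return False, False
    return (byte_test(payload, 2, ">", v2[0], 0),
            byte_test(payload, 2, ">", v2_plus_12[0], 0))

if __name__ == "__main__":
    for name, p in (("A", PAYLOAD_A), ("B", PAYLOAD_B)):
        print(name, evaluate(p))
```

Payload B is the case that separates the two checks: 40 > 32 holds, 40 > 44 does not.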
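For Mike's fast_pattern observation in message 5, an added Python linter (not Snort's own selection code) that applies the order he reports: an explicit fast_pattern wins, then HTTP Inspect buffer contents, then the longest content; it flags rules where the default choice is not the longest content. The HTTP-buffer preference is an assumption taken from his report, not from Snort's source, and RULE_EXPLICIT is a constructed variant of his rule.

```python
"""Which content becomes the fast pattern? (added example, not Snort's own code)

Snort 2.9 picks one content match per rule for the fast-pattern matcher.  The
selection order below is the one observed in the thread: explicit `fast_pattern`
first, then a content in an HTTP Inspect buffer over raw-payload content, and the
longest pattern within the chosen group.  Negated contents are never candidates.
"""

HTTP_BUFFERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_client_body", "http_cookie", "http_raw_cookie", "http_method",
    "http_stat_code", "http_stat_msg",
}

def split_options(rule):
    """Split the option body on ';', honouring quotes and backslash escapes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\") and not escaped
        cur.append(ch)
    tail = "".join(cur).strip()
    return opts + ([tail] if tail else [])

def contents(rule):
    """Each content option with the buffer and fast_pattern modifiers that follow it."""
    found = []
    for opt in split_options(rule):
        name, _, arg = opt.partition(":")
        name, arg = name.strip(), arg.strip()
        if name == "content":
            negated = arg.startswith("!")
            pattern = arg.lstrip("!").strip().strip('"')
            found.append({"pattern": pattern, "buffer": "raw",
                          "negated": negated, "explicit": False})
        elif found and name in HTTP_BUFFERS:
            found[-1]["buffer"] = name      # a modifier applies to the preceding content
        elif found and name == "fast_pattern":
            found[-1]["explicit"] = True    # fast_pattern, fast_pattern:only, fast_pattern:<off>,<len>
    return found

def pattern_length(pattern):
    """Byte length of a content string: |..| hex sections count one byte per pair."""
    n, i, in_hex = 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":
            in_hex, i = not in_hex, i + 1
        elif in_hex and ch.isspace():
            i += 1
        elif in_hex or ch == "\\":
            n, i = n + 1, i + 2         # a hex pair, or an escaped character
        else:
            n, i = n + 1, i + 1
    return n

def choose_fast_pattern(rule):
    """Return the content dict the modelled default selection picks, or None."""
    candidates = [c for c in contents(rule) if not c["negated"]]
    if not candidates:
        return None
    explicit = [c for c in candidates if c["explicit"]]
    if explicit:
        return explicit[0]
    in_http = [c for c in candidates if c["buffer"] != "raw"]
    pool = in_http or candidates
    return max(pool, key=lambda c: pattern_length(c["pattern"]))

def lint(rule):
    """Flag rules whose default fast pattern is shorter than the longest content."""
    chosen = choose_fast_pattern(rule)
    if chosen is None:
        return None
    candidates = [c for c in contents(rule) if not c["negated"]]
    longest = max(candidates, key=lambda c: pattern_length(c["pattern"]))
    return {"fast_pattern": chosen["pattern"], "buffer": chosen["buffer"],
            "longest": longest["pattern"],
            "differs": pattern_length(chosen["pattern"]) < pattern_length(longest["pattern"])}

# The rule from the thread, and a constructed variant with an explicit fast_pattern.
RULE_FROM_THREAD = (
    'alert tcp any any -> any $HTTP_PORTS (msg:"FP Test"; '
    'flow:established,to_server; content:"twitter.com"; http_header; '
    'content:"hellow Twitter tweet"; sid:1234567;)'
)
RULE_EXPLICIT = RULE_FROM_THREAD.replace('content:"hellow Twitter tweet";',
                                         'content:"hellow Twitter tweet"; fast_pattern;')

if __name__ == "__main__":
    for r in (RULE_FROM_THREAD, RULE_EXPLICIT):
        print(lint(r))
```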
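Elof's two kgdb backtraces from message 3, read programmatically as an added example (not part of the thread): parse_bt and diagnose are my own helpers, the backtrace text is copied from his post, and the reading of exit1's rv as the fatal signal is an assumption marked in the code. It shows why the kill -9 cannot complete: thread 372 sits in exit1/thread_single waiting for thread 371, which is asleep inside the kernel under an ioctl on the BPF buffer-length path (bpf_buffer_ioctl_sblen) with a 2139729920-byte allocation in its arguments.

```python
"""Parse the kgdb `bt` output from Elof's post (added example, not from the thread).
parse_bt() joins wrapped lines into frames; diagnose() reports whether a thread is
in exit1/thread_single waiting for its siblings or sleeping in the kernel, and in
the latter case where, under which syscall, and with what `size=` argument."""
import re

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+)\s*\((.*?)\)")
SYSCALL_RE = re.compile(r"^sys_(\w+)$")
# Scheduler and sleep-queue frames sit on top of the function the thread is really waiting in.
SCHED_FRAMES = {"sched_switch", "mi_switch", "sleepq_wait", "_cv_wait", "thread_suspend_switch"}

def parse_bt(text):
    """Frames start with '#'; continuation lines are appended. '?? ()' frames are dropped."""
    raw, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            if cur is not None:
                raw.append(cur)
            cur = line
        elif cur is not None and line:
            cur += " " + line
    if cur is not None:
        raw.append(cur)
    matches = (FRAME_RE.match(r) for r in raw)
    return [{"n": int(m.group(1)), "func": m.group(2), "args": m.group(3)} for m in matches if m]

def diagnose(frames):
    funcs = [f["func"] for f in frames]
    if "exit1" in funcs and "thread_single" in funcs:
        rv = re.search(r"\brv=(\d+)", next(f["args"] for f in frames if f["func"] == "exit1"))
        # Assumption: exit1's rv encodes the fatal signal in its low 7 bits (W_EXITCODE(0, sig)).
        return {"state": "exiting", "blocked_in": "thread_single", "syscall": None,
                "size": None, "signal": int(rv.group(1)) & 0x7F if rv else None}
    blocked_in = next((fn for fn in funcs if fn not in SCHED_FRAMES), None)
    syscall = next((m.group(1) for m in map(SYSCALL_RE.match, funcs) if m), None)
    sizes = [int(m.group(1)) for f in frames for m in re.finditer(r"\bsize=(\d+)", f["args"])]
    return {"state": "blocked" if blocked_in else "unknown", "blocked_in": blocked_in,
            "syscall": syscall, "size": max(sizes) if sizes else None, "signal": None}

def diagnose_process(threads):
    """threads: {thread_id: bt_text}. Returns (per-thread report, one-line verdict)."""
    report = {tid: diagnose(parse_bt(bt)) for tid, bt in threads.items()}
    exiting = [t for t, d in report.items() if d["state"] == "exiting"]
    blocked = [t for t, d in report.items() if d["state"] == "blocked"]
    if not (exiting and blocked):
        return report, "no exiting/blocked thread pair found"
    b = report[blocked[0]]
    return report, "kill cannot complete: thread %s waits in exit1 for thread %s, which sleeps in %s under %s()" % (
        exiting[0], blocked[0], b["blocked_in"], b["syscall"])

# Backtraces copied from the post; frame #0 of thread 372 is left wrapped as kgdb printed it.
BT_372 = """
#0  sched_switch (td=0xfffff802c061f490, newtd=<value optimized out>,
flags=<value optimized out>) at /usr/src/sys/kern/sched_ule.c:1962
#1  0xffffffff808b8c1e in mi_switch (flags=266, newtd=0x0) at /usr/src/sys/kern/kern_synch.c:494
#2  0xffffffff808c04b0 in thread_suspend_switch (td=0xfffff802c061f490) at /usr/src/sys/kern/kern_thread.c:883
#3  0xffffffff808c0276 in thread_single (mode=1) at /usr/src/sys/kern/kern_thread.c:713
#4  0xffffffff8087c1bb in exit1 (td=0xfffff802c061f490, rv=9) at /usr/src/sys/kern/kern_exit.c:180
#5  0xffffffff808b2faf in sigexit (td=<value optimized out>, sig=<value optimized out>) at /usr/src/sys/kern/kern_sig.c:2935
#6  0xffffffff808b3669 in postsig (sig=<value optimized out>) at /usr/src/sys/kern/kern_sig.c:2822
#7  0xffffffff808f6f57 in ast (framep=<value optimized out>) at /usr/src/sys/kern/subr_trap.c:271
#8  0xffffffff80c75870 in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:416
#9  0x0000000801d6f19a in ?? ()
"""
BT_371 = """
#0  sched_switch (td=0xfffff80221857000, newtd=<value optimized out>, flags=<value optimized out>) at /usr/src/sys/kern/sched_ule.c:1962
#1  0xffffffff808b8c1e in mi_switch (flags=260, newtd=0x0) at /usr/src/sys/kern/kern_synch.c:494
#2  0xffffffff808f2e3a in sleepq_wait (wchan=0x0, pri=0) at /usr/src/sys/kern/subr_sleepqueue.c:620
#3  0xffffffff80864aad in _cv_wait (cvp=0xffffffff8147a500, lock=0xffffffff8147a480) at /usr/src/sys/kern/kern_condvar.c:139
#4  0xffffffff808fb05f in vmem_xalloc (vm=0xffffffff8147a480, size0=<value optimized out>, align=<value optimized out>, phase=0, nocross=<value optimized out>, minaddr=0, maxaddr=18446735286768857088, flags=8194, addrp=<value optimized out>) at /usr/src/sys/kern/subr_vmem.c:1196
#5  0xffffffff808fae6b in vmem_alloc (vm=0x0, size=0, flags=<value optimized out>, addrp=0xfffffe0466e1d6e8) at /usr/src/sys/kern/subr_vmem.c:1082
#6  0xffffffff80b0fa58 in kmem_malloc (vmem=0xffffffff8147a480, size=2139729920, flags=2) at /usr/src/sys/vm/vm_kern.c:314
#7  0xffffffff80b08dfb in uma_large_malloc (size=<value optimized out>, wait=2) at /usr/src/sys/vm/uma_core.c:1006
#8  0xffffffff80898cf3 in malloc (size=2139729920, mtp=0xffffffff813a0450, flags=0) at /usr/src/sys/kern/kern_malloc.c:520
#9  0xffffffff8096307b in bpf_buffer_ioctl_sblen (d=0xfffff80159ea9000, i=<value optimized out>) at /usr/src/sys/net/bpf_buffer.c:183
#10 0xffffffff80960a3c in bpfioctl (dev=0x0, cmd=<value optimized out>, addr=0xfffff801fbd06b40 "", flags=0, td=0xfffff80221857000) at /usr/src/sys/net/bpf.c:408
#11 0xffffffff807ac1df in devfs_ioctl_f (fp=0xfffff8002b3d9d20, com=3221504614, data=0xfffff801fbd06b40, cred=<value optimized out>, td=0xfffff80221857000) at /usr/src/sys/fs/devfs/devfs_vnops.c:757
#12 0xffffffff808fdfae in kern_ioctl (td=0xfffff80221857000, fd=<value optimized out>, com=0) at file.h:319
#13 0xffffffff808fdd2f in sys_ioctl (td=0xfffff80221857000, uap=0xfffffe0466e1da40) at /usr/src/sys/kern/sys_generic.c:702
#14 0xffffffff80c8f117 in amd64_syscall (td=0xfffff80221857000, traced=0) at subr_syscall.c:134
#15 0xffffffff80c7580b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:391
#16 0x0000000801d8f08a in ?? ()
"""

if __name__ == "__main__":
    _, verdict = diagnose_process({"372": BT_372, "371": BT_371})
    print(verdict)
```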


[Attachment #5 (text/html)]

<html><head><meta http-equiv="content-type" content="text/html; \
charset=utf-8"></head><body dir="auto"><div>Not to our knowledge, \
no.&nbsp;<br><br>--<div>Joel Esler</div><div>iPhone</div></div><div><br>On Oct 22, \
2014, at 06:55, Muhammad Ridwan Zalbina &lt;<a \
href="mailto:zalbinaridwan@gmail.com">zalbinaridwan@gmail.com</a>&gt; \
wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="Content-Type" \
content="text/html; charset=utf-8"><div dir="ltr"><div><div><div><div><div>Hello \
snort developers, sorry for "ASKING"<br></div>Is there a way to programed or modify \
snort preprocessor and combine it with modsecurity core rules set (CRS) \
??<br><br></div>Thanks !! <br></div>Can somone tell me about this ... \
<br></div><br></div>-M. Ridwan Zalbina<br></div><div class="gmail_extra"><br><div \
class="gmail_quote">On Wed, Oct 22, 2014 at 8:16 PM,  <span dir="ltr">&lt;<a \
href="mailto:snort-devel-request@lists.sourceforge.net" \
target="_blank">snort-devel-request@lists.sourceforge.net</a>&gt;</span> \
wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px \
#ccc solid;padding-left:1ex">Send Snort-devel mailing list submissions to<br> &nbsp; \
&nbsp; &nbsp; &nbsp; <a \
href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a><br>
 <br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
&nbsp; &nbsp; &nbsp; &nbsp; <a \
href="https://lists.sourceforge.net/lists/listinfo/snort-devel" \
target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-devel</a><br> or, \
via email, send a message with subject or body 'help' to<br> &nbsp; &nbsp; &nbsp; \
&nbsp; <a href="mailto:snort-devel-request@lists.sourceforge.net">snort-devel-request@lists.sourceforge.net</a><br>
 <br>
You can reach the person managing the list at<br>
&nbsp; &nbsp; &nbsp; &nbsp; <a \
href="mailto:snort-devel-owner@lists.sourceforge.net">snort-devel-owner@lists.sourceforge.net</a><br>
 <br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Snort-devel digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
&nbsp; &nbsp;1. byte_extract addition? (Mike Cox)<br>
&nbsp; &nbsp;2. Re: byte_extract addition? (Ed Borgoyn (eborgoyn))<br>
&nbsp; &nbsp;3. Re: Unable to kill a non-zombie process with -9 (fwd)<br>
&nbsp; &nbsp; &nbsp; (<a href="mailto:elof2@sentor.se">elof2@sentor.se</a>)<br>
&nbsp; &nbsp;4. Snort and core rules (Muhammad Ridwan Zalbina)<br>
&nbsp; &nbsp;5. fast_pattern not always longest content string by default?<br>
&nbsp; &nbsp; &nbsp; (Mike Cox)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 9 Oct 2014 13:22:31 -0400<br>
From: Mike Cox &lt;<a \
                href="mailto:mike.cox52@gmail.com">mike.cox52@gmail.com</a>&gt;<br>
Subject: [Snort-devel] byte_extract addition?<br>
To: "<a href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>"<br>
 &nbsp; &nbsp; &nbsp; &nbsp; &lt;<a \
href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>&gt;<br>
 Message-ID:<br>
&nbsp; &nbsp; &nbsp; &nbsp; &lt;CANXgGSJip-=zeFDqL8xZ1Yw1tLC4i=<a \
href="mailto:QB2ZpSYduz8ouG_-XGLA@mail.gmail.com">QB2ZpSYduz8ouG_-XGLA@mail.gmail.com</a>&gt;<br>
                
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi Snort-Dev,<br>
<br>
I have come across a few situations in the past few weeks where it would be<br>
useful to be able to do simple addition in rules without having to write a<br>
SO rule.&nbsp; I know that Snort has the byte_extract functionality and you can<br>
provide a multiplier value to the extracted bytes before it gets stored in<br>
the variable.&nbsp; However, Are there any plans or thoughts that would allow<br>
addition (similar to multiplier) of static values (or variables from<br>
byte_extract) that would be applied to the extracted bytes before being<br>
stored in the variable?<br>
<br>
Or could byte_test be expanded to include simple addition?&nbsp; For example, a<br>
byte_test that checks if extracted_value1 &gt; extracted_value2 + 12.<br>
<br>
Thanks.<br>
<br>
-Mike Cox<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Thu, 9 Oct 2014 18:44:04 +0000<br>
From: "Ed Borgoyn (eborgoyn)" &lt;<a \
                href="mailto:eborgoyn@cisco.com">eborgoyn@cisco.com</a>&gt;<br>
Subject: Re: [Snort-devel] byte_extract addition?<br>
To: Mike Cox &lt;<a href="mailto:mike.cox52@gmail.com">mike.cox52@gmail.com</a>&gt;,<br>
 &nbsp; &nbsp; &nbsp; &nbsp; "<a \
href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>"<br>
 &nbsp; &nbsp; &nbsp; &nbsp; &lt;<a \
href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>&gt;<br>
                
Message-ID: &lt;<a href="mailto:D05C4D8C.1D9CD%25eborgoyn@cisco.com">D05C4D8C.1D9CD%eborgoyn@cisco.com</a>&gt;<br>
                
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Hello Mike,<br>
&nbsp; Thank you for the Snort improvement recommendation.&nbsp; Of your two options, \
I would vote to add an ADDER modifier to byte_extract to accompany the MULTIPLIER \
modifier.<br> <br>
&nbsp; I will vet the concept with the team.&nbsp; If appropriate I will place it on \
the Snort new feature list.&nbsp; (And provide you with the proper attribution.)<br> \
<br> &nbsp; &nbsp; Best Regards,<br>
&nbsp; &nbsp; Ed&nbsp; Borgoyn, The Snort Development Team @Cisco<br>
<br>
<br>
From: Mike Cox &lt;<a \
href="mailto:mike.cox52@gmail.com">mike.cox52@gmail.com</a>&lt;mailto:<a \
                href="mailto:mike.cox52@gmail.com">mike.cox52@gmail.com</a>&gt;&gt;<br>
                
Date: Thursday, October 9, 2014 at 1:22 PM<br>
To: "<a href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>&lt;mailto:<a \
href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>&gt;" \
&lt;<a href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>&lt;mailto:<a \
href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>&gt;&gt;<br>
                
Subject: [Snort-devel] byte_extract addition?<br>
<br>
Hi Snort-Dev,<br>
<br>
I have come across a few situations in the past few weeks where it would be useful to \
be able to do simple addition in rules without having to write a SO rule.&nbsp; I \
know that Snort has the byte_extract functionality and you can provide a multiplier \
value to the extracted bytes before it gets stored in the variable.&nbsp; However, \
Are there any plans or thoughts that would allow addition (similar to multiplier) of \
static values (or variables from byte_extract) that would be applied to the extracted \
bytes before being stored in the variable?<br> <br>
Or could byte_test be expanded to include simple addition?&nbsp; For example, a \
byte_test that checks if extracted_value1 &gt; extracted_value2 + 12.<br> <br>
Thanks.<br>
<br>
-Mike Cox<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Wed, 15 Oct 2014 14:21:44 +0200 (CEST)<br>
From: <a href="mailto:elof2@sentor.se">elof2@sentor.se</a><br>
Subject: Re: [Snort-devel] Unable to kill a non-zombie process with -9<br>
&nbsp; &nbsp; &nbsp; &nbsp; (fwd)<br>
To: snort-devel mailinglist &lt;<a \
href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>&gt;<br>
 Message-ID:<br>
&nbsp; &nbsp; &nbsp; &nbsp; &lt;<a \
href="mailto:alpine.BSF.2.00.1410151419080.33062@farmermaggot.shire.sentor.se">alpine.BSF.2.00.1410151419080.33062@farmermaggot.shire.sentor.se</a>&gt;<br>
                
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed<br>
<br>
<br>
Oops, this message didn't make it into the snort-devel list since I wasn't<br>
registered.<br>
<br>
Here's a copy.<br>
<br>
See question 1 below. Is the problem located in snort, in FreeBSD 10.0 or<br>
a combination of the two?<br>
<br>
/Elof<br>
<br>
<br>
---------- Forwarded message ----------<br>
From: <a href="mailto:elof2@sentor.se">elof2@sentor.se</a><br>
To: John-Mark Gurney &lt;<a \
                href="mailto:jmg@funkthat.com">jmg@funkthat.com</a>&gt;<br>
Cc: freebsd-net &lt;<a \
href="mailto:freebsd-net@freebsd.org">freebsd-net@freebsd.org</a>&gt;,<br> &nbsp; \
&nbsp; &nbsp;snort-devel mailinglist &lt;<a \
href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>&gt;<br>
                
Date: Wed, 15 Oct 2014 11:41:33 +0200 (CEST)<br>
Subject: Re: Unable to kill a non-zombie process with -9<br>
In-Reply-To: &lt;<a href="mailto:20141009222926.GC1852@funkthat.com">20141009222926.GC1852@funkthat.com</a>&gt;<br>
                
References: &lt;<a href="mailto:alpine.BSF.2.00.1410081310340.39263@farmermaggot.shire \
.sentor.se">alpine.BSF.2.00.1410081310340.39263@farmermaggot.shire.sentor.se</a>&gt;<br>
 &nbsp; &nbsp; &nbsp;&lt;<a \
href="mailto:20141009222926.GC1852@funkthat.com">20141009222926.GC1852@funkthat.com</a>&gt;<br>
 <br>
<br>
Hi!<br>
<br>
Today the problem reoccurred.<br>
I've now debugged the problem a little furter.<br>
<br>
I'm starting snort (as root).<br>
<br>
&lt;&lt;&lt;lots of startup logs for pid 22646&gt;&gt;&gt;<br>
Oct 15 08:46:59 snort[22646]: Initializing daemon mode<br>
Oct 15 08:46:59 snort[22648]: Daemon initialized, signaled parent pid: 22646<br>
Oct 15 08:46:59 snort[22648]: Reload thread starting...<br>
Oct 15 08:46:59 snort[22648]: Reload thread started, thread 0x8146e8800 (22648)<br>
End of log.<br>
<br>
Error! Nothing more happens with the snort process!<br>
Normally it should continue and log these lines as well:<br>
<br>
<br>
snort[nnn]: Decoding Ethernet<br>
snort[nnn]: Checking PID path...<br>
snort[nnn]: PID path stat checked out ok, PID path set to /var/run/<br>
snort[nnn]: Writing PID "7627" to file "/var/run//snort_mon0.pid"<br>
snort[nnn]: Chroot directory = /usr/foobar/log<br>
snort[nnn]: Set gid to 100<br>
snort[nnn]: Set uid to 100<br>
snort[nnn]:<br>
snort[nnn]:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;--== Initialization Complete ==--<br>
snort[nnn]: Commencing packet processing (pid=nnn)<br>
<br>
<br>
<br>
<br>
<br>
When looking at this half-started snort process with 'ps', it looks like this:<br>
<br>
ps faxulwwj 22648<br>
USER&nbsp; &nbsp;PID %CPU %MEM&nbsp; &nbsp; VSZ&nbsp; &nbsp; RSS TT&nbsp; STAT STARTED&nbsp; &nbsp; &nbsp;TIME COMMAND UID PPID<br>
CPU PRI NI MWCHAN&nbsp; PGID&nbsp; &nbsp;SID JOBC<br>
root 22648 51.8&nbsp; 1.1 488552 179344&nbsp; -&nbsp; Rs&nbsp; &nbsp; 8:46AM 53:06.52 /usr/local/bin/s<br>
0&nbsp; &nbsp; 1&nbsp; &nbsp;0&nbsp; 88&nbsp; 0 -&nbsp; &nbsp; &nbsp; 22648 22648&nbsp; &nbsp; 0<br>
<br>
<br>
The process is still owned by root, so just as the missing log lines are<br>
saying, it has not yet performed any change of uid/gid.<br>
<br>
<br>
<br>
<br>
So there seem to be two questions.<br>
<br>
Q1)<br>
What happens between "Reload thread started, thread 0x8146e8800 (22648)" and<br>
"Decoding Ethernet"?<br>
Apparently something goes wrong here on FreeBSD 10.0.<br>
(This problem does not always occur; sometimes snort starts just fine.)<br>
<br>
Q2)<br>
When the process has frozen in this half-started state, it can't be killed even<br>
with a -9. Why?<br>
<br>
<br>
<br>
<br>
John-Mark asked me for some debugging info. Here it is:<br>
<br>
I now run 'kill 22648' on the above semi-started process:<br>
<br>
&nbsp; &nbsp; &nbsp;USER&nbsp; &nbsp;PID %CPU %MEM&nbsp; &nbsp; VSZ&nbsp; &nbsp; RSS TT&nbsp; STAT STARTED&nbsp; &nbsp; &nbsp;TIME COMMAND UID<br>
PPID CPU PRI NI MWCHAN&nbsp; PGID&nbsp; &nbsp;SID JOBC<br>
old root 22648 51.8&nbsp; 1.1 488552 179344&nbsp; -&nbsp; Rs&nbsp; &nbsp; 8:46AM 53:06.52<br>
/usr/local/bin/s&nbsp; &nbsp;0&nbsp; &nbsp; 1&nbsp; &nbsp;0&nbsp; 88&nbsp; 0 -&nbsp; &nbsp; &nbsp; 22648 22648&nbsp; &nbsp; 0<br>
new root 22648 52.3&nbsp; 1.1 488552 179344&nbsp; -&nbsp; Rs&nbsp; &nbsp; 8:46AM 53:36.48<br>
/usr/local/bin/s&nbsp; &nbsp;0&nbsp; &nbsp; 1&nbsp; &nbsp;0&nbsp; 52&nbsp; 0 -&nbsp; &nbsp; &nbsp; 22648 22648&nbsp; &nbsp; 0<br>
<br>
No change.<br>
<br>
<br>
<br>
kill -9 22648<br>
<br>
&nbsp; &nbsp; &nbsp;USER&nbsp; &nbsp;PID %CPU %MEM&nbsp; &nbsp; VSZ&nbsp; &nbsp; RSS TT&nbsp; STAT STARTED&nbsp; &nbsp; &nbsp;TIME COMMAND UID<br>
PPID CPU PRI NI MWCHAN&nbsp; PGID&nbsp; &nbsp;SID JOBC<br>
old root 22648 51.8&nbsp; 1.1 488552 179344&nbsp; -&nbsp; Rs&nbsp; &nbsp; 8:46AM 53:06.52<br>
/usr/local/bin/s&nbsp; &nbsp;0&nbsp; &nbsp; 1&nbsp; &nbsp;0&nbsp; 88&nbsp; 0 -&nbsp; &nbsp; &nbsp; 22648 22648&nbsp; &nbsp; 0<br>
new root 22648 37.7&nbsp; 1.1 488552 179344&nbsp; -&nbsp; Ts&nbsp; &nbsp; 8:46AM 53:50.87<br>
/usr/local/bin/s&nbsp; &nbsp;0&nbsp; &nbsp; 1&nbsp; &nbsp;0&nbsp; 52&nbsp; 0 -&nbsp; &nbsp; &nbsp; 22648 22648&nbsp; &nbsp; 0<br>
<br>
Less CPU-usage and STAT changed to "Ts".<br>
<br>
<br>
<br>
<br>
kill -CONT 22648<br>
<br>
&nbsp; &nbsp; &nbsp;USER&nbsp; &nbsp;PID %CPU %MEM&nbsp; &nbsp; VSZ&nbsp; &nbsp; RSS TT&nbsp; STAT STARTED&nbsp; &nbsp; &nbsp;TIME COMMAND UID<br>
PPID CPU PRI NI MWCHAN&nbsp; PGID&nbsp; &nbsp;SID JOBC<br>
old root 22648 51.8&nbsp; 1.1 488552 179344&nbsp; -&nbsp; Rs&nbsp; &nbsp; 8:46AM 53:06.52<br>
/usr/local/bin/s&nbsp; &nbsp;0&nbsp; &nbsp; 1&nbsp; &nbsp;0&nbsp; 88&nbsp; 0 -&nbsp; &nbsp; &nbsp; 22648 22648&nbsp; &nbsp; 0<br>
new root 22648&nbsp; 0.0&nbsp; 1.1 488552 179344&nbsp; -&nbsp; Ts&nbsp; &nbsp; 8:46AM 53:50.88<br>
/usr/local/bin/s&nbsp; &nbsp;0&nbsp; &nbsp; 1&nbsp; &nbsp;0&nbsp; 52&nbsp; 0 -&nbsp; &nbsp; &nbsp; 22648 22648&nbsp; &nbsp; 0<br>
<br>
No change except cpu is down to 0.<br>
<br>
<br>
I now start 'kgdb'<br>
info threads<br>
I found two threads for snort, doing a bt for both of them:<br>
&nbsp; &nbsp;372 Thread 100602 (PID=22648: snort)&nbsp; sched_switch (td=0xfffff802c061f490,<br>
newtd=&lt;value optimized out&gt;, flags=&lt;value optimized out&gt;) at<br>
/usr/src/sys/kern/sched_ule.c:1962<br>
&nbsp; &nbsp;371 Thread 100598 (PID=22648: snort)&nbsp; sched_switch (td=0xfffff80221857000,<br>
newtd=&lt;value optimized out&gt;, flags=&lt;value optimized out&gt;) at<br>
/usr/src/sys/kern/sched_ule.c:1962<br>
thread 372<br>
[Switching to thread 372 (Thread 100602)]#0&nbsp; sched_switch<br>
(td=0xfffff802c061f490, newtd=&lt;value optimized out&gt;, flags=&lt;value optimized<br>
out&gt;) at /usr/src/sys/kern/sched_ule.c:1962<br>
1962&nbsp; &nbsp; in /usr/src/sys/kern/sched_ule.c<br>
bt<br>
#0&nbsp; sched_switch (td=0xfffff802c061f490, newtd=&lt;value optimized out&gt;,<br>
flags=&lt;value optimized out&gt;) at /usr/src/sys/kern/sched_ule.c:1962<br>
#1&nbsp; 0xffffffff808b8c1e in mi_switch (flags=266, newtd=0x0) at<br>
/usr/src/sys/kern/kern_synch.c:494<br>
#2&nbsp; 0xffffffff808c04b0 in thread_suspend_switch (td=0xfffff802c061f490) at<br>
/usr/src/sys/kern/kern_thread.c:883<br>
#3&nbsp; 0xffffffff808c0276 in thread_single (mode=1) at<br>
/usr/src/sys/kern/kern_thread.c:713<br>
#4&nbsp; 0xffffffff8087c1bb in exit1 (td=0xfffff802c061f490, rv=9) at<br>
/usr/src/sys/kern/kern_exit.c:180<br>
#5&nbsp; 0xffffffff808b2faf in sigexit (td=&lt;value optimized out&gt;, sig=&lt;value<br>
optimized out&gt;) at /usr/src/sys/kern/kern_sig.c:2935<br>
#6&nbsp; 0xffffffff808b3669 in postsig (sig=&lt;value optimized out&gt;) at<br>
/usr/src/sys/kern/kern_sig.c:2822<br>
#7&nbsp; 0xffffffff808f6f57 in ast (framep=&lt;value optimized out&gt;) at<br>
/usr/src/sys/kern/subr_trap.c:271<br>
#8&nbsp; 0xffffffff80c75870 in Xfast_syscall () at<br>
/usr/src/sys/amd64/amd64/exception.S:416<br>
#9&nbsp; 0x0000000801d6f19a in ?? ()<br>
Previous frame inner to this frame (corrupt stack?)<br>
<br>
<br>
thread 371<br>
[Switching to thread 371 (Thread 100598)]#0&nbsp; sched_switch<br>
(td=0xfffff80221857000, newtd=&lt;value optimized out&gt;, flags=&lt;value optimized<br>
out&gt;) at /usr/src/sys/kern/sched_ule.c:1962<br>
1962&nbsp; &nbsp; in /usr/src/sys/kern/sched_ule.c<br>
bt<br>
#0&nbsp; sched_switch (td=0xfffff80221857000, newtd=&lt;value optimized out&gt;,<br>
flags=&lt;value optimized out&gt;) at /usr/src/sys/kern/sched_ule.c:1962<br>
#1&nbsp; 0xffffffff808b8c1e in mi_switch (flags=260, newtd=0x0) at<br>
/usr/src/sys/kern/kern_synch.c:494<br>
#2&nbsp; 0xffffffff808f2e3a in sleepq_wait (wchan=0x0, pri=0) at<br>
/usr/src/sys/kern/subr_sleepqueue.c:620<br>
#3&nbsp; 0xffffffff80864aad in _cv_wait (cvp=0xffffffff8147a500,<br>
lock=0xffffffff8147a480) at /usr/src/sys/kern/kern_condvar.c:139<br>
#4&nbsp; 0xffffffff808fb05f in vmem_xalloc (vm=0xffffffff8147a480, size0=&lt;value<br>
optimized out&gt;, align=&lt;value optimized out&gt;, phase=0, nocross=&lt;value optimized<br>
out&gt;, minaddr=0, maxaddr=18446735286768857088, flags=8194, addrp=&lt;value<br>
optimized out&gt;) at /usr/src/sys/kern/subr_vmem.c:1196<br>
#5&nbsp; 0xffffffff808fae6b in vmem_alloc (vm=0x0, size=0, flags=&lt;value optimized<br>
out&gt;, addrp=0xfffffe0466e1d6e8) at /usr/src/sys/kern/subr_vmem.c:1082<br>
#6&nbsp; 0xffffffff80b0fa58 in kmem_malloc (vmem=0xffffffff8147a480,<br>
size=2139729920, flags=2) at /usr/src/sys/vm/vm_kern.c:314<br>
#7&nbsp; 0xffffffff80b08dfb in uma_large_malloc (size=&lt;value optimized out&gt;, wait=2)<br>
at /usr/src/sys/vm/uma_core.c:1006<br>
#8&nbsp; 0xffffffff80898cf3 in malloc (size=2139729920, mtp=0xffffffff813a0450,<br>
flags=0) at /usr/src/sys/kern/kern_malloc.c:520<br>
#9&nbsp; 0xffffffff8096307b in bpf_buffer_ioctl_sblen (d=0xfffff80159ea9000,<br>
i=&lt;value optimized out&gt;) at /usr/src/sys/net/bpf_buffer.c:183<br>
#10 0xffffffff80960a3c in bpfioctl (dev=0x0, cmd=&lt;value optimized out&gt;,<br>
addr=0xfffff801fbd06b40 "", flags=0, td=0xfffff80221857000) at<br>
/usr/src/sys/net/bpf.c:408<br>
#11 0xffffffff807ac1df in devfs_ioctl_f (fp=0xfffff8002b3d9d20, com=3221504614,<br>
data=0xfffff801fbd06b40, cred=&lt;value optimized out&gt;, td=0xfffff80221857000) at<br>
/usr/src/sys/fs/devfs/devfs_vnops.c:757<br>
#12 0xffffffff808fdfae in kern_ioctl (td=0xfffff80221857000, fd=&lt;value<br>
optimized out&gt;, com=0) at file.h:319<br>
#13 0xffffffff808fdd2f in sys_ioctl (td=0xfffff80221857000,<br>
uap=0xfffffe0466e1da40) at /usr/src/sys/kern/sys_generic.c:702<br>
#14 0xffffffff80c8f117 in amd64_syscall (td=0xfffff80221857000, traced=0) at<br>
subr_syscall.c:134<br>
#15 0xffffffff80c7580b in Xfast_syscall () at<br>
/usr/src/sys/amd64/amd64/exception.S:391<br>
#16 0x0000000801d8f08a in ?? ()<br>
Previous frame inner to this frame (corrupt stack?)<br>
<br>
<br>
Let me know if I can debug this any further.<br>
<br>
/Elof<br>
<br>
<br>
<br>
On Thu, 9 Oct 2014, John-Mark Gurney wrote:<br>
<br>
&gt; <a href="mailto:elof2@sentor.se">elof2@sentor.se</a> wrote this message on Wed, \
Oct 08, 2014 at 13:30 +0200:<br> &gt;&gt;<br>
&gt;&gt; I guess this is a bug report for FreeBSD 10.0.<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; Sometimes I can't kill my snort process on FreeBSD 10.0.<br>
&gt;&gt; It won't die, even with kill -9.<br>
&gt;&gt;<br>
&gt;&gt; I'm not talking about a zombie process. Snort is a process that should<br>
&gt;&gt; die normally.<br>
&gt;&gt; I've run snort on over 100 nodes since FreeBSD v6.x and I've never seen<br>
&gt;&gt; this behavior until now in FreeBSD 10.0.<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; Example:<br>
&gt;&gt;<br>
&gt;&gt; #ps faxuw<br>
&gt;&gt; USER&nbsp; &nbsp; &nbsp; PID&nbsp; %CPU %MEM&nbsp; &nbsp; VSZ&nbsp; &nbsp; RSS TT&nbsp; STAT STARTED&nbsp; &nbsp; &nbsp; &nbsp; TIME<br>
&gt;&gt; COMMAND<br>
&gt;&gt; root&nbsp; &nbsp; 49222&nbsp; 53.4&nbsp; 2.2 492648 183012&nbsp; -&nbsp; Rs&nbsp; &nbsp;11:46AM&nbsp; &nbsp; &nbsp;7:05.59<br>
&gt;&gt; /usr/local/bin/snort -q -D -c snort.conf<br>
&gt;&gt; root&nbsp; &nbsp; 47937&nbsp; &nbsp;0.0&nbsp; 2.2 488552 182864&nbsp; -&nbsp; Ts&nbsp; &nbsp;10:56AM&nbsp; &nbsp; 29:35.98<br>
&gt;&gt; /usr/local/bin/snort -q -D -c snort.conf<br>
&gt;<br>
&gt; What is the MWCHAN?&nbsp; add l to the ps command...<br>
&gt;<br>
&gt;&gt; The pid 47937 has been killed (repeatedly) with -9.<br>
&gt;&gt; Its status is "Ts" meaning it is Stopped.<br>
&gt;<br>
&gt; have you tried to kill -CONT &lt;pid&gt; to resume it?<br>
&gt;<br>
&gt;&gt; But it won't actually die and disappear. The only way to get rid of it<br>
&gt;&gt; seems to be to reboot the machine. :-(<br>
&gt;&gt;<br>
&gt;&gt; (pid 49222 is the new process that was started after 47937 was killed)<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; The problem doesn't happen all the time and I haven't found any patterns<br>
&gt;&gt; as to when it does. :-(<br>
&gt;&gt; If I restart snort once every day, it fails to die approximately 2-4 times<br>
&gt;&gt; per month.<br>
&gt;&gt; Even though the problem doesn't happen on every kill, it is definitely a<br>
&gt;&gt; recurring event.<br>
&gt;<br>
&gt; Can you run kgdb on the machine? (yes, it works on a live machine), use<br>
&gt; info threads to find the thread id, and then use thread &lt;threadid&gt; to<br>
&gt; switch to it, and run bt to get a back trace...<br>
&gt;<br>
&gt;&gt; I began to see it on a heavily loaded 10GE sensor, so I thought it could<br>
&gt;&gt; have something to do with the ix driver, or the heavy load.<br>
&gt;&gt; But now another FreeBSD 10.0-sensor had the exact same problem, and this<br>
&gt;&gt; sensor doesn't have any 10GE NICs. In fact, this sensor has been running<br>
&gt;&gt; just fine with both FreeBSD 9.1 and 9.3 for the past years. Snort has<br>
&gt;&gt; always terminated correctly! After I reinstalled this machine with FreeBSD<br>
&gt;&gt; 10.0 last Friday, snort has then terminated correctly every day until<br>
&gt;&gt; today, when it failed with the above pid 47937. (This sensor uses the 'em'<br>
&gt;&gt; driver, not 'ixgbe'.)<br>
&gt;&gt;<br>
&gt;&gt; I'm running snort with the same configuration, settings, version, daq,<br>
&gt;&gt; libs, etc on 10.0 as I do on 9.3.<br>
&gt;&gt; None of the 9.3 sensors have this problem, so it has to be something new<br>
&gt;&gt; in FreeBSD 10.0.<br>
&gt;<br>
&gt; --<br>
&gt;&nbsp; John-Mark Gurney&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Voice: +1 415 225 5579<br>
&gt;<br>
&gt;&nbsp; &nbsp; &nbsp;"All that I will do, has been done, All that I have, has not."<br>
&gt;<br>
<br>
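Reading the two backtraces above together (my reading, offered as an added example and not part of Elof's mail): thread 372 is handling the kill -9, having entered exit1 from sigexit and now sitting in thread_single waiting for the process's other thread to stop, while thread 371 is inside a bpf ioctl, asleep in _cv_wait under vmem_xalloc while kmem_malloc tries to satisfy a 2139729920-byte request. As long as that allocation does not return, the exit path cannot complete, which is what a SIGKILL that "does nothing" looks like from user space. The Python below is an example triage script, not FreeBSD or Snort code, that parses kgdb output of this shape and extracts exactly those facts; the sample traces are the mail's own frames re-joined onto one line each, with some frames omitted, and the summary wording is mine.<br>

```python
"""Triage helper for kgdb 'bt' output like the two traces in the mail.
Added example; not part of the original post or of FreeBSD/Snort.
For each thread it records which kernel functions the thread is in and
pulls out what matters when a process ignores SIGKILL: the thread on the
exit path (exit1/thread_single, with the signal number from rv=...), and
what any other thread is blocked in, including the size argument of a
malloc frame in flight."""
import re
import signal

# Constructed sample: frames copied from the mail, re-joined onto one line
# per frame; some frames of each trace are omitted for brevity.
SAMPLE_BT = """\
thread 372
#0  sched_switch (td=0xfffff802c061f490, newtd=<value optimized out>, flags=<value optimized out>) at /usr/src/sys/kern/sched_ule.c:1962
#1  0xffffffff808b8c1e in mi_switch (flags=266, newtd=0x0) at /usr/src/sys/kern/kern_synch.c:494
#2  0xffffffff808c04b0 in thread_suspend_switch (td=0xfffff802c061f490) at /usr/src/sys/kern/kern_thread.c:883
#3  0xffffffff808c0276 in thread_single (mode=1) at /usr/src/sys/kern/kern_thread.c:713
#4  0xffffffff8087c1bb in exit1 (td=0xfffff802c061f490, rv=9) at /usr/src/sys/kern/kern_exit.c:180
#5  0xffffffff808b2faf in sigexit (td=<value optimized out>, sig=<value optimized out>) at /usr/src/sys/kern/kern_sig.c:2935
#6  0xffffffff808b3669 in postsig (sig=<value optimized out>) at /usr/src/sys/kern/kern_sig.c:2822
thread 371
#0  sched_switch (td=0xfffff80221857000, newtd=<value optimized out>, flags=<value optimized out>) at /usr/src/sys/kern/sched_ule.c:1962
#1  0xffffffff808b8c1e in mi_switch (flags=260, newtd=0x0) at /usr/src/sys/kern/kern_synch.c:494
#2  0xffffffff808f2e3a in sleepq_wait (wchan=0x0, pri=0) at /usr/src/sys/kern/subr_sleepqueue.c:620
#3  0xffffffff80864aad in _cv_wait (cvp=0xffffffff8147a500, lock=0xffffffff8147a480) at /usr/src/sys/kern/kern_condvar.c:139
#6  0xffffffff80b0fa58 in kmem_malloc (vmem=0xffffffff8147a480, size=2139729920, flags=2) at /usr/src/sys/vm/vm_kern.c:314
#8  0xffffffff80898cf3 in malloc (size=2139729920, mtp=0xffffffff813a0450, flags=0) at /usr/src/sys/kern/kern_malloc.c:520
#9  0xffffffff8096307b in bpf_buffer_ioctl_sblen (d=0xfffff80159ea9000, i=<value optimized out>) at /usr/src/sys/net/bpf_buffer.c:183
#10 0xffffffff80960a3c in bpfioctl (dev=0x0, cmd=<value optimized out>, addr=0xfffff801fbd06b40 "", flags=0, td=0xfffff80221857000) at /usr/src/sys/net/bpf.c:408
#13 0xffffffff808fdd2f in sys_ioctl (td=0xfffff80221857000, uap=0xfffffe0466e1da40) at /usr/src/sys/kern/sys_generic.c:702
"""

THREAD_RE = re.compile(r"^thread (\d+)\s*$")
# "#N  [0xADDR in ]func (args) at file:line"; the address is absent for frame 0.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+)\s*\((.*)\)\s+at\s+(\S+)\s*$")
# Scheduler and sleep-queue plumbing; skipped when naming where a thread waits.
SCHED_FRAMES = {"sched_switch", "mi_switch", "sleepq_wait", "thread_suspend_switch"}

def parse_backtraces(text):
    """Map thread id -> list of (function, argument string, file:line), innermost first."""
    threads, current = {}, None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = m.group(1)
            threads[current] = []
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            threads[current].append((m.group(2), m.group(3), m.group(4)))
    return threads

def triage(threads):
    """Per thread: on the exit path? asleep in the kernel? which syscall? any malloc size?"""
    report = {}
    for tid, frames in threads.items():
        funcs = [f for f, _, _ in frames]
        info = {"funcs": funcs, "exiting": "exit1" in funcs,
                "single_threading": "thread_single" in funcs,
                "sleeping": bool({"sleepq_wait", "_cv_wait"} & set(funcs)),
                "signal": None, "syscall": None, "malloc_size": None}
        for func, args, _ in frames:
            if func == "exit1":
                m = re.search(r"\brv=(\d+)", args)
                if m:                      # rv=9 in the mail matches the kill -9 sent
                    info["signal"] = int(m.group(1)) & 0x7f
            elif func == "malloc":
                m = re.search(r"\bsize=(\d+)", args)
                if m:
                    info["malloc_size"] = int(m.group(1))
            elif func.startswith("sys_"):
                info["syscall"] = func[len("sys_"):]
        report[tid] = info
    return report

def summarize(report):
    """One line per thread, in a form that can go straight into a bug report."""
    lines = []
    for tid, info in report.items():
        if info["exiting"]:
            try:
                signame = signal.Signals(info["signal"]).name
            except (ValueError, TypeError):
                signame = f"signal {info['signal']}"
            wait = (", waiting in thread_single for the other thread(s) to stop"
                    if info["single_threading"] else "")
            lines.append(f"thread {tid}: exiting on {signame}{wait}")
            continue
        where = next((f for f in info["funcs"] if f not in SCHED_FRAMES), "?")
        state = "sleeping" if info["sleeping"] else "running"
        extra = (f", kernel malloc of {info['malloc_size']} bytes in flight"
                 if info["malloc_size"] else "")
        lines.append(f"thread {tid}: {state} in {where} inside "
                     f"{info['syscall'] or 'unknown'} syscall{extra}")
    return lines

if __name__ == "__main__":
    for line in summarize(triage(parse_backtraces(SAMPLE_BT))):
        print(line)
```

The size it reports is the number worth leading with in a report like Elof's: a BPF buffer length request of that magnitude, visible in the bpf_buffer_ioctl_sblen frame, is what the allocation is waiting on, and the same script run over a healthy snort's threads would show no exit1 frame and no multi-gigabyte malloc.<br>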
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Fri, 17 Oct 2014 10:21:17 +0700<br>
From: Muhammad Ridwan Zalbina &lt;<a href="mailto:zalbinaridwan@gmail.com">zalbinaridwan@gmail.com</a>&gt;<br>
Subject: [Snort-devel] Snort and core rules<br>
To: "<a href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>"<br>
 &nbsp; &nbsp; &nbsp; &nbsp; &lt;<a href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>&gt;<br>
Message-ID: &lt;<a href="mailto:62F37D2C-C6A5-4F47-8DA0-856B5026C483@gmail.com">62F37D2C-C6A5-4F47-8DA0-856B5026C483@gmail.com</a>&gt;<br>
                
Content-Type: text/plain;&nbsp; &nbsp; &nbsp; &nbsp;charset=us-ascii<br>
<br>
Hey, morning here. My name is M. Ridwan Zalbina and I'm a comp. eng. student.<br>
I want to ask something about NIDS (Snort) and how to cooperate with ModSecurity. Is<br>
there a way to do that in the HTTP Inspect preprocessor? If so, would you tell me about<br>
this?<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Wed, 22 Oct 2014 09:16:08 -0400<br>
From: Mike Cox &lt;<a href="mailto:mike.cox52@gmail.com">mike.cox52@gmail.com</a>&gt;<br>
Subject: [Snort-devel] fast_pattern not always longest content string by default?<br>
To: "<a href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>"<br>
 &nbsp; &nbsp; &nbsp; &nbsp; &lt;<a href="mailto:snort-devel@lists.sourceforge.net">snort-devel@lists.sourceforge.net</a>&gt;<br>
Message-ID:<br>
&nbsp; &nbsp; &nbsp; &nbsp; &lt;CANXgGSLz8UfY7L7s0CWG+eZcuR=861V2A1DQYGyizWgHvOggeg@mail.gmail.com&gt;<br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi All,<br>
<br>
I was looking through some of my sigs with 'debug-print-fast-pattern' turned<br>
on and noticed that the fast pattern string was not always the longest<br>
content match by default.&nbsp; Specifically, it appears that content matches in<br>
(valid for fast_pattern) HTTP Inspect buffers (e.g. http_header, http_uri,<br>
etc.) are taking priority.&nbsp; For example, consider this sig:<br>
<br>
alert tcp any any -&gt; any $HTTP_PORTS (msg:"FP Test";<br>
flow:established,to_server; content:"twitter.com"; http_header;<br>
content:"hellow Twitter tweet"; sid:1234567;)<br>
<br>
The longest content match is "hellow Twitter tweet" but when I look at the<br>
fast pattern debug output, the fast pattern used is "twitter.com".<br>
<br>
Having the HTTP Inspect buffers take priority makes sense because they will<br>
be smaller than the entire packet and thus more efficient.&nbsp; However, I do<br>
not see this behavior documented in the manual which says, "the default<br>
behavior of fast pattern determination is to use the longest content in the<br>
rule..."<br>
<br>
Can someone comment/confirm this?&nbsp; It is looking like I may have to<br>
review/tweak a plethora of sigs.... :(<br>
<br>
Thanks!<br>
<br>
-Mike Cox<br>
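The selection Mike describes, modelled in Python as an added example. This is not Snort's code, and the preference order below is an assumption built from the behaviour reported in the mail, not taken from the Snort source: an explicit fast_pattern modifier wins outright, otherwise the longest content that sits in an HTTP Inspect buffer (http_uri, http_header, ...) is preferred over raw-payload contents, otherwise the longest content overall; negated contents are never candidates. The script parses a rule's content options, attaches the modifiers that follow each content to it, and reports which pattern this model would choose. All three rules are constructed, the first being a cleaned-up copy of the rule in the mail.<br>

```python
"""Model of the fast-pattern choice observed in the mail. Added example,
not Snort's code: the preference order is an assumption drawn from the
behaviour Mike describes, not from the Snort source.
  1. a content carrying an explicit fast_pattern modifier;
  2. else the longest content in an HTTP Inspect buffer (http_uri,
     http_header, ...), which is what the mail shows being picked;
  3. else the longest content overall (the manual's stated default).
Negated contents (content:!"...") are never candidates."""
from dataclasses import dataclass

HTTP_BUFFERS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header",
                "http_cookie", "http_raw_cookie", "http_client_body",
                "http_method", "http_stat_code", "http_stat_msg"}

@dataclass
class Content:
    pattern: bytes
    negated: bool = False
    buffer: str = "payload"      # raw packet payload unless an http_* modifier follows
    fast_pattern: bool = False   # an explicit fast_pattern modifier was seen

def split_options(body):
    """Split the rule body on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            if ch == '"':
                in_quotes = not in_quotes
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts

def decode_content(raw):
    """Turn a content string into bytes: |41 42| hex blocks and backslash escapes."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "|":
            end = raw.index("|", i + 1)
            out += bytes.fromhex(raw[i + 1:end])
            i = end + 1
        elif raw[i] == "\\":
            out.append(ord(raw[i + 1]))
            i += 2
        else:
            out += raw[i].encode()
            i += 1
    return bytes(out)

def parse_contents(rule):
    """Return the rule's content options with the modifiers that follow each one."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for opt in split_options(body):
        name, _, value = (s.strip() for s in opt.partition(":"))
        if name == "content":
            negated = value.startswith("!")
            value = value.lstrip("!").strip().strip('"')
            contents.append(Content(decode_content(value), negated))
        elif contents:                       # modifiers bind to the preceding content
            if name in HTTP_BUFFERS:
                contents[-1].buffer = name
            elif name == "fast_pattern":     # also covers fast_pattern:only
                contents[-1].fast_pattern = True
    return contents

def choose_fast_pattern(rule):
    """Return the Content this model would use as the fast pattern, or None."""
    candidates = [c for c in parse_contents(rule) if not c.negated]
    if not candidates:
        return None
    explicit = [c for c in candidates if c.fast_pattern]
    if explicit:
        return explicit[0]
    in_http = [c for c in candidates if c.buffer in HTTP_BUFFERS]
    pool = in_http or candidates
    return max(pool, key=lambda c: len(c.pattern))   # first longest wins ties

# Constructed rules: the first is a cleaned-up copy of the rule in the mail.
MIKE_RULE = ('alert tcp any any -> any $HTTP_PORTS (msg:"FP Test"; '
             'flow:established,to_server; content:"twitter.com"; http_header; '
             'content:"hellow Twitter tweet"; sid:1234567;)')
PINNED_RULE = MIKE_RULE.replace('sid:1234567;', 'fast_pattern; sid:1234567;')
HEX_RULE = ('alert tcp any any -> any $HTTP_PORTS (msg:"hex"; content:!"GET"; '
            'content:"|0d 0a|X-Foo|3a 20|"; content:"ab\\;c"; sid:1;)')

if __name__ == "__main__":
    for rule in (MIKE_RULE, PINNED_RULE, HEX_RULE):
        chosen = choose_fast_pattern(rule)
        print(f"{chosen.pattern!r} ({chosen.buffer})")
```

On Mike's rule the model returns twitter.com from the http_header buffer, matching the debug output he quotes; appending fast_pattern to the longer content makes that content win instead, which is the documented way to take the choice out of the heuristic's hands when reviewing a rule set rather than relying on whichever default the build applies.<br>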
<br>
------------------------------<br>
<br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
Snort-devel mailing list<br>
<a href="mailto:Snort-devel@lists.sourceforge.net">Snort-devel@lists.sourceforge.net</a><br>
 <a href="https://lists.sourceforge.net/lists/listinfo/snort-devel" \
target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-devel</a><br> <br>
<br>
End of Snort-devel Digest, Vol 99, Issue 6<br>
******************************************<br>
</blockquote></div><br></div>
</div></blockquote></body></html>


