Bug 474631

Summary: Default alerts not triggering with default snort.conf stream5 preprocessor settings
Product: [Fedora] Fedora Reporter: cvcrckt <creitz>
Component: snortAssignee: Dennis Gilmore <dennis>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: 10CC: dennis, florian.laroche, smooge
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-12-05 21:49:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description cvcrckt 2008-12-04 18:16:40 UTC 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (.NET CLR 3.5.30729)

It looks to me like stream5 on the FC10 rpm of snort is not performing TCP reassembly correctly.  I have a test case that reliably triggers /etc/snort/rules/web-client.rules sid 4135 rev 4 on my non-FC10 box, but not on my FC10 box.  Both boxes use the default snort.conf stream5 preprocessor settings, but apparently on the FC10 box, rules matching content across more than one packet do not fire.  This can be duplicated with a much simpler rule than the rule # 4135 I reference above, and it *could* be worked around by going back to the stream4 preprocessor, except that would disrupt some other default rules.

Reproducible: Always

Steps to Reproduce:
1. Make a snort test.conf with the following contents (default stream5 settings from snort.conf, then a rule to match content that will match when any JPEG is downloaded over HTTP -- the FF D8 which signifies the beginning of a JPEG is going to show up in a later packet than the "HTTP":

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes

alert tcp any 80 -> any any (msg:"possible JPEG download"; content:"HTTP"; nocase; content:"|FF D8|"; sid:123456789; rev:0;)

2. run snort -c test.conf, download some JPEGs to fire the alert, and observe that the alert does not fire.

3. replace the default stream5 settings above in your test.conf with what used to be the default stream4 settings:

preprocessor stream4
preprocessor stream4_reassemble

4. run the test again, observe that the alert is fired properly.

Actual Results:  
Alert is not fired.

Expected Results:  
Alert should be fired.

Linux localhost.localdomain 2.6.27.5-117.fc10.i686.PAE #1 SMP Tue Nov 18 12:08:10 EST 2008 i686 i686 i386 GNU/Linux

=================

Fedora release 10 (Cambridge)

=================

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.1 (Build 28)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.8 2008-09-05
Comment 1 cvcrckt 2008-12-05 21:49:16 UTC 
Sorry, this was premature... I am able to duplicate this on a non-FC10 system here.  I need to take this question to the snort lists.

Ben