Bug 474631 - Default alerts not triggering with default snort.conf stream5 preprocessor settings
Default alerts not triggering with default snort.conf stream5 preprocessor se...
Product: Fedora
Classification: Fedora
Component: snort (Show other bugs)
i686 Linux
low Severity high
: ---
: ---
Assigned To: Dennis Gilmore
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-12-04 13:16 EST by cvcrckt
Modified: 2008-12-05 16:49 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-12-05 16:49:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description cvcrckt 2008-12-04 13:16:40 EST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2008102920 Firefox/3.0.4 (.NET CLR 3.5.30729)

It looks to me like stream5 on the FC10 rpm of snort is not performing TCP reassembly correctly.  I have a test case that reliably triggers /etc/snort/rules/web-client.rules sid 4135 rev 4 on my non-FC10 box, but not on my FC10 box.  Both boxes use the default snort.conf stream5 preprocessor settings, but apparently on the FC10 box, rules matching content across more than one packet do not fire.  This can be duplicated with a much simpler rule than the rule # 4135 I reference above, and it *could* be worked around by going back to the stream4 preprocessor, except that would disrupt some other default rules.

Reproducible: Always

Steps to Reproduce:
1. Make a snort test.conf with the following contents (default stream5 settings from snort.conf, then a rule to match content that will match when any JPEG is downloaded over HTTP -- the FF D8 which signifies the beginning of a JPEG is going to show up in a later packet than the "HTTP":

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes

alert tcp any 80 -> any any (msg:"possible JPEG download"; content:"HTTP"; nocase; content:"|FF D8|"; sid:123456789; rev:0;)

2. run snort -c test.conf, download some JPEGs to fire the alert, and observe that the alert does not fire.

3. replace the default stream5 settings above in your test.conf with what used to be the default stream4 settings:

preprocessor stream4
preprocessor stream4_reassemble

4. run the test again, observe that the alert is fired properly.

Actual Results:  
Alert is not fired.

Expected Results:  
Alert should be fired.

Linux localhost.localdomain #1 SMP Tue Nov 18 12:08:10 EST 2008 i686 i686 i386 GNU/Linux


Fedora release 10 (Cambridge)


   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.1 (Build 28)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.8 2008-09-05
Comment 1 cvcrckt 2008-12-05 16:49:16 EST
Sorry, this was premature... I am able to duplicate this on a non-FC10 system here.  I need to take this question to the snort lists.


Note You need to log in before you can comment on or make changes to this bug.