474631 – Default alerts not triggering with default snort.conf stream5 preprocessor settings

Bug 474631 - Default alerts not triggering with default snort.conf stream5 preprocessor settings

Summary: Default alerts not triggering with default snort.conf stream5 preprocessor se...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	snort
Sub Component:
Version:	10
Hardware:	i686
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	---
Assignee:	Dennis Gilmore
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-12-04 18:16 UTC by cvcrckt
Modified:	2008-12-05 21:49 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-12-05 21:49:16 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description cvcrckt 2008-12-04 18:16:40 UTC

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (.NET CLR 3.5.30729)

It looks to me like stream5 on the FC10 rpm of snort is not performing TCP reassembly correctly.  I have a test case that reliably triggers /etc/snort/rules/web-client.rules sid 4135 rev 4 on my non-FC10 box, but not on my FC10 box.  Both boxes use the default snort.conf stream5 preprocessor settings, but apparently on the FC10 box, rules matching content across more than one packet do not fire.  This can be duplicated with a much simpler rule than the rule # 4135 I reference above, and it *could* be worked around by going back to the stream4 preprocessor, except that would disrupt some other default rules.

Reproducible: Always

Steps to Reproduce:
1. Make a snort test.conf with the following contents (default stream5 settings from snort.conf, then a rule to match content that will match when any JPEG is downloaded over HTTP -- the FF D8 which signifies the beginning of a JPEG is going to show up in a later packet than the "HTTP":

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes

alert tcp any 80 -> any any (msg:"possible JPEG download"; content:"HTTP"; nocase; content:"|FF D8|"; sid:123456789; rev:0;)

2. run snort -c test.conf, download some JPEGs to fire the alert, and observe that the alert does not fire.

3. replace the default stream5 settings above in your test.conf with what used to be the default stream4 settings:

preprocessor stream4
preprocessor stream4_reassemble

4. run the test again, observe that the alert is fired properly.

Actual Results:  
Alert is not fired.

Expected Results:  
Alert should be fired.

Linux localhost.localdomain 2.6.27.5-117.fc10.i686.PAE #1 SMP Tue Nov 18 12:08:10 EST 2008 i686 i686 i386 GNU/Linux

=================

Fedora release 10 (Cambridge)

=================

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.1 (Build 28)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.8 2008-09-05

Comment 1 cvcrckt 2008-12-05 21:49:16 UTC

Sorry, this was premature... I am able to duplicate this on a non-FC10 system here.  I need to take this question to the snort lists.

Ben

Note You need to log in before you can comment on or make changes to this bug.