
Multiple alerts generated when detecting HTTP traffic #356

Closed BIIIANG closed 6 months ago

BIIIANG commented 6 months ago

Hello. I'm doing some research using Snort. I found that when I instrumented some packets using one specific HTTP rule (with no sticky buffer), two alerts were generated. Further testing revealed that some packets can even trigger three alerts. Is this normal?

Snort Version

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.83.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.13
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 3.0.2 15 Mar 2022
           Using libpcap version 1.10.1 (with TPACKET_V3)
           Using PCRE version 8.39 2016-06-14
           Using ZLIB version 1.2.11
           Using LZMA version 5.2.5

HTTP rule (Line 1473 in the Community rules)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423; classtype:web-application-activity; sid:2086; rev:14; )

HTTP Packets

The HTTP packet is sent by the following script; before running it, a simple HTTP server is started with python -m http.server 8080.

import socket

host = '127.0.0.1'
port = 8080

# message that can trigger 2 alerts
message = 'GET /connecttest.txt HTTP/1.1\r\nContent-Type: text/plain\r\nContent-Length: 14\r\nHost: www.msftconnecttest.com\r\n\r\n/parse_xml.cgi'

# message that can trigger 3 alerts
# (Content-Length says 14, but 28 bytes follow the blank line)
# message = 'GET /connecttest.txt HTTP/1.1\r\nContent-Type: text/plain\r\nContent-Length: 14\r\nHost: www.msftconnecttest.com\r\n\r\n/parse_xml.cgi/parse_xml.cgi'

# message that can trigger 2 alerts
# (Content-Length matches the 28-byte body)
# message = 'GET /connecttest.txt HTTP/1.1\r\nContent-Type: text/plain\r\nContent-Length: 28\r\nHost: www.msftconnecttest.com\r\n\r\n/parse_xml.cgi/parse_xml.cgi'

# message that can trigger only 1 alert
# (the pattern appears only in the request URI, there is no body)
# message = 'GET /parse_xml.cgi HTTP/1.1\r\nContent-Type: text/plain\r\nContent-Length: 0\r\nHost: www.msftconnecttest.com\r\n\r\n'

# Open one TCP connection to the local http.server, hand the whole request to
# the kernel in a single call, and close; Snort listens on the same loopback
# interface (-i lo) and sees this as one client data segment.
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((host, port))
client_socket.sendall(message.encode())
client_socket.close()

Trace message of snort

$ sudo snort -c /usr/local/etc/snort/snort.lua -i lo -R /path/to/rule/file -A alert_full -k none --lua 'trace = {constraints = {dst_port = 8080}, modules = {all = 255}, ntuple = true}'
--------------------------------------------------
o")~   Snort++ 3.1.83.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
        ssh
        host_cache
        pop
        so_proxy
        stream_tcp
        mms
        smtp
        gtp_inspect
        packets
        dce_http_proxy
        ips
        stream_icmp
        hosts
        normalizer
        binder
        wizard
        appid
        js_norm
        file_id
        http2_inspect
        http_inspect
        stream_udp
        ftp_data
        ftp_server
        search_engine
        port_scan
        dce_http_server
        dce_tcp
        dce_smb
        iec104
        cip
        telnet
        ssl
        sip
        rpc_decode
        netflow
        modbus
        host_tracker
        stream_user
        stream_ip
        trace
        back_orifice
        classifications
        dnp3
        active
        process
        ftp_client
        daq
        decode
        alerts
        stream
        references
        arp_spoof
        output
        network
        dns
        dce_udp
        imap
        file_policy
        s7commplus
        stream_file
Finished /usr/local/etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading rule args:
Loading /path/to/rule/file:
Finished /path/to/rule/file:
Finished rule args:
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0     209       0     209    /usr/local/etc/snort/snort.lua
--------------------------------------------------
rule counts
       total rules loaded: 209
               text rules: 209
            option chains: 209
            chain headers: 2
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     dst       1       0       0       0
   total       1       0       0       0
--------------------------------------------------
service rule counts          to-srv  to-cli
                  file_id:      208     208
                     http:        1       0
                    http2:        1       0
                    http3:        1       0
                    total:      211     208
--------------------------------------------------
fast pattern groups
                      dst: 2
                to_server: 7
                to_client: 1
--------------------------------------------------
search engine (ac_bnfa)
                instances: 9
                 patterns: 423
            pattern chars: 2613
               num states: 1883
         num match states: 377
             memory scale: KB
             total memory: 79.0469
           pattern memory: 19.0664
        match list memory: 28.3672
        transition memory: 30.4883
        fast pattern only: 7
appid: MaxRss diff: 3024
appid: patterns loaded: 300
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] lo
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: start inspection, raw, packet 112, context 112
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter stream
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit stream, elapsed time: 13 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter normalizer
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit normalizer, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter arp_spoof
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit arp_spoof, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter back_orifice
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit back_orifice, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter appid
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 appid:all:7: New AppId session
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 appid:all:7: Published event for changes: created
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit appid, elapsed time: 24 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: stop inspection, raw, packet 112, context 112, total time: 85 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: post detection inspection, raw, packet 112, context 112
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter port_scan
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit port_scan, elapsed time: 2 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: end inspection, raw, packet 112, context 112, total time: 28 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: start inspection, raw, packet 113, context 113
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter stream
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit stream, elapsed time: 1 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter normalizer
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit normalizer, elapsed time: 0 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter arp_spoof
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit arp_spoof, elapsed time: 0 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter back_orifice
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit back_orifice, elapsed time: 0 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter appid
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit appid, elapsed time: 1 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: stop inspection, raw, packet 113, context 113, total time: 68 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: post detection inspection, raw, packet 113, context 113
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter port_scan
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit port_scan, elapsed time: 1 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: end inspection, raw, packet 113, context 113, total time: 39 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: start inspection, raw, packet 114, context 114
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter stream
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit stream, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter normalizer
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit normalizer, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter arp_spoof
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit arp_spoof, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter back_orifice
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit back_orifice, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter appid
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit appid, elapsed time: 1 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: stop inspection, raw, packet 114, context 114, total time: 108 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: post detection inspection, raw, packet 114, context 114
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter port_scan
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit port_scan, elapsed time: 1 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: end inspection, raw, packet 114, context 114, total time: 11 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: start inspection, raw, packet 115, context 115
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter stream
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit stream, elapsed time: 1 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter normalizer
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit normalizer, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter arp_spoof
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit arp_spoof, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter back_orifice
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit back_orifice, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter appid
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit appid, elapsed time: 11 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: stop inspection, raw, packet 115, context 115, total time: 80 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: post detection inspection, raw, packet 115, context 115
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter port_scan
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit port_scan, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: end inspection, raw, packet 115, context 115, total time: 7 usec
[**] [1:2086:14] "SERVER-WEBAPP streaming server parse_xml.cgi access" [**]
[Classification: Access to a potentially vulnerable web application] [Priority: 2] 
03/27-09:20:11.803708 127.0.0.1:35774 -> 127.0.0.1:8080
TCP TTL:64 TOS:0x0 ID:23541 IpLen:20 DgmLen:176 DF
***AP*** Seq: 0xC515B21D  Ack: 0x65CE1BAE  Win: 0x200  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1811012056 1811012056

P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: start inspection, raw, packet 116, context 116
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter stream
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit stream, elapsed time: 0 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter normalizer
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit normalizer, elapsed time: 0 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 wizard:all:1: c2s streaming search found service http
P0:snort:inspector_manager:1: start inspection, rebuilt, packet 116, context 117
P0:snort:inspector_manager:1: enter http_inspect
P0:snort:inspector_manager:1: exit http_inspect, elapsed time: 5
P0:snort:inspector_manager:1: enter appid
P0:snort:inspector_manager:1: exit appid, elapsed time: 0 usec
P0:snort:inspector_manager:1: stop inspection, rebuilt, packet 116, context 117, total time: 49 usec
P0:snort:inspector_manager:1: post detection inspection, rebuilt, packet 116, context 117
P0:snort:inspector_manager:1: enter port_scan
P0:snort:inspector_manager:1: exit port_scan, elapsed time: 0 usec
P0:snort:inspector_manager:1: end inspection, rebuilt, packet 116, context 117, total time: 3 usec
P0:snort:inspector_manager:1: start inspection, rebuilt, packet 116, context 118
P0:snort:inspector_manager:1: enter http_inspect
P0:appid:all:7: Processing HTTP metadata from HTTP Inspector for stream -1
P0:appid:all:7: HTTP host is www.msftconnecttest.com
P0:appid:all:7: HTTP URI is /connecttest.txt
P0:appid:all:7: Payload is Unknown (-1)
P0:appid:all:7: Published event for changes: service, payload, host, url
P0:snort:inspector_manager:1: exit http_inspect, elapsed time: 81
P0:snort:inspector_manager:1: enter appid
P0:snort:inspector_manager:1: exit appid, elapsed time: 0 usec
P0:snort:inspector_manager:1: stop inspection, rebuilt, packet 116, context 118, total time: 106 usec
P0:snort:inspector_manager:1: post detection inspection, rebuilt, packet 116, context 118
P0:snort:inspector_manager:1: enter port_scan
P0:snort:inspector_manager:1: exit port_scan, elapsed time: 0 usec
P0:snort:inspector_manager:1: end inspection, rebuilt, packet 116, context 118, total time: 4 usec
P0:snort:inspector_manager:1: start inspection, rebuilt, packet 116, context 119
P0:snort:inspector_manager:1: enter http_inspect
P0:file_id:all:7: get_file_context:trying to get context from cache
P0:file_id:all:7: get_file_context:creating new context
P0:file_id:all:7: calling context process data_size 14, offset 0, position 4
P0:file_id:all:7: Updating file size of file_id 0 at position 4 with processed_bytes 14
P0:file_id:all:6: File: Type unknown
P0:appid:all:7: HTTP request body is /parse_xml.cgi
P0:snort:inspector_manager:1: exit http_inspect, elapsed time: 60
P0:snort:inspector_manager:1: enter appid
P0:snort:inspector_manager:1: exit appid, elapsed time: 0 usec
P0:snort:inspector_manager:1: stop inspection, rebuilt, packet 116, context 119, total time: 72 usec
P0:snort:inspector_manager:1: post detection inspection, rebuilt, packet 116, context 119
P0:snort:inspector_manager:1: enter port_scan
P0:snort:inspector_manager:1: exit port_scan, elapsed time: 0 usec
P0:snort:inspector_manager:1: end inspection, rebuilt, packet 116, context 119, total time: 4 usec
[**] [1:2086:14] "SERVER-WEBAPP streaming server parse_xml.cgi access" [**]
03/27-09:20:11.803708 
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter appid
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit appid, elapsed time: 1 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: stop inspection, raw, packet 116, context 116, total time: 468 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: post detection inspection, raw, packet 116, context 116
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter port_scan
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit port_scan, elapsed time: 0 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: end inspection, raw, packet 116, context 116, total time: 42 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: start inspection, raw, packet 117, context 121
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter stream
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit stream, elapsed time: 1 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter normalizer
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit normalizer, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter appid
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit appid, elapsed time: 1 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: stop inspection, raw, packet 117, context 121, total time: 84 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: post detection inspection, raw, packet 117, context 121
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter port_scan
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit port_scan, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: end inspection, raw, packet 117, context 121, total time: 42 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: start inspection, raw, packet 118, context 122
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter stream
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit stream, elapsed time: 0 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter normalizer
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit normalizer, elapsed time: 0 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter appid
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit appid, elapsed time: 0 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: stop inspection, raw, packet 118, context 122, total time: 45 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: post detection inspection, raw, packet 118, context 122
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: enter port_scan
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: exit port_scan, elapsed time: 0 usec
P0:127.0.0.1 8080 -> 127.0.0.1 35774 6 AS=0 snort:inspector_manager:1: end inspection, raw, packet 118, context 122, total time: 23 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: start inspection, raw, packet 119, context 123
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter stream
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit stream, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter normalizer
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit normalizer, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter appid
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit appid, elapsed time: 0 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: stop inspection, raw, packet 119, context 123, total time: 15 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: post detection inspection, raw, packet 119, context 123
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: enter port_scan
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: exit port_scan, elapsed time: 1 usec
P0:127.0.0.1 35774 -> 127.0.0.1 8080 6 AS=0 snort:inspector_manager:1: end inspection, raw, packet 119, context 123, total time: 25 usec
^C** caught int signal
== stopping
-- [0] lo
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                 received: 528
                 analyzed: 262
              outstanding: 266
          outstanding_max: 266
                    allow: 262
                     idle: 108
                 rx_bytes: 61969
--------------------------------------------------
codec
                    total: 262          (100.000%)
                 discards: 5            (  1.908%)
                      eth: 262          (100.000%)
                     ipv4: 262          (100.000%)
                      tcp: 257          ( 98.092%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
appid
                  packets: 257
        processed_packets: 257
           total_sessions: 5
       service_cache_adds: 1
             bytes_in_use: 152
             items_in_use: 1
--------------------------------------------------
binder
              raw_packets: 5
                new_flows: 5
          service_changes: 1
                 inspects: 10
--------------------------------------------------
detection
                 analyzed: 262
             raw_searches: 1
          cooked_searches: 2
             pkt_searches: 3
            file_searches: 1
                   alerts: 2
             total_alerts: 2
                   logged: 2
--------------------------------------------------
file_id
              total_files: 1
          total_file_data: 14
     max_concurrent_files: 1
--------------------------------------------------
http_inspect
                    flows: 1
                    scans: 3
              reassembles: 3
              inspections: 3
                 requests: 1
             get_requests: 1
           request_bodies: 1
  max_concurrent_sessions: 1
              total_bytes: 118
--------------------------------------------------
normalizer
          test_tcp_ts_nop: 9
--------------------------------------------------
port_scan
                  packets: 257
                 trackers: 2
--------------------------------------------------
search_engine
               max_queued: 2
            total_flushed: 3
            total_inserts: 3
             total_unique: 3
     non_qualified_events: 1
         qualified_events: 2
           searched_bytes: 166
--------------------------------------------------
stream
                    flows: 5
--------------------------------------------------
stream_tcp
                 sessions: 5
                      max: 5
                  created: 5
                 released: 5
             instantiated: 5
                   setups: 5
                 restarts: 1
             syn_trackers: 1
            data_trackers: 4
              segs_queued: 162
            segs_released: 162
                segs_used: 160
          rebuilt_packets: 12
          rebuilt_buffers: 1
            rebuilt_bytes: 26715
                     gaps: 1
          client_cleanups: 4
          server_cleanups: 4
                     syns: 1
                 syn_acks: 1
                   resets: 1
                     fins: 1
        partial_fallbacks: 3
                 max_segs: 56
                max_bytes: 10209
--------------------------------------------------
wizard
                tcp_scans: 111
                 tcp_hits: 1
--------------------------------------------------
Appid Statistics
--------------------------------------------------
detected apps and services
              Application: Services   Clients    Users      Payloads   Misc       Referred  
                  unknown: 5          0          0          1          0          0         
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
                  signals: 1
--------------------------------------------------
timing
                  runtime: 00:00:08
                  seconds: 8.872588
                 pkts/sec: 30
o")~   Snort exiting

The 2 alerts:

[**] [1:2086:14] "SERVER-WEBAPP streaming server parse_xml.cgi access" [**]
[Classification: Access to a potentially vulnerable web application] [Priority: 2] 
03/27-09:20:11.803708 127.0.0.1:35774 -> 127.0.0.1:8080
TCP TTL:64 TOS:0x0 ID:23541 IpLen:20 DgmLen:176 DF
***AP*** Seq: 0xC515B21D  Ack: 0x65CE1BAE  Win: 0x200  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1811012056 1811012056

[**] [1:2086:14] "SERVER-WEBAPP streaming server parse_xml.cgi access" [**]
03/27-09:20:11.803708

Rule with sticky buffer

When I test using rules with sticky buffer (like the following one), the number of alerts generated does not exceed 1.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP parse_xml.cgi access"; flow:to_server,established; http_uri; content:"/parse_xml.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423; classtype:web-application-activity; sid:2085; rev:17; )

I want to know if this situation is normal when detecting HTTP packets. Thanks.

InverseRE commented 6 months ago

Hi,

First of all, thanks for using traces. From the logs I see that search_engine.detect_raw_tcp is enabled.

Normally, Snort3 evaluates IPS rules against rebuilt packets only (PDU, whatever makes sense for the inspected protocol). The detect_raw_tcp option forces rule evaluation for raw packets (the one you can see on the wire).

Thus, you see two alerts (the 1st one from the raw packet, and the 2nd alert from the rebuilt packet). Check the final statistics:

detection
                 analyzed: 262
             raw_searches: 1      -- wire packet
          cooked_searches: 2      -- PDU
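To make the explanation above concrete, here is a small Python model added for this page; it is not Snort's code and not part of the thread. It takes the four payloads from the reporter's script (copied in as constructed input), frames them as HTTP/1.1 requests by Content-Length the way an HTTP inspector has to, and reports which buffers a nocase pattern lands in: the raw, unreassembled payload, and per request the URI, the header block, the body, or the leftover bytes of a second request that never completes. The buffer names and helper functions are this example's own. It does not model Snort's event queue or the point at which raw versus rebuilt packets are evaluated, so it shows which buffers can match, not the exact number of alerts logged.

```python
"""Added illustration (not Snort's code): which detection buffers a pattern
lands in once a TCP payload is framed as HTTP/1.1 requests."""

PATTERN = b"/parse_xml.cgi"

# Constructed input: the four messages from the reporter's script.
_HEAD = b"GET /connecttest.txt HTTP/1.1\r\nContent-Type: text/plain\r\n"
_HOST = b"Host: www.msftconnecttest.com\r\n\r\n"
MESSAGES = {
    # declared length matches the 14-byte body
    "body_14": _HEAD + b"Content-Length: 14\r\n" + _HOST + b"/parse_xml.cgi",
    # declared length 14, but 28 bytes follow the blank line
    "body_28_declared_14": _HEAD + b"Content-Length: 14\r\n" + _HOST
                           + b"/parse_xml.cgi/parse_xml.cgi",
    # declared length matches the 28-byte body
    "body_28": _HEAD + b"Content-Length: 28\r\n" + _HOST
               + b"/parse_xml.cgi/parse_xml.cgi",
    # pattern only in the request URI, no body
    "uri_only": (b"GET /parse_xml.cgi HTTP/1.1\r\nContent-Type: text/plain\r\n"
                 b"Content-Length: 0\r\n" + _HOST),
}


def frame_requests(payload: bytes) -> list:
    """Split `payload` into HTTP/1.1 requests using Content-Length framing.

    Each element has 'uri', 'headers' and 'body' bytes. Bytes left after the
    last complete message (a further request whose header block never
    finished) are returned as a final element with 'partial' set.
    """
    requests = []
    pos = 0
    while pos < len(payload):
        end = payload.find(b"\r\n\r\n", pos)
        if end == -1:
            requests.append({"uri": b"", "headers": b"", "body": b"",
                             "partial": payload[pos:]})
            break
        request_line, _, header_block = payload[pos:end].partition(b"\r\n")
        fields = request_line.split(b" ")
        uri = fields[1] if len(fields) >= 2 else b""
        content_length = 0
        for line in header_block.split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                content_length = int(value.strip() or b"0")
        body_start = end + 4
        # Only Content-Length bytes belong to this message; anything beyond
        # them is the start of the next message on the connection.
        body = payload[body_start:body_start + content_length]
        requests.append({"uri": uri, "headers": header_block,
                         "body": body, "partial": b""})
        pos = body_start + len(body)
    return requests


def buffer_hits(payload: bytes, pattern: bytes = PATTERN) -> list:
    """Return (request_index, buffer) pairs in which `pattern` occurs.

    Comparison is case-insensitive, like a nocase content match. 'raw' is
    the whole unreassembled payload and is reported with index -1. Each
    buffer is reported at most once, however often the pattern repeats.
    """
    needle = pattern.lower()
    hits = []
    if needle in payload.lower():
        hits.append((-1, "raw"))
    for idx, req in enumerate(frame_requests(payload)):
        for name in ("uri", "headers", "body", "partial"):
            if req[name] and needle in req[name].lower():
                hits.append((idx, name))
    return hits


def sticky_buffer_matches(payload: bytes, buffer: str,
                          pattern: bytes = PATTERN) -> bool:
    """Emulate a rule restricted to one HTTP buffer (e.g. http_uri): only
    that buffer of each framed request is searched, never the raw payload."""
    return any(name == buffer for _, name in buffer_hits(payload, pattern))


if __name__ == "__main__":
    for label, payload in MESSAGES.items():
        print(f"{label:22s} hits={buffer_hits(payload)} "
              f"http_uri={sticky_buffer_matches(payload, 'uri')}")
```

Running it shows that the second payload is the only one with bytes left over after the framed body: Content-Length claims 14, so the trailing /parse_xml.cgi becomes the start of a new request that never completes, which is an extra place for a buffer-less content match to land. It also shows that only the last payload satisfies a rule restricted to http_uri, and a rule with an http_uri option needs the URI buffer the HTTP inspector provides, so it has no raw-payload match to duplicate.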

InverseRE commented 6 months ago

You can find more user questions/answers at snort-users@lists.snort.org (Snort-users mailing list): https://lists.snort.org/mailman/listinfo/

Github is mainly for issues found in the source code.