
Re: Snort-inline

Federico Petronio wrote:

I have snort-inline 2.0.1 installed. I changed the rule 2077 action to drop.

Then I tried to access, using Mozilla 1.5 and IE6.0, the URL:

the snort-inline log started showing lines like this:

[**] [1:2077:2] WEB-PHP Mambo upload.php access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
01/13-18:31:06.944124 -> TCP TTL:117 TOS:0x0 ID:3095 IpLen:20 DgmLen:578 DF
***AP*** Seq: 0x45A19C2C Ack: 0x425899A4 Win: 0xFFFF TcpLen: 20
[Xref => http://www.securityfocus.com/bid/6572]

but after 5 minutes of that, the webserver finally got the query and answered. That means that snort-inline let through the packet that it should have dropped. Can anyone check that? I tried several times and got the same result.

I reported this some time ago, and it was not just about rule 2077 failing, but about all rules having the same problem. I searched a little more and sent a couple of mails to the snort-inline list and finally found (thanks to Pieter Claassen) that the problem was that I had set the stream4 preprocessor in the config file, but that preprocessor is currently not supported by snort-inline.

When I commented out the lines about stream4 the problem disappeared.

                                        Federico Petronio
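
A check for the condition reported above, as an added example that is not part of the original post: it scans a Snort configuration for stream4 preprocessor directives that are still active, folding backslash-continued lines and skipping commented ones. The sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of a snort.conf fragment (not taken from the original post).
SAMPLE_CONF = """\
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans, \\
    disable_evasion_alerts
# preprocessor stream4_reassemble
preprocessor stream4_reassemble: both
preprocessor http_decode: 80 unicode iis_alt_unicode
"""

PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)")


def logical_lines(text):
    """Yield (first_line_number, joined_text), folding backslash continuations."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = num
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:  # file ended in the middle of a continued directive
        yield start, buf


def active_stream4(text):
    """Return (line_number, name) for each uncommented stream4* preprocessor."""
    hits = []
    for num, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # already commented out
        m = PREPROC_RE.match(line)
        if m and m.group(1).startswith("stream4"):
            hits.append((num, m.group(1)))
    return hits


if __name__ == "__main__":
    for num, name in active_stream4(SAMPLE_CONF):
        print(f"line {num}: active '{name}' preprocessor; comment it out for snort-inline")
```

To check a real file, pass its contents to `active_stream4()` in place of `SAMPLE_CONF`.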