<font size=2 face="sans-serif">I have a question about application layer
traffic identification and rule matches based on it, specifically http.
I have this rule from emerging-policy.rules:</font>
<br>
<br><font size=2 face="sans-serif">alert http $EXTERNAL_NET any -> $HOME_NET
any (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected
unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a
20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32;
threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402;
classtype:policy-violation; sid:2006402; rev:10;)</font>
<br>
<br><font size=2 face="sans-serif">And I have this traffic:</font>
<br>
<br><font size=2 face="sans-serif">13:42:09.149477 IP e.x.t.n.51978 >
h.o.m.e.80: S 3741764774:3741764774(0) win 8192 <mss 1460,nop,wscale
2,nop,nop,sackOK></font>
<br><font size=2 face="sans-serif">E .4.3@.1..Xb..9...^M.</font>
<br><font size=2 face="sans-serif">.P.......... .................</font>
<br><font size=2 face="sans-serif">13:42:09.149796 IP h.o.m.e.80 > e.x.t.n.51978:
S 2299323222:2299323222(0) ack 3741764775 win 32768 <mss 1460></font>
<br><font size=2 face="sans-serif">E .,...........^Mb..9.P.</font>
<br><font size=2 face="sans-serif">...V....`.............</font>
<br><font size=2 face="sans-serif">13:42:09.211776 IP e.x.t.n.51978 >
h.o.m.e.80: . ack 1 win 17520</font>
<br><font size=2 face="sans-serif">E .(.;@.1..\b..9...^M.</font>
<br><font size=2 face="sans-serif">.P.......WP.DpL.........</font>
<br><font size=2 face="sans-serif">13:42:09.216761 IP e.x.t.n.51978 >
h.o.m.e.80: P 1:196(195) ack 1 win 17520</font>
<br><font size=2 face="sans-serif">E ...<@.1.</font>
<br><font size=2 face="sans-serif">.b..9...^M.</font>
<br><font size=2 face="sans-serif">.P.......WP.Dp....GET / HTTP/1.1</font>
<br><font size=2 face="sans-serif">Accept: </font>
<br><font size=2 face="sans-serif">Cache-Control: no-cache</font>
<br><font size=2 face="sans-serif">Authorization: Basic Og==</font>
<br><font size=2 face="sans-serif">User-Agent: Mozilla/5.0 (Windows NT
5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1</font>
<br><font size=2 face="sans-serif">Host: </font><a href=www.mydomain.com><font size=2 face="sans-serif">www.mydomain.com</font></a>
<br><font size=2 face="sans-serif">Connection: Close</font>
<br><font size=2 face="sans-serif">Pragma: no-cache</font>
<br>
<br>
<br><font size=2 face="sans-serif">Yet the rule does not alert as it should.
The packet that should set off the alert is the first one after the
TCP three-way handshake. At this point does the engine not have enough
data to classify this stream as HTTP and thus the rule is not firing? I
sincerely hope that is not the case...</font>
<br>
<br><font size=2 face="sans-serif">I have double-checked my variables and
this should fire; the Snort version (alert tcp) does fire as expected in
Snort.</font>
<br>
<br><font size=2 face="sans-serif">Thank you.</font>
<br>
<br><font size=2 face="sans-serif">-David</font>
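<br>
<br>The two content checks of sid 2006402, re-implemented at the byte level and run over the request shown in the capture above, as an added example (not code from the post or from Suricata): it shows that the pattern matching itself would succeed on this request, so the question about when the stream gets classified as HTTP is the right one to ask. The request bytes are reconstructed from the dump with CRLF line endings assumed; the `within` window is approximated as the 32 bytes following the first match.

```python
import base64
import re
from typing import Optional, Tuple

# Constructed sample request, reconstructed from the tcpdump output in the post
# (tcpdump line prefix stripped; CRLF line endings assumed as on the wire).
REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Accept: \r\n"
    b"Cache-Control: no-cache\r\n"
    b"Authorization: Basic Og==\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\r\n"
    b"Host: www.mydomain.com\r\n"
    b"Connection: Close\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
)

# Constructed variant carrying the "anonymous:" credential the rule excludes.
ANON_REQUEST = REQUEST.replace(b"Basic Og==", b"Basic YW5vbnltb3VzOg==")

# content:"|0d 0a|Authorization|3a 20|Basic"; nocase;
CONTENT_1 = b"\r\nAuthorization: Basic"
# content:!"YW5vbnltb3VzOg=="; within:32;  (base64 of "anonymous:")
CONTENT_2 = b"YW5vbnltb3VzOg=="
WITHIN = 32


def rule_2006402_matches(payload: bytes) -> bool:
    """Approximate the rule's content logic: case-insensitive first match,
    then the negated second content must NOT appear in the next 32 bytes."""
    idx = payload.lower().find(CONTENT_1.lower())
    if idx == -1:
        return False
    end = idx + len(CONTENT_1)
    window = payload[end:end + WITHIN]
    return CONTENT_2 not in window


def basic_credential(payload: bytes) -> Optional[Tuple[str, str]]:
    """Decode the Basic credential so an analyst can see what was sent in clear."""
    m = re.search(rb"\r\nAuthorization: Basic ([A-Za-z0-9+/=]+)", payload, re.IGNORECASE)
    if not m:
        return None
    user, _, password = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
    return user, password


if __name__ == "__main__":
    print("rule matches posted request:", rule_2006402_matches(REQUEST))      # True
    print("credential in posted request:", basic_credential(REQUEST))          # ('', '')
    print("rule matches anonymous request:", rule_2006402_matches(ANON_REQUEST))  # False
```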