By default, an intrusion policy on a FireSIGHT System runs in post-acknowledgement (post-ACK) mode. This means that data in reassembled streams (such as HTTP streams) is not matched against rules until the server's ACK for that data has been seen. The server has therefore already received the HTTP request by the time the system alerts on it. The rest of the session is blocked, but the malicious GET has already been processed.
To change this behavior, enable the Inline Normalization feature in the intrusion policy and turn on the Normalize TCP and Normalize TCP Payload options. Please read the following document to learn more about post-acknowledgement and pre-acknowledgement inspection with the Inline Normalization preprocessor.
In addition, if a load balancer sits in front of your servers, it may inspect only the first packet of a request and log the request based on that packet alone. Snort, however, uses Protocol Aware Flushing (PAF), so it does not alert or drop until it has seen every packet of an HTTP request. If the load balancer sees only the first packet of a multi-packet request, and Snort has not dropped anything because the subsequent packets never reached it, the load balancer may log the request inaccurately. Eventually the session is pruned because no further data was seen; at that point Snort flushes the rest of the stream and the event triggers. The generated event carries the timestamp of the original data, not the time at which Snort actually generated the event.
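As an added illustration (not code from the original article or from Cisco), the following Python model shows the timing difference described above: with post-ACK inspection the whole request reaches the server before the rule fires, while with pre-ACK inspection the final segment is held and never delivered. The rule, the `/evil` URI and the packet timestamps are constructed for this example, and the event timestamp is taken from the first data segment, as the article describes.

```python
"""Toy simulation of post-ACK versus pre-ACK inspection of a PAF-reassembled
HTTP request (constructed for this example; not FireSIGHT or Snort code)."""
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # capture timestamp of the segment
    src: str           # "client" or "server" (server packet = ACK only)
    payload: bytes = b""


def malicious(request: bytes) -> bool:
    # Stand-in for an intrusion rule; "/evil" is a hypothetical bad URI.
    return b"GET /evil" in request


def simulate(packets, pre_ack: bool):
    """Return what the server received and the events raised, as
    (event_timestamp, request) pairs."""
    buf, first_ts, awaiting, blocked = b"", None, None, False
    delivered, events = [], []
    for p in packets:
        if blocked:
            continue                       # rest of the session is dropped
        if p.src == "client":
            first_ts = p.ts if first_ts is None else first_ts
            buf += p.payload
            end = buf.find(b"\r\n\r\n")    # PAF flush point: full request seen
            if end < 0:
                delivered.append(p.payload)  # earlier segments are forwarded
                continue
            request, buf = buf[:end + 4], buf[end + 4:]
            if pre_ack:
                if malicious(request):
                    events.append((first_ts, request))
                    blocked = True
                    continue               # final segment is never forwarded
                delivered.append(p.payload)
            else:
                delivered.append(p.payload)  # forwarded before rules run
                awaiting = (first_ts, request)  # verdict waits for server ACK
            first_ts = None
        elif awaiting is not None:         # server ACK for the buffered data
            ts, request = awaiting
            awaiting = None
            if malicious(request):
                events.append((ts, request))  # stamped with original data time
                blocked = True
    return {"delivered": b"".join(delivered), "events": events}


# Constructed sample session: a two-segment request, a late ACK, a follow-up.
SESSION = [Packet(1.0, "client", b"GET /evil HTTP/1.1\r\n"),
           Packet(1.1, "client", b"Host: example.test\r\n\r\n"),
           Packet(3.5, "server"),
           Packet(3.6, "client", b"GET /next HTTP/1.1\r\n\r\n")]
```

Running `simulate(SESSION, pre_ack=False)` shows the server receiving the complete request with an event stamped 1.0 rather than 3.5, which is why correlating these events against load balancer or server logs by time needs the original data timestamp, not the alert time.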