Snort mailing list archives

Re: Alerts of "(http_inspect) NON-RFC DEFINED CHAR"


From: "Daniel J. Roelker" <droelker () sourcefire com>
Date: 01 Mar 2004 12:55:36 -0500

Hi Kris,

Thanks for pointing out some of the things you've been seeing.  Here's
what's happening and hopefully this will answer many people's questions:

<for all users>

1) Issues with getting alerts while doing ordinary web browsing.

The majority of issues here have to do with refining the http_inspect
profiles.  We've done more profile tweaking in Snort 2.1.1 and this
should help a lot of the false positives that users have been
reporting.  We want user feedback so we can continue to tweak the
profiles, but we need this feedback on recent versions (2.1.1 right
now).  People are still reporting known issues with 2.1.0, and this
doesn't really help because we already know about it and have fixed it
based on users' feedback.  So download 2.1.1 and give us feedback on
that.

</for all users>

2) Your particular issue . . . :)

What you're reporting is how we do HTTP inspection and URL discovery. 
http_inspect works by inspecting both packets and rebuilt streams. 
Because we inspect packets, we can't assume anything about the protocol
and in order to not be evaded we inspect each packet for anything that
could be a URL, and also look for any HTTP pipeline requests.  Since we
do things this way, what looks like a URL to http_inspect, may in fact
not be, since we have to inspect packets in a stateless manner.  This
can cause false positives, like you saw in your examples.

If you look at the packets, you'll see that there is indeed a TAB in the
first packet (or rebuilt packet) that indicates a start of the URL,
followed by a newline.  This indicates that the data in between may be a
URL, and so we inspect it to make sure we're not evaded.  The second
packet alert means that there was no \r\n delimiter and just a \n,
which is very likely because of the javascript.  So again this is a case
of a misidentified URL.

We can't change the way we do stateless inspection because then it is
possible to evade the IDS.

The chance of false positives doesn't go away until we only analyze TCP
application streams in a streaming sense.  This is something we're
actively working on, so there is hope ;)

In answer to your question, there is no buffer mangling occurring, just
stateless inspection.  My advice is that if these two alerts are causing
you problems, then I would configure http_inspect to not alert on these
things.  There are a lot of other users that don't have problems with
these alerts, but since everyone's network is different, you have to
tune appropriately.

Thanks for the feedback, and feel free to email me with any other
questions/comments you might have about http_inspect.

Dan

On Mon, 2004-03-01 at 10:47, Jeremy Hewlett wrote:
From: Kristofer T. Karas <ktk () enterprise bidmc harvard edu>
To: Jeremy Hewlett <jh () sourcefire com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Alerts of "(http_inspect) NON-RFC DEFINED CHAR"
Date: 27 Feb 2004 15:29:47 -0500

I've noticed some other odd behavior with the http_inspect preprocessor 
that might explain the huge onslaught of complaints from it against 
ordinary web browsing.  It seems as though it is looking not at the 
start of the data buffers for a given HTTP transaction, but rather 
somewhere in the middle of a random assemblage of packets (in 
particular, in the payload and not the data).

For example, here's the unabridged payload that triggered an 
APACHE_WHITESPACE_TAB alert:

      04 55 50 47 50 03 30 2E 35 00 06 00 0B 00 88 05   .UPGP.0.5.......
      57 69 6E 33 32 0E 57 69 6E 4E 54 20 35 2E 30 2E   Win32.WinNT 5.0.
      32 31 39 35 00 00 04 09 00 A0 00 28 66 33 30 35   2195.......(f305
      62 61 37 36 32 62 36 37 64 61 33 64 66 66 36 31   ba762b67da3dff61
      31 33 36 35 61 66 63 65 30 61 33 32 32 66 32 62   1365afce0a322f2b
      33 66 63 65 62 38 32 63 33 62 37 61 65 62 39 34   3fceb82c3b7aeb94
      63 38 66 34 35 38 39 62 61 31 61 33 35 62 36 39   c8f4589ba1a35b69
      30 33 64 63 32 61 63 65 61 30 63 30 39 62 30 38   03dc2acea0c09b08
      32 38 61 63 31 39 65 38 65 36 35 61 30 7C 37 57   28ac19e8e65a0|7W
      32 46 36 00 00 00 48 00 0F 00 0E 02 55 53 0A 30   2F6...H.....US.0
      32 37 36 32 2D 32 32 36 31 00 68 00 0D 0A 37 2E   2762-2261.h...7.
      30 2E 30 2E 31 34 35 32 00 02 00 0D 00 1C 0B 52   0.0.1452.......R
      65 61 6C 4A 75 6B 65 62 6F 78 09 31 2E 30 2E 33   ealJukebox.1.0.3
      2E 36 33 36 00 00 00 00 00 00 00 0D 00 2E 0A 52   .636...........R
      65 61 6C 50 6C 61 79 65 72 0A 36 2E 30 2E 31 31   ealPlayer.6.0.11
      2E 38 37 32 04 46 52 45 45 02 65 6E 00 06 52 4E   .872.FREE.en..RN
      31 30 50 44 06 52 4E 39 47 50 44 00 00 02 04 EA   10PD.RN9GPD.....
      00 46 05 61 74 68 64 62 0A 37 2E 30 2E 30 2E 31   .F.athdb.7.0.0.1
      33 36 34 06 55 70 64 61 74 65 0A 37 2E 30 2E 30   364.Update.7.0.0
      2E 32 33 31 31 08 55 70 64 61 74 65 55 49 0A 37   .2311.UpdateUI.7
      2E 30 2E 30 2E 32 33 31 31 03 61 74 68 0A 37 2E   .0.0.2311.ath.7.
      30 2E 30 2E 31 33 36 34 07 52 4E 41 64 6D 69 6E   0.0.1364.RNAdmin
      0A 30 2E 31 2E 30 2E 31 36 32 32 03 4D 53 47 0A   .0.1.0.1622.MSG.
      37 2E 30 2E 30 2E 31 34 35 32 07 72 66 78 69 6E   7.0.0.1452.rfxin
      73 74 0A 37 2E 30 2E 30 2E 32 33 31 31 11 50 6C   st.7.0.0.2311.Pl
      61 79 65 72 55 6E 69 6E 73 74 42 65 67 69 6E 09   ayerUninstBegin.
      36 2E 30 2E 39 2E 34 33 36 07 52 4D 41 43 6F 72   6.0.9.436.RMACor
      65 0A 36 2E 30 2E 39 2E 32 30 30 36 05 50 4E 43   e.6.0.9.2006.PNC
      52 54 07 36 2E 30 2E 30 2E 30 04 76 73 72 63 0A   RT.6.0.0.0.vsrc.
      36 2E 30 2E 37 2E 33 32 38 30 06 50 6C 61 79 65   6.0.7.3280.Playe
      72 0A 36 2E 30 2E 31 31 2E 38 37 32 05 53 6B 69   r.6.0.11.872.Ski
      6E 73 0A 36 2E 30 2E 31 31 2E 38 37 32 04 46 72   ns.6.0.11.872.Fr
      65 65 0A 36 2E 30 2E 31 31 2E 38 37 32 02 52 41   ee.6.0.11.872.RA
      0A 36 2E 30 2E 39 2E 31 35 37 30 02 52 56 0A 36   .6.0.9.1570.RV.6
      2E 30 2E 39 2E 31 36 34 38 05 46 6C 61 73 68 0A   .0.9.1648.Flash.
      36 2E 30 2E 38 2E 33 35 35 37 05 45 6D 62 65 64   6.0.8.3557.Embed
      0A 36 2E 30 2E 38 2E 32 33 36 33 07 52 65 61 6C   .6.0.8.2363.Real
      54 78 74 0A 36 2E 30 2E 37 2E 33 36 34 36 04 69   Txt.6.0.7.3646.i
      6D 67 70 0A 36 2E 30 2E 37 2E 33 39 31 36 03 50   mgp.6.0.7.3916.P
      4E 47 0A 36 2E 30 2E 37 2E 33 36 30 33 02 47 46   NG.6.0.7.3603.GF
      0A 36 2E 30 2E 37 2E 33 37 37 38 04 52 50 69 78   .6.0.7.3778.RPix
      0A 36 2E 30 2E 37 2E 33 37 35 39 04 47 46 4A 50   .6.0.7.3759.GFJP
      0A 36 2E 30 2E 37 2E 33 37 37 38 05 53 65 74 75   .6.0.7.3778.Setu
      70 0A 37 2E 30 2E 30 2E 32 33 31 31 03 73 64 70   p.7.0.0.2311.sdp
      0A 36 2E 30 2E 37 2E 33 37 37 39 06 61 75 73 74   .6.0.7.3779.aust
      72 6D 0A 36 2E 30 2E 39 2E 31 33 39 38 07 72 70   rm.6.0.9.1398.rp
      68 6F 77 74 6F 09 36 2E 30 2E 39 2E 36 32 31 04   howto.6.0.9.621.
      4D 50 47 41 0A 36 2E 30 2E 39 2E 32 38 39 39 05   MPGA.6.0.9.2899.
      4D 50 33 50 4C 0A 36 2E 30 2E 39 2E 32 34 31 30   MP3PL.6.0.9.2410
      06 72 6A 62 76 69 7A 0A 31 2E 30 2E 32 2E 32 33   .rjbviz.1.0.2.23
      36 32 07 73 74 75 62 64 72 6D 0A 36 2E 30 2E 38   62.stubdrm.6.0.8
      2E 33 38 36 38 06 47 45 4D 49 4E 49 0A 30 2E 31   .3868.GEMINI.0.1
      2E 30 2E 31 37 36 30 05 47 45 4D 45 58 0A 30 2E   .0.1760.GEMEX.0.
      31 2E 30 2E 31 37 36 30 09 47 45 4D 58 4D 4C 42   1.0.1760.GEMXMLB
      49 4E 0A 30 2E 31 2E 30 2E 31 37 36 30 08 72 6A   IN.0.1.0.1760.rj
      6D 70 33 70 6C 6E 0A 31 2E 30 2E 32 2E 31 31 33   mp3pln.1.0.2.113
      35 08 72 6A 72 6D 6A 70 6C 6E 0A 31 2E 30 2E 32   5.rjrmjpln.1.0.2
      2E 31 31 33 35 06 77 6D 70 6C 79 72 08 36 2E 30   .1135.wmplyr.6.0
      2E 38 2E 34 33 07 74 6F 6F 6C 62 61 72 08 31 2E   .8.43.toolbar.1.
      31 2E 31 2E 32 35 07 4D 49 4E 48 45 4C 50 0A 36   1.1.25.MINHELP.6
      2E 30 2E 31 31 2E 38 37 32 05 48 4F 57 54 4F 0A   .0.11.872.HOWTO.
      36 2E 30 2E 31 31 2E 38 37 32 04 61 75 64 70 0A   6.0.11.872.audp.
      36 2E 30 2E 37 2E 34 30 36 39 04 76 69 64 70 0A   6.0.7.4069.vidp.
      36 2E 30 2E 39 2E 31 35 35 34 04 56 4D 50 47 0A   6.0.9.1554.VMPG.
      36 2E 30 2E 39 2E 32 36 30 35 06 72 6A 70 6C 75   6.0.9.2605.rjplu
      73 09 31 2E 30 2E 33 2E 39 37 32 07 72 6A 65 70   s.1.0.3.972.rjep
      6C 75 67 09 31 2E 30 2E 32 2E 36 33 36 06 72 6A   lug.1.0.2.636.rj
      70 6C 61 79 0A 31 2E 30 2E 32 2E 31 32 33 36 05   play.1.0.2.1236.
      72 6A 73 65 63 0A 31 2E 30 2E 32 2E 31 31 33 35   rjsec.1.0.2.1135
      07 72 6A 63 64 65 78 74 0A 31 2E 30 2E 32 2E 31   .rjcdext.1.0.2.1
      31 33 36 07 72 6A 63 64 69 6E 66 0A 31 2E 30 2E   136.rjcdinf.1.0.
      32 2E 31 31 33 39 06 72 6A 70 73 65 74 0A 37 2E   2.1139.rjpset.7.
      30 2E 30 2E 32 33 31 31 06 72 6A 66 69 6C 65 0A   0.0.2311.rjfile.
      31 2E 30 2E 32 2E 31 31 33 36 06 72 6A 64 6F 77   1.0.2.1136.rjdow
      6E 0A 31 2E 30 2E 32 2E 31 31 33 36 07 72 6A 63   n.1.0.2.1136.rjc
      64 72 6F 6D 09 31 2E 30 2E 32 2E 33 30 39 06 72   drom.1.0.2.309.r
      6A 69 6E 73 64 09 31 2E 30 2E 33 2E 39 37 32 07   jinsd.1.0.3.972.
      72 6A 70 64 6D 67 72 0A 31 2E 30 2E 32 2E 31 32   rjpdmgr.1.0.2.12
      33 36 06 72 6A 6A 61 76 61 0A 31 2E 30 2E 32 2E   36.rjjava.1.0.2.
      31 31 33 36 08 72 6A 72 6D 78 70 6C 6E 0A 31 2E   1136.rjrmxpln.1.
      30 2E 32 2E 31 31 33 35 06 72 6A 62 72 65 73 0A   0.2.1135.rjbres.
      31 2E 30 2E 32 2E 31 31 34 38 07 72 6A 6D 70 6D   1.0.2.1148.rjmpm
      65 64 09 31 2E 30 2E 33 2E 38 35 31 05 72 6A 64   ed.1.0.3.851.rjd
      6C 67 09 31 2E 30 2E 33 2E 39 34 35 07 72 6A 6D   lg.1.0.3.945.rjm
      70 7A 69 70 09 31 2E 30 2E 33 2E 38 33 36 0C 70   pzip.1.0.3.836.p
      64 62 75 72 6E 70 6C 75 67 69 6E 09 31 2E 30 2E   dburnplugin.1.0.
      30 2E 31 39 34 0C 70 64 62 75 72 6E 65 6E 67 69   0.194.pdburnengi
      6E 65 09 31 2E 30 2E 30 2E 31 39 34 0D 70 64 62   ne.1.0.0.194.pdb
      75 72 6E 73 75 70 70 6F 72 74 09 31 2E 30 2E 30   urnsupport.1.0.0
      2E 31 39 34 08 66 66 74 72 61 6E 73 63 09 31 2E   .194.fftransc.1.
      30 2E 30 2E 31 36 32 08 64 74 64 72 70 6C 69 6E   0.0.162.dtdrplin
      09 36 2E 30                                       .6.0


Note that this is not anywhere near the header of an HTTP GET or POST 
request.

Another common idiom I'll see with the payload is to have a "GET ... 
HTTP/1.1" request right in the middle of some other payload.   For 
example, here's the start of the payload for a "NOT RFC HTTP DELIMITER" 
alert, pretty printed.  Note the "GET /images/dot_clear.gif" right smack 
in the middle of some javascript HREF from a previous GET request:

       Fonseca</a> </td>
      <td>RE: manera </td>
      <td>Feb 26</td>
      <td align=right>1KB</td></tr>
      <tr name="xxxxxx () xxxxxxxxx com">
      <td>
      </td>
      <td><img src="http://65.54.172.24/i.F42AB.gif"; class="KK" alt='Read'></td>
      <td></td>
      <td><input type="checkbox" name="MSG1077904931.15" onClick="CCA(this)"></td>
      <td></td>
      <td><a href="javascript:G('/cgi-bin/getmsg?msg=MSG1077904931.15&sGET /images/dot_clear.gif HTTP/1.1
      Host: www.molecularcloning.com
      Accept: image/gif, image/jpeg, image/x-png, image/png, image/xbm, image/xbitmap, image/x-xbitmap, */*
      Accept-Language: en
      Connection: Keep-Alive
      Referer: http://www.molecularcloning.com/
      User-Agent: Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)


I think this packet buffer mangling may be what's responsible for all 
the alerts...

Kris


-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
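To make Dan's explanation concrete, here is an added illustration (written for this archive page; it is not Snort's http_inspect code and the sample payloads are constructed, not captures from the thread). It models the three inspection strategies the reply contrasts: a stateless scan of every byte in a packet, which finds pipelined requests but also "sees" a request line embedded in unrelated data like Kris's javascript HREF; a naive check that only accepts a request line at offset 0, which has no such false positive but is trivially evaded by a second pipelined request; and a stateful walk over a reassembled client stream, the approach Dan says is in progress. The request-line grammar and the alert names `APACHE_WHITESPACE` and `NON_RFC_HTTP_DELIMITER` are simplified stand-ins for what the preprocessor actually does.

```python
import re
from dataclasses import dataclass, field

# Constructed sample packet payloads (not captures from the thread).
# Modelled on Kris's second example: a client request line that appears in the
# middle of HTML and is terminated by a bare LF instead of CRLF.
HTML_FRAGMENT = (
    b"<td><a href=\"javascript:G('/cgi-bin/getmsg?msg=MSG1077904931.15&s"
    b"GET /images/dot_clear.gif HTTP/1.1\nHost: www.molecularcloning.com\n"
)
# Two pipelined requests in one packet; the second uses a TAB after the method.
PIPELINED = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    b"GET\t/cgi-bin/printenv HTTP/1.0\r\n\r\n"
)

# Simplified request-line grammar (hypothetical, not http_inspect's): method,
# whitespace, URI, whitespace, version, line end.  Tabs and a bare "\n" are
# accepted on purpose so they can be reported instead of silently missed.
REQUEST_LINE = re.compile(
    rb"(?P<method>GET|POST|HEAD)(?P<ws1>[ \t]+)(?P<uri>[^ \t\r\n]+)"
    rb"(?P<ws2>[ \t]+)HTTP/\d\.\d(?P<eol>\r?\n)"
)


@dataclass
class Candidate:
    offset: int
    uri: bytes
    alerts: list = field(default_factory=list)


def _classify(m: re.Match) -> Candidate:
    """Turn one regex match into a Candidate carrying the alerts it raises."""
    c = Candidate(m.start(), m.group("uri"))
    if b"\t" in m.group("ws1") or b"\t" in m.group("ws2"):
        c.alerts.append("APACHE_WHITESPACE")       # tab used as a delimiter
    if m.group("eol") != b"\r\n":
        c.alerts.append("NON_RFC_HTTP_DELIMITER")  # bare LF ends the line
    return c


def find_candidates(payload: bytes) -> list:
    """Stateless scan: every byte of the packet is searched, so pipelined
    requests are found, but so is a 'GET' sitting inside unrelated data."""
    return [_classify(m) for m in REQUEST_LINE.finditer(payload)]


def first_request_only(payload: bytes) -> list:
    """Naive alternative: accept a request line only at offset 0.  No false
    positive on HTML, but a pipelined second request is never looked at."""
    m = REQUEST_LINE.match(payload)
    return [_classify(m)] if m else []


def parse_client_stream(stream: bytes) -> list:
    """Stateful walk of a reassembled client->server stream: a request may
    start only at offset 0 or directly after the previous header block.
    Simplification: request bodies (Content-Length, chunked) are not skipped."""
    pos, found = 0, []
    while pos < len(stream):
        m = REQUEST_LINE.match(stream, pos)
        if m is None:
            break
        found.append(_classify(m))
        end = stream.find(b"\r\n\r\n", m.end())
        if end < 0:
            break
        pos = end + 4
    return found


if __name__ == "__main__":
    for name, payload in (("html", HTML_FRAGMENT), ("pipelined", PIPELINED)):
        print(name, "stateless:", find_candidates(payload))
        print(name, "offset-0 :", first_request_only(payload))
        print(name, "stream   :", parse_client_stream(payload))
```

Run stand-alone, `find_candidates` reports the bare-LF request line buried in the HTML fragment (the false positive Dan describes) and both pipelined requests, including the tab-delimited one; `first_request_only` is quiet on the HTML but also misses the second pipelined request, which is the evasion that rules out that shortcut; `parse_client_stream` finds both pipelined requests and nothing in the HTML, because server data would never be in the client-side stream it walks.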


