Snort mailing list archives
Re: HTTP preprocessor and POST data
From: Xavi Garcia <xavi.garcia () gmail com>
Date: Fri, 26 Mar 2010 18:26:58 +0100
Hi, I am using the following rule to test a local file inclusion. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local file inclusion POST"; flow:to_server,established;content:"POST"; nocase; http_method; uricontent:"/index.php"; nocase; content:"include=.."; nocase; classtype:web-application-attack; sid:20000000; rev:1;) that catches the following attack: curl -d "include=../../../../../../../../../../../../../../../../../../../../../etc/passwd%00" "http://192.168.178.29/index.php" But fails when I encode the data in Hex. curl -d "include=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd%00" "http://192.168.178.29/index.php" I have checked the Changelog and the POST data should be normalized, but I cannot find how to match against this normalized data. 007-04-27 Steven Sturges <ssturges () sourcefire com> Update to normalize the body of a client request to allow rules to check specifically for parameters of a POST or GET request. Also add stats that are part of the hourly stats that track various HTTP encodings and normalizations that have occurred. Perhaps the preprocessor is misconfigured ... preprocessor http_inspect: global \ iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: \ server default profile apache \ client_flow_depth 1460 \ ports { 80 } \ normalize_headers \ normalize_cookies \ post_depth 65495 Regards, Xavier Garcia 2010/3/25 Xavi Garcia <xavi.garcia () gmail com>
Hi, Thank you for your fast answer. As far I understand, http_uri works like uricontent. It is useful to fix the the resource being requested but then we have to match against the data. I have only been able to do so when I use "content" without modifiers. Regards, Xavier Garcia 2010/3/25 Crook, Parker <Parker_Crook () reyrey com> Xavi,You can definitely use the (content:”POST”; http_method;) to alert only on POST data; however for the data normalization, I’m having a brain-fart right now… maybe somebody else knows, perhaps content:”<match_string>”; http_uri; pcre:”<more specific criteria>”; -Parker ------------------------------ *From:* Xavi Garcia [mailto:xavi.garcia () gmail com] *Sent:* Thursday, March 25, 2010 2:27 PM *To:* snort-users () lists sourceforge net *Subject:* [Snort-users] HTTP preprocessor and POST data Hi, I am learning how HTTP Inspect works and also trying to write some rules that use normalized data. I think that all is explained in the documentation and you have done a great job, but I have a doubt regarding the POST data. I am sure that my question is too obvious, but I have tried to find the right answer by myself without luck. :) I see that the newer versions of Snort permit to normalize data from the URI, headers, cookies and the body, but there is nothing about the POST data. I have tried to use the different modifiers for "content" without luck. I understand that POST data cannot be normalized, but there is no mention in the documentation. Am I wrong? In that case, which is the best practice when I want to detect an attack that is using POST instead of GET? Thank you very much for your help :) Regards, Xavier Garcia
------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- HTTP preprocessor and POST data Xavi Garcia (Mar 25)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 25)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 25)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 26)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 26)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 26)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 26)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 25)
- Re: HTTP preprocessor and POST data Matt Watchinski (Mar 26)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 30)
- Re: HTTP preprocessor and POST data Matt Watchinski (Mar 30)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 31)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 25)