Re: HTTP preprocessor and POST data

[Xavi Garcia <xavi.garcia () gmail com>]

Parker,

I have tried with  http_uri and uricontent but there is not alert.


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local
file inclusion POST"; flow:to_server,established;content:"POST"; nocase;
http_method; uricontent:"/index.php"; nocase; uricontent:"include"; nocase;
classtype:web-application-attack;  sid:20000001; rev:1;)

This are the statistics after executing snort:

HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                   2
    GET methods:                    0
    Headers extracted:              2
    Header Cookies extracted:       0
    Post parameters extracted:      2
    Unicode:                        0
    Double unicode:                 0
    Non-ASCII representable:        0
    Base 36:                        0
    Directory traversals:           26
    Extra slashes ("//"):           0
    Self-referencing paths ("./"):  26
    Total packets processed:        10

Is see " Post parameters extracted:      2".   Perhaps it is related.


Regards,

Xavier Garcia


2010/3/26 Crook, Parker <Parker_Crook () reyrey com>

>  Xavi,
>
>
>
> You might want to change the content:”include=..”; to either
>
> content:”include=..”; http_uri;
>
> OR
>
> uricontent:”include=..”;
>
>
>
> As it is currently, you’re not normalizing that string.
>
>
>
> -Parker
>  ------------------------------
>
> *From:* Xavi Garcia [mailto:xavi.garcia () gmail com]
> *Sent:* Friday, March 26, 2010 1:27 PM
>
> *To:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] HTTP preprocessor and POST data
>
>
>
> Hi,
>
> I am using the following rule to test a local file inclusion.
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local
> file inclusion POST"; flow:to_server,established;content:"POST"; nocase;
> http_method; uricontent:"/index.php"; nocase; content:"include=.."; nocase;
> classtype:web-application-attack;  sid:20000000; rev:1;)
>
> that catches the following attack:
>
> curl  -d
> "include=../../../../../../../../../../../../../../../../../../../../../etc/passwd%00"
> "http://192.168.178.29/index.php";
>
> But fails when I encode the data in Hex.
>
> curl  -d
> "include=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd%00"
> "http://192.168.178.29/index.php";
>
> I have checked the Changelog and the POST data should be
> normalized, but I cannot find how to match against this normalized data.
>
> 007-04-27 Steven Sturges <ssturges () sourcefire com>
>
> Update to normalize the body of a client request to
> allow
>
> rules to check specifically for parameters of a POST or GET request.
> Also add stats that are part of the hourly stats that
> track
>
> various HTTP encodings and normalizations that have occurred.
>
>
> Perhaps the preprocessor is misconfigured ...
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: \
>     server default profile apache \
>     client_flow_depth 1460 \
>     ports { 80  }  \
>     normalize_headers \
>     normalize_cookies \
>     post_depth 65495
>
>
> Regards,
>
> Xavier Garcia
>
> 2010/3/25 Xavi Garcia <xavi.garcia () gmail com>
>
> Hi,
>
> Thank you for your fast answer.
>
> As far I understand, http_uri  works like uricontent.
> It is useful to fix the the resource being requested
> but then we have to match against the data. I have
> only been able to do so when I use "content"
> without modifiers.
>
> Regards,
>
> Xavier Garcia
>
> 2010/3/25 Crook, Parker <Parker_Crook () reyrey com>
>
>
>
> Xavi,
>
>
>
> You can definitely use the (content:”POST”; http_method;) to alert only on
> POST data; however for the data normalization, I’m having a brain-fart right
> now… maybe somebody else knows, perhaps content:”<match_string>”; http_uri;
> pcre:”<more specific criteria>”;
>
>
>
> -Parker
>
>
>  ------------------------------
>
> *From:* Xavi Garcia [mailto:xavi.garcia () gmail com]
> *Sent:* Thursday, March 25, 2010 2:27 PM
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] HTTP preprocessor and POST data
>
>
>
> Hi,
>
> I am learning how HTTP Inspect works and also trying
> to write some rules that use normalized data. I think that
> all is explained in the documentation and you have done
> a great job, but I have a doubt regarding the POST data.
>
> I am sure that my question is too obvious, but I have tried
> to find the right answer by myself without luck. :)
>
> I see that the newer versions of Snort permit to normalize
> data from the URI, headers, cookies and the body, but there
> is nothing about the POST data. I have tried to use the
> different modifiers for  "content" without luck.
>
> I understand that POST data cannot be normalized, but
> there is no mention in the documentation. Am I wrong?
> In that case, which is the best practice when I want to
> detect an attack that is using POST instead of GET?
>
> Thank you very much for your help :)
>
> Regards,
>
> Xavier Garcia
------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users