Snort mailing list archives
Re: HTTP preprocessor and POST data
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Fri, 26 Mar 2010 16:07:43 -0400
Xavi,

I have included the snort sigs group on this so they can weigh in, as I have to wrap up the day with project reports... I did a snort capture of the traffic generated by the curl script you have (modified for my box) and the results are below:

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/26-09:04:38.910626 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x189
192.168.1.200:42440 -> 192.168.1.200:80 TCP TTL:64 TOS:0x0 ID:64562 IpLen:20 DgmLen:379 DF
***AP*** Seq: 0x34BFD130  Ack: 0x3538CC8B  Win: 0x201  TcpLen: 32
TCP Options (3) => NOP NOP TS: 628501791 628501791
50 4F 53 54 20 2F 69 6E 64 65 78 2E 70 68 70 20  POST /index.php 
48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41  HTTP/1.1..User-A
67 65 6E 74 3A 20 63 75 72 6C 2F 37 2E 31 38 2E  gent: curl/7.18.
32 20 28 69 34 38 36 2D 70 63 2D 6C 69 6E 75 78  2 (i486-pc-linux
2D 67 6E 75 29 20 6C 69 62 63 75 72 6C 2F 37 2E  -gnu) libcurl/7.
31 38 2E 32 20 4F 70 65 6E 53 53 4C 2F 30 2E 39  18.2 OpenSSL/0.9
2E 38 67 20 7A 6C 69 62 2F 31 2E 32 2E 33 2E 33  .8g zlib/1.2.3.3
20 6C 69 62 69 64 6E 2F 31 2E 38 20 6C 69 62 73   libidn/1.8 libs
73 68 32 2F 30 2E 31 38 0D 0A 48 6F 73 74 3A 20  sh2/0.18..Host: 
31 39 32 2E 31 36 38 2E 31 2E 32 30 30 0D 0A 41  192.168.1.200..A
63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E 74  ccept: */*..Cont
65 6E 74 2D 4C 65 6E 67 74 68 3A 20 38 34 0D 0A  ent-Length: 84..
43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70  Content-Type: ap
70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D  plication/x-www-
66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D  form-urlencoded.
0A 0D 0A 69 6E 63 6C 75 64 65 3D 2E 2E 2F 2E 2E  ...include=../..
2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F  /../../../../../
2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E  ../../../../../.
2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E  ./../../../../..
2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 65 74 63 2F 70 61  /../../../etc/pa
73 73 77 64 25 30 30                             sswd%00
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

-Parker

_____

From: Xavi Garcia [mailto:xavi.garcia () gmail com]
Sent: Friday, March 26, 2010 2:16 PM
To: Crook, Parker
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] HTTP preprocessor and POST data

Parker,

I have tried with http_uri and uricontent but there is no alert.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local file inclusion POST"; flow:to_server,established; content:"POST"; nocase; http_method; uricontent:"/index.php"; nocase; uricontent:"include"; nocase; classtype:web-application-attack; sid:20000001; rev:1;)

These are the statistics after executing snort:

HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                   2
    GET methods:                    0
    Headers extracted:              2
    Header Cookies extracted:       0
    Post parameters extracted:      2
    Unicode:                        0
    Double unicode:                 0
    Non-ASCII representable:        0
    Base 36:                        0
    Directory traversals:           26
    Extra slashes ("//"):           0
    Self-referencing paths ("./"):  26
    Total packets processed:        10

I see "Post parameters extracted: 2". Perhaps it is related.

Regards,
Xavier Garcia

2010/3/26 Crook, Parker <Parker_Crook () reyrey com>

Xavi,

You might want to change the content:"include=.."; to either

content:"include=.."; http_uri;

OR

uricontent:"include=..";

As it is currently, you're not normalizing that string.

-Parker

_____

From: Xavi Garcia [mailto:xavi.garcia () gmail com]
Sent: Friday, March 26, 2010 1:27 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] HTTP preprocessor and POST data

Hi,

I am using the following rule to test a local file inclusion.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local file inclusion POST"; flow:to_server,established; content:"POST"; nocase; http_method; uricontent:"/index.php"; nocase; content:"include=.."; nocase; classtype:web-application-attack; sid:20000000; rev:1;)

that catches the following attack:

curl -d "include=../../../../../../../../../../../../../../../../../../../../../etc/passwd%00" "http://192.168.178.29/index.php"

But it fails when I encode the data in hex.

curl -d "include=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd%00" "http://192.168.178.29/index.php"

I have checked the Changelog and the POST data should be normalized, but I cannot find how to match against this normalized data.

007-04-27 Steven Sturges <ssturges () sourcefire com>
    Update to normalize the body of a client request to allow rules to check specifically for parameters of a POST or GET request. Also add stats that are part of the hourly stats that track various HTTP encodings and normalizations that have occurred.

Perhaps the preprocessor is misconfigured ...

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: \
    server default profile apache \
    client_flow_depth 1460 \
    ports { 80 } \
    normalize_headers \
    normalize_cookies \
    post_depth 65495

Regards,
Xavier Garcia

2010/3/25 Xavi Garcia <xavi.garcia () gmail com>

Hi,

Thank you for your fast answer. As far as I understand, http_uri works like uricontent. It is useful to fix the resource being requested, but then we have to match against the data. I have only been able to do so when I use "content" without modifiers.

Regards,
Xavier Garcia

2010/3/25 Crook, Parker <Parker_Crook () reyrey com>

Xavi,

You can definitely use the (content:"POST"; http_method;) to alert only on POST data; however for the data normalization, I'm having a brain-fart right now... maybe somebody else knows, perhaps

content:"<match_string>"; http_uri; pcre:"<more specific criteria>";

-Parker

_____

From: Xavi Garcia [mailto:xavi.garcia () gmail com]
Sent: Thursday, March 25, 2010 2:27 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] HTTP preprocessor and POST data

Hi,

I am learning how HTTP Inspect works and also trying to write some rules that use normalized data. I think that all is explained in the documentation and you have done a great job, but I have a doubt regarding the POST data. I am sure that my question is too obvious, but I have tried to find the right answer by myself without luck. :)

I see that the newer versions of Snort permit normalizing data from the URI, headers, cookies and the body, but there is nothing about the POST data. I have tried to use the different modifiers for "content" without luck. I understand that POST data cannot be normalized, but there is no mention in the documentation. Am I wrong? In that case, which is the best practice when I want to detect an attack that is using POST instead of GET?

Thank you very much for your help :)

Regards,
Xavier Garcia
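Added example, written for this archive page and not posted by anyone in the thread: a simplified model of the buffers http_inspect hands to the rule engine, showing why a bare content match sees the percent-encoded POST body unchanged, why uricontent/http_uri never sees the body at all, and what a match against the decoded client body (in Snort the http_client_body modifier) would see. The sample requests are constructed to resemble the two curl commands; the single-pass percent-decoding is an assumption standing in for the preprocessor's real normalization.

```python
# Added example: a model of Snort http_inspect buffers (not Snort's own code).
# Assumption: the client-body buffer is percent-decoded once, as the quoted
# changelog entry describes; real http_inspect does more (depth limits, etc.).
from urllib.parse import unquote_to_bytes


def split_request(raw: bytes):
    """Return (method, uri, headers, body) from a raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def normalize(buf: bytes) -> bytes:
    """One pass of percent-decoding: %2E -> '.', %2F -> '/', %00 -> NUL."""
    return unquote_to_bytes(buf)


def raw_content_match(raw: bytes, pattern: bytes) -> bool:
    """content:"..." with no buffer modifier: searched in the raw payload."""
    return pattern in raw


def uri_content_match(raw: bytes, pattern: bytes) -> bool:
    """uricontent / http_uri: searched only in the normalized request URI."""
    _, uri, _, _ = split_request(raw)
    return pattern in normalize(uri)


def client_body_match(raw: bytes, pattern: bytes) -> bool:
    """http_client_body: searched in the decoded POST body (assumed model)."""
    _, _, _, body = split_request(raw)
    return pattern in normalize(body)


def build_post(body: bytes) -> bytes:
    """Construct a request shaped like the thread's curl -d (constructed sample)."""
    return (b"POST /index.php HTTP/1.1\r\nHost: 192.168.178.29\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body)


# Constructed bodies mirroring the two curl commands (21 traversal steps each).
PLAIN_BODY = b"include=" + b"../" * 21 + b"etc/passwd%00"
HEX_BODY = b"include=" + b"%2E%2E%2F" * 21 + b"etc/passwd%00"
```

Running the three match functions over build_post(PLAIN_BODY) and build_post(HEX_BODY) with the thread's patterns reproduces the observed behaviour: the raw match catches only the plain body, the URI match catches neither, and the decoded-body match catches both.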