Snort mailing list archives
Re: Looking for HTTP POST's over 1mb in size
From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Thu, 8 Apr 2010 12:01:19 -0500
Glad to help Josh, also drop the '/s', I meant to write the PCRE as:

pcre:"/^Content-Length:\s*[0-9]{7,}$/i";

-evilghost

JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
> evilghost-
>
> Yeah my PCRE skills are pretty weak. I'll try your change and let you know how it works out (I also changed the source from "any" to $HOME_NET as well)
>
> Thanks!!
> Josh
>
> ----- Original Message -----
> From: Evilghost () Packetmail Net <evilghost () packetmail net>
> To: JOSH RIVEL (BLOOMBERG/ 731 LEXIN)
> Cc: SNORT-SIGS () LISTS SOURCEFORGE NET
> At: 4/08 12:49:17
>
> Hey Josh, isn't the root issue here 10[1-9] in the PCRE OR match since it'll match on 101, 102, 103, etc? What about:
>
> pcre:"/^Content-Length:\s*[0-9]{7,}$/si";
>
> It'll still match against 1,000,000 bytes which is close enough to 1Mb for me. Also, not sure why you need the other PCRE flags.
>
> -evilghost
>
> JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
>
> So I wrote a signature to detect HTTP POST's over 1mb in size, but I think that my pcre logic is flawed. Can someone take a look and let me know if this is OK? (It does work, but will trigger on file sizes < 1mb based on the Content-Length: header) (We have some stuff in there to ignore posts to certain sites due to too many false positives)
>
> The rule is:
>
> alert tcp any !20 -> $EXTERNAL_NET !25 (
>   flow:established,to_server; priority:1;
>   content:"POST"; nocase; http_method;
>   content:!"Shockwave"; nocase; http_header;
>   content:!"x-flash-version"; nocase;
>   content:!"Host\: live.com"; nocase; http_header;
>   content:!"Host\: mail.google.com"; nocase; http_header;
>   content:!"Host\: mail.yahoo.com"; nocase;
>   content:!"Host\: webmail.aol.com"; nocase; http_header;
>   content:!"Host\: webmail.juno.com"; nocase; http_header;
>   content:!"Host\: webmailb.juno.com"; nocase; http_header;
>   content:"multipart/"; nocase;
>   content:"Content-Length\:"; nocase; http_header;
>   pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix";
>   pcre:!"/^Host:\s.*[\.live.com]$/smi";
>   msg:"http-post-pcre-jr"; classtype:policy-violation;
>   sid:1000060; gid:1; rev:4; )
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
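As an added example (not code from the thread or from Snort), the Content-Length patterns discussed above are run over a constructed POST header block with Python's re module, which treats ^, $, \s, {7,} and the i/m/s/x flags the same way PCRE does; the request builder and function names are my own, and Snort's choice of which buffer the pcre keyword inspects is not modelled. It shows the 10[1-9] alternative firing on a 101-byte POST, and that the ^...$ anchors of the replacement only find the Content-Length line inside a multi-line header block when /m is kept (and the trailing CR is allowed for).

```python
import re

# Constructed HTTP request header block (sample input, not from the thread).
def request(content_length: str) -> str:
    return (
        "POST /upload HTTP/1.1\r\n"
        "Host: files.example.invalid\r\n"
        "Content-Type: multipart/form-data; boundary=----abc\r\n"
        f"Content-Length: {content_length}\r\n"
        "\r\n"
    )

# The PCRE from Josh's original rule, with its /smix flags.
ORIGINAL = re.compile(r"^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])",
                      re.S | re.M | re.I | re.X)
# evilghost's replacement exactly as written in the final reply (flag /i only).
REVISED = re.compile(r"^Content-Length:\s*[0-9]{7,}$", re.I)
# Same digit test with /m restored and an optional CR, so it anchors per header line
# (my variant, not something proposed on the list).
REVISED_PER_LINE = re.compile(r"^Content-Length:\s*[0-9]{7,}\r?$", re.I | re.M)

def fires(pattern: re.Pattern, subject: str) -> bool:
    """True when the pattern would trigger on this subject."""
    return pattern.search(subject) is not None

def compare(content_length: str) -> dict:
    """Run all three patterns over a header block carrying the given Content-Length."""
    subject = request(content_length)
    return {
        "original": fires(ORIGINAL, subject),
        "revised_as_posted": fires(REVISED, subject),
        "revised_per_line": fires(REVISED_PER_LINE, subject),
    }

if __name__ == "__main__":
    # 101 is the false positive the thread discusses; 999999 is just under 7 digits.
    for cl in ("101", "999999", "1000000", "1500000"):
        print(cl, compare(cl))
    # On a subject that is only the header line, the as-posted pattern does match.
    print(fires(REVISED, "Content-Length: 1500000"))
```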
Current thread:
- Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size JOSH RIVEL, BLOOMBERG/ 731 LEXIN (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size evilghost () packetmail net (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size 김무성 (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size L0rd Ch0de1m0rt (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size Matt Olney (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size evilghost () packetmail net (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size Alex Kirk (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size Matt Olney (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size evilghost () packetmail net (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size 김무성 (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size L0rd Ch0de1m0rt (Apr 09)
- Re: Looking for HTTP POST's over 1mb in size evilghost () packetmail net (Apr 08)