Snort mailing list archives
unsubscribe
From: "Furio Penteriani" <fpenteriani () globeflex com>
Date: Fri, 9 Apr 2010 06:44:43 -0700
-----Original Message-----
From: snort-sigs-request () lists sourceforge net [mailto:snort-sigs-request () lists sourceforge net]
Sent: Thursday, April 08, 2010 8:17 PM
To: snort-sigs () lists sourceforge net
Subject: Snort-sigs Digest, Vol 47, Issue 11

Send Snort-sigs mailing list submissions to snort-sigs () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-sigs or, via email, send a message with subject or body 'help' to snort-sigs-request () lists sourceforge net

You can reach the person managing the list at snort-sigs-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-sigs digest..."

Today's Topics:

1. Re: Looking for HTTP POST's over 1mb in size (Alex Kirk)
2. Re: Looking for HTTP POST's over 1mb in size (evilghost () packetmail net)

----------------------------------------------------------------------

Message: 1
Date: Thu, 8 Apr 2010 23:12:38 -0400
From: Alex Kirk <akirk () sourcefire com>
Subject: Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size
To: "evilghost () packetmail net" <evilghost () packetmail net>
Cc: ??? <kimms () infosec co kr>, "SNORT-SIGS () lists sourceforge net" <SNORT-SIGS () lists sourceforge net>, "David.R.Wharton () regions com" <David.R.Wharton () regions com>, Matt Olney <molney () sourcefire com>
Message-ID: <s2y8e0a702c1004082012z8117941fs7d0eac5a606b7a49 () mail gmail com>
Content-Type: text/plain; charset="euc-kr"

True, but some of us are a bit gun-shy around colons in Snort rules - it only takes screwing up a release once before you make a habit of escaping colons wherever they may be found. :-P

2010/4/8 evilghost () packetmail net <evilghost () packetmail net>
Colon doesn't need to be escaped in a PCRE, even in a Snort PCRE. It does in a content match. :)

-evilghost

Matt Olney wrote:
Actually (don't ask me why)...they both work:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon"; pcre:"/User-Agent:/H"; classtype: attempted-admin; sid: 33333;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon escaped"; pcre:"/User-Agent\:/H"; classtype: attempted-admin; sid: 33334;)

Alerts:
1:33333:0 PCRE with colon Alerts: 2
1:33334:0 PCRE with colon escaped Alerts: 2

[HTTP_HEADER BUFFER DATA (0x8ac90a0)]:
55 73 65 72 2d 41 67 65 6e 74 3a 20 43 42 4e 65 User-Agent: CBNe
74 44 61 74 61 53 65 74 0d 0a 48 6f 73 74 3a 20 tDataSet..Host:
73 65 67 6d 65 6e 74 2e 70 77 30 38 2e 69 63 69 segment.pw08.ici
62 61 2e 63 6f 6d 0d 0a 43 61 63 68 65 2d 43 6f ba.com..Cache-Co
6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 32 ntrol: max-age=2
35 39 32 30 30 0d 0a 56 69 61 3a 20 31 2e 30 20 59200..Via: 1.0
50 52 4f 58 59 0d 0a 43 6f 6e 6e 65 63 74 69 6f PROXY..Connectio
6e 3a 20 63 6c 6f 73 65 0d 0a 0d n: close...

Matt
(Who has been stupid busy, but is still listening)

2010/4/8 L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
I disagree. Unless snort is not PCRE compatible (which it seems they should be based on the acronym), you don't have to escape the colon in this context for a pcre check.

Cheers,
-L0rd Ch0de1m0rt

On Thu, Apr 8, 2010 at 7:46 PM, ??? <kimms () infosec co kr> wrote:
> Missed escape : \
>
> You have to write this
>
> pcre:"/^Content-Length\:\s*[0-9]{7,}$/i";
> or
> pcre:"/^Content-Length\x3a\s*[0-9]{7,}$/i";
>
> -----Original Message-----
> From: evilghost () packetmail net [mailto:evilghost () packetmail net]
> Sent: Friday, April 09, 2010 2:01 AM
> To: JOSH RIVEL, BLOOMBERG/ 731 LEXIN
> Cc: SNORT-SIGS () LISTS SOURCEFORGE NET
> Subject: Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size
>
> Glad to help Josh, also drop the '/s', I meant to write the PCRE as:
>
> pcre:"/^Content-Length:\s*[0-9]{7,}$/i";
>
> -evilghost
>
> JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
>> evilghost-
>> Yeah my PCRE skills are pretty weak. I'll try your change and let you know how it works out (I also change the source from "any" to $HOME_NET as well)
>> Thanks!!
>> Josh
>>
>> ----- Original Message -----
>> From: Evilghost () Packetmail Net <evilghost () packetmail net>
>> To: JOSH RIVEL (BLOOMBERG/ 731 LEXIN)
>> Cc: SNORT-SIGS () LISTS SOURCEFORGE NET
>> At: 4/08 12:49:17
>>
>> Hey Josh, isn't the root issue here 10[1-9] in the PCRE OR match since it'll match on 101, 102, 103, etc?
>>
>> What about:
>>
>> pcre:"/^Content-Length:\s*[0-9]{7,}$/si";
>>
>> It'll still match against 1,000,000 bytes which is close enough to 1Mb for me. Also, not sure why you need the other PCRE flags.
>>
>> -evilghost
>>
>> JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
>>> So I wrote a signature to detect HTTP POST's over 1mb in size, but I think that my pcre logic is flawed. Can someone take a look and let me know if this is OK? (It does work, but will trigger on file sizes < 1mb based on the Content-Length: header)
>>> (We have some stuff in there to ignore posts to certain sites due to too many false positives)
>>> The rule is:
>>> alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:!"Host\: live.com"; nocase; http_header; content:!"Host\: mail.google.com"; nocase; http_header; content:!"Host\: mail.yahoo.com"; nocase; content:!"Host\: webmail.aol.com"; nocase; http_header; content:!"Host\: webmail.juno.com"; nocase; http_header; content:!"Host\: webmailb.juno.com"; nocase; http_header; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; pcre:!"/^Host:\s.*[\.live.com]$/smi"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:4; )
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------

Message: 2
Date: Thu, 8 Apr 2010 22:16:37 -0500
From: "evilghost () packetmail net" <evilghost () packetmail net>
Subject: Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size
To: Matt Olney <molney () sourcefire com>
Cc: ??? <kimms () infosec co kr>, "SNORT-SIGS () lists sourceforge net" <SNORT-SIGS () lists sourceforge net>, "David.R.Wharton () regions com" <David.R.Wharton () regions com>
Message-ID: <4BBE9C15.2030200 () packetmail net>
Content-Type: text/plain; charset="EUC-KR"

Well, according to the manual at least, we (someone) pointed it out as a bug in the manual. I can't remember the thread.

-evilghost

Matt Olney wrote:
Nope:

Alerts:
1:33335:0 Content with colon Alerts: 2
1:33336:0 Content with |3A| Alerts: 2

2010/4/8 evilghost () packetmail net <evilghost () packetmail net>
Colon doesn't need to be escaped in a PCRE, even in a Snort PCRE.
It does in a content match. :)

-evilghost
End of Snort-sigs Digest, Vol 47, Issue 11
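The regexes argued over in the digest above can be checked offline. The script below is an added example written for this page; it is not code from the thread, from any of its authors, or from Snort. It uses Python's `re` module as a stand-in for PCRE (the constructs involved, `^`, `$`, `\s`, `\x3a`, `{7,}` and the `i`/`m`/`s`/`x` flags, behave the same in both) and runs the expressions against a constructed header block with CRLF line endings, as in the header-buffer hex dump Matt posted. The header block, the header values and the `CRLF_FIXED` variant are mine, not the thread's. It shows three things: why Josh's `10[1-9]` alternative fires on a 105-byte POST, that `^` without `/m` only matches the first header in the block, and that `$` does not match in front of the `\r` of a CRLF line ending, which is worth knowing before relying on `[0-9]{7,}$`.

```python
import re

# Constructed sample header blocks (not captured traffic). CRLF line
# endings, as in the HTTP_HEADER buffer dump quoted in the thread.
SMALL_POST = (
    "User-Agent: example-client\r\n"
    "Host: upload.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=x\r\n"
    "Content-Length: 105\r\n"
    "\r\n"
)
BIG_POST = SMALL_POST.replace("Content-Length: 105", "Content-Length: 1048576")

# The expressions from the thread, as Python re patterns.
ORIGINAL = r"^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])"  # Josh's rule, /smix
FIXED = r"^Content-Length:\s*[0-9]{7,}$"                     # evilghost's fix, /i
# Hypothetical variant (mine, not from the thread): allow the \r that
# precedes \n in a CRLF header line so that $ can still match.
CRLF_FIXED = r"^Content-Length:\s*[0-9]{7,}\r?$"

SMIX = re.S | re.M | re.I | re.X


def fires(pattern: str, headers: str, flags: int = re.I) -> bool:
    """True if the pattern matches anywhere in the header block."""
    return re.search(pattern, headers, flags) is not None


def original_rule_false_positive() -> bool:
    """The 10[1-9] alternative makes the original rule fire on a 105-byte POST."""
    return fires(ORIGINAL, SMALL_POST, SMIX)


def fixed_rule_without_m_fires_on_big_post() -> bool:
    """Without /m, ^ only matches at the start of the buffer; the first header
    here is User-Agent, so Content-Length is never examined."""
    return fires(FIXED, BIG_POST, re.I)


def fixed_rule_with_m_fires_on_big_post() -> bool:
    """With /m, ^ matches each line start, but $ cannot match before the \\r of
    a CRLF line ending, so the fix still does not fire on this block."""
    return fires(FIXED, BIG_POST, re.I | re.M)


def crlf_fixed_fires(headers: str) -> bool:
    """The \\r?-tolerant variant fires on 7+ digit lengths and nothing else."""
    return fires(CRLF_FIXED, headers, re.I | re.M)


def colon_spellings_agree(headers: str) -> bool:
    """':' , '\\:' and '\\x3a' are the same character inside a regex. The escape
    only matters for Snort's content: keyword, where a bare colon is the
    modifier separator; in a pcre: it is just a literal colon."""
    spellings = (r"Content-Length:", r"Content-Length\:", r"Content-Length\x3a")
    results = {fires(p, headers) for p in spellings}
    return len(results) == 1  # all three agree (all True on these blocks)


def regex_vs_threshold(content_length: int):
    """Compare the 7-digit regex with a real 1 MiB comparison. Returns
    (regex_fires, over_1mib); the two disagree for 1,000,000..1,048,575,
    which is the "close enough" gap evilghost accepted."""
    line = f"Content-Length: {content_length}\r\n"
    return crlf_fixed_fires(line), content_length >= 1024 * 1024


if __name__ == "__main__":
    print("original rule fires on 105-byte POST:", original_rule_false_positive())
    print("fix without /m fires on 1 MiB POST:", fixed_rule_without_m_fires_on_big_post())
    print("fix with /m fires on 1 MiB POST:", fixed_rule_with_m_fires_on_big_post())
    print("CRLF-aware fix fires on 1 MiB POST:", crlf_fixed_fires(BIG_POST))
    for n in (999_999, 1_000_000, 1_048_576):
        print(n, regex_vs_threshold(n))
```

Run it with any Python 3 interpreter; no network or pcap is needed. The CRLF point is the one to carry back into a rule: a value anchored with `$` needs either `\r?` before it or a different terminator, otherwise a correct-looking expression silently never fires on real headers.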