Snort mailing list archives
Re: http_header issues, Snort 2.8.5.3
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 1 Apr 2010 12:33:43 -0400
This being April Fools' Day (good grief, I hope the apostrophe is correct?) I'll chime in, even though I'm not the grammar king. "An HTTP" works for me if you read "an H ...". If you read "an hyper ..." it doesn't work. Same for "an FTP" but not for "a TCP". Correct or not, that is the spirit of the law.

On Thu, Apr 1, 2010 at 11:46 AM, Jason Brvenik <jasonb () sourcefire com> wrote:

Being pedantic would be citing the proper use from a literary guide, not an RFC or two. It is an ArrEffSee after all. Before English was Americanized, the h was almost always silent and thus the rule of using an before an H was steadfast. L0rd is correct on modern usage and it tweaks me as much as the loss of an and or or following a comma in a series. The usage is neither here nor there I suppose. I would like to see the grammar king (king is really a substitution) chime in.

On Thu, Apr 1, 2010 at 10:53 AM, evilghost () packetmail net <evilghost () packetmail net> wrote:

I hate to be pedantic, but it looks like RFC 2616, RFC 2396, etc. use "a HTTP", such as "... MUST NOT establish a HTTP ...", "... engine on a HTTP ...", etc. Who knows. I would like some insight into why the cookies were excluded from http_header aside from the obvious redundancy regarding the precision in http_cookie;

-evilghost

Jason Brvenik wrote:

It does seem odd that the cookie is not in the headers but I'm sure there is a reason that the choice was made. Dunno on the "a" vs. "an" thing. By my read, the "H" is pronounced and therefore the use of "an" is appropriate.

On Thu, Apr 1, 2010 at 10:58 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

Mike, since you seem to be good at pointing out errors in the snort manual, you may also want to note that the use of "an HTTP" is rampant throughout it. Might I suggest a little Find & Replace to the manual maintainer(s)? :)

Cheers,
-L0rd Ch0de1m0rt

On 4/1/10, Mike Cox <mike.cox52 () gmail com> wrote:

Agreed, I'm shocked that the http_header buffer doesn't include the Cookie header. It doesn't make sense. According to the manual, "The http header keyword is a content modifier that restricts the search to the extracted Header fields of an HTTP client request." (as an aside, note the incorrect use of 'an' instead of 'a') Why is the Cookie header a second class citizen in the HTTP headers world? I understand having a separate http_cookie buffer but it doesn't mean Cookies are not headers anymore....

-Mike Cox

On 4/1/10, evilghost () packetmail net <evilghost () packetmail net> wrote:

Thanks Will for the speedy response, I apologize for not having read your response to the list earlier. I agree with you regarding this and it's counter-intuitive to have the Cookie removed from the http_header buffer.

-evilghost

Will Metcalf wrote:

That's because the cookie isn't included in the normalized header buffer; you can only get to it via the http_cookie modifier. I know, it doesn't make any sense to me either. I sent the following e-mail to snort-devel on 3/17.

"This is just my 2 cents, but I don't think the following behavior makes sense. I think that even though you are providing http_cookie as a separate buffer to match on, it should still be included in the http_header buffer, well, because it is part of the headers. You can still match using the raw buffer but then you have to add additional checks to try and differentiate between the headers and the body, which is why I'm guessing these modifiers were created in the first place. I realize that in most cases header order doesn't matter but there may be instances where you can fingerprint a piece of automated code (read malware) using a rule similar to sid 69 below.

Regards,
Will"

#this matches but I lose the performance/accuracy benefit of only matching within the buffer containing http_headers.
alert tcp any any -> any any (msg:"http_cookie + "; content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; classtype:bad-unknown; sid:68; rev:1;)

#this fails to match as the cookie is not part of the http_header buffer but is part of the real http headers.
alert tcp any any -> any any (msg:"http_cookie + "; content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; http_header; classtype:bad-unknown; sid:69; rev:1;)

On Thu, Apr 1, 2010 at 9:22 AM, evilghost () packetmail net <evilghost () packetmail net> wrote:

Hello, I am running Snort 2.8.5.3 and it appears that either http_header; is not working correctly, does not work with a relative keyword, or I do not understand http_header; correctly. I am attempting to constrain a content match to the http_header for performance reasons. Note, no need to recommend isdataat, I know there is data within 1024 bytes past the previous content match.

Does NOT work:
uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\:"; nocase; http_header; content:"ieatbugs="; within:1024;

Does work:
uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\:"; nocase; content:"ieatbugs="; within:1024;

Comments/insight appreciated.

-evilghost

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
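The buffer behaviour the whole thread is about, as an added example that is not part of this thread and not Snort's own code: a simplified model of the Snort 2.8.5 http_inspect buffers as the participants describe them (http_header holding every request header except the Cookie line, http_cookie holding only the cookie value, and the raw payload), a converter for Snort's |hex| content notation, and the content checks from sid 68, sid 69 and evilghost's two rule fragments run against one constructed request. The sample request, its placeholder cookie value, the buffer-splitting rules and the within: semantics are assumptions for illustration, not captured traffic or the preprocessor's actual logic.

```python
# Added example: a simplified model of the buffers the thread is about.
# It is not Snort's code; the split rules are assumptions for illustration.

SAMPLE_REQUEST = (  # constructed request, not captured traffic
    b"GET /login.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: curl/7.19\r\n"
    b"Cookie: session=abc123; ieatbugs=1\r\n"   # placeholder cookie value
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"user=test"
)


def snort_content_to_bytes(s: str) -> bytes:
    """Turn a Snort content string (|hex hex| sections plus backslash
    escapes such as \\: and \\;) into the raw bytes the engine searches for."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "|":
            j = s.index("|", i + 1)            # closing pipe of the hex run
            out += bytes.fromhex(s[i + 1:j])   # fromhex ignores the spaces
            i = j + 1
        elif s[i] == "\\" and i + 1 < len(s):
            out.append(ord(s[i + 1]))          # escaped literal character
            i += 2
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)


def split_buffers(raw: bytes) -> dict:
    """Model of the 2.8.5 http_inspect buffers as described in the thread:
    'http_header' holds every request header line except Cookie,
    'http_cookie' holds only the Cookie value, 'raw' is the whole payload."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    header_buf, cookie_buf = [], b""
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie_buf = value.strip()         # lands only in http_cookie
        else:
            header_buf.append(line + b"\r\n")
    return {
        "uri": request_line.split(b" ")[1],
        "http_header": b"".join(header_buf),
        "http_cookie": cookie_buf,
        "body": body,
        "raw": raw,
    }


def find(hay: bytes, needle: bytes, nocase: bool = False, start: int = 0) -> int:
    """One content: check; returns the match offset or -1."""
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    return hay.find(needle, start)


def relative_match(hay: bytes, first: bytes, second: bytes, within: int,
                   nocase: bool = False) -> bool:
    """content:first; content:second; within:N; -- the second match must end
    within N bytes after the end of the first (simplified within semantics)."""
    pos = find(hay, first, nocase)
    if pos < 0:
        return False                          # first content fails: rule fails
    end = pos + len(first)
    pos2 = find(hay, second, nocase, end)
    return pos2 >= 0 and (pos2 + len(second)) - end <= within


def evaluate_thread_rules(raw: bytes = SAMPLE_REQUEST) -> dict:
    """Run the content checks discussed in the thread against each buffer."""
    b = split_buffers(raw)
    # sid 68/69 style pattern, with the placeholder cookie instead of the hash
    cookie_then_ctype = snort_content_to_bytes(
        "Cookie|3A| session=abc123; ieatbugs=1|0d 0a|Content-Type|3A| application")
    crlf_cookie = snort_content_to_bytes("|0d 0a|Cookie\\:")
    return {
        "sid68_raw": find(b["raw"], cookie_then_ctype) >= 0,                  # True
        "sid69_http_header": find(b["http_header"], cookie_then_ctype) >= 0,  # False
        "login_http_header": relative_match(b["http_header"], crlf_cookie,
                                            b"ieatbugs=", 1024, nocase=True),  # False
        "login_raw": relative_match(b["raw"], crlf_cookie,
                                    b"ieatbugs=", 1024, nocase=True),          # True
        "http_cookie": find(b["http_cookie"], b"ieatbugs=") >= 0,             # True
    }


if __name__ == "__main__":
    for name, hit in evaluate_thread_rules().items():
        print(f"{name:20s} {'MATCH' if hit else 'no match'}")
```

Run stand-alone it prints one line per check: the sid 68 style pattern hits in the raw payload, the same pattern under http_header misses because the Cookie line never enters that buffer, evilghost's "|0d 0a|Cookie\:" fragment fails for the same reason once http_header is applied, and the cookie value is reachable only through http_cookie. That is the trade-off Will describes: staying in the raw buffer keeps the match but gives up the header-only search scope.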
Current thread:
- http_header issues, Snort 2.8.5.3 evilghost () packetmail net (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 Will Metcalf (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 evilghost () packetmail net (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 Mike Cox (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 L0rd Ch0de1m0rt (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 Jason Brvenik (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 L0rd Ch0de1m0rt (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 evilghost () packetmail net (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 Jason Brvenik (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 Russ Combs (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 Paul Schmehl (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 evilghost () packetmail net (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 Will Metcalf (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 Paul Schmehl (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 Jason Brvenik (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 Steven Sturges (Apr 01)
- Re: http_header issues, Snort 2.8.5.3 Will Metcalf (Apr 01)
- <Possible follow-ups>
- Re: http_header issues, Snort 2.8.5.3 Jeff Kell (Apr 01)