Snort mailing list archives
Re: HTTP Signature not triggering
From: "JOSH RIVEL, BLOOMBERG/ 731 LEXIN" <jrivel () bloomberg net>
Date: 14 Apr 2010 21:30:02 -0400
*DOH* that would do it, thanks Will. I just modified the rule and I'm pushing the policy out now and will test again. Thanks for being my second set of eyes...

Josh

----- Original Message -----
From: Will Metcalf <william.metcalf () gmail com>
To: JOSH RIVEL (BLOOMBERG/ 731 LEXIN)
Cc: rmkml () free fr, snort-sigs () lists sourceforge net
At: 4/14 21:27:25

\x3a is ":" so you don't need it again...

Regards,

Will

pcre:"/^Content-Length:\x3a\s*[0-9]{7,}\r$/mi"

On Wed, Apr 14, 2010 at 8:21 PM, JOSH RIVEL, BLOOMBERG/ 731 LEXIN <jrivel () bloomberg net> wrote:

OK so the signature now looks like this but is still not triggering:

alert tcp $HOME_NET !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\x3a\s*[0-9]{7,}\r$/mi"; msg:"HTTP POST over 1mb - pcre only"; classtype:policy-violation; sid:1872316; gid:1; rev:3; )

This is on a Sourcefire 3D3500 sensor with snort 2.8.5.

Thanks,
Josh

----- Original Message -----
From: Josh Rivel <jrivel () bloomberg net>
To: william.metcalf () gmail com
Cc: snort-sigs () lists sourceforge net
At: 4/14 17:51:56

Will,

Running pcretest with that pcre does work, but I will try your suggested PCRE and see if that fixes things.

Thanks,
Josh

---- Original Message ----
From: Will Metcalf <william.metcalf () gmail com>
At: 4/14/2010 17:39

hmmm that pcre doesn't look quite right... Does the sig fire if you remove it? If it does, maybe try something like the following...

pcre:"/^Content-Length\x3a\s*[0-9]{7,}\r$/Hmi"

Regards,

Will

On Wed, Apr 14, 2010 at 4:20 PM, JOSH RIVEL, BLOOMBERG/ 731 LEXIN <jrivel () bloomberg net> wrote:

Hello, so I have the following signature looking for HTTP posts of size > 1mb to any machines in $EXTERNAL_NET, but despite my best efforts I can't get it to trigger.

alert tcp $HOME_NET !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*[0-9]{7,}$/i"; msg:"HTTP POST over 1mb - pcre only"; classtype:policy-violation; sid:1872316; gid:1; rev:1; )

I uploaded a 2mb file to a website and the signature did not trigger. Here are the snippets from tcpdump output on the sensor of the file being uploaded.

POST /test/upload.php HTTP/1.1
Host: xx
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: http://xx/xx
Content-Type: multipart/form-data; boundary=---------------------------1588529377280840353328422082
Content-Length: 2097381
Connection: Keep-Alive

-----------------------------1588529377280840353328422082
Content-Disposition: form-data; name="uploaded"; filename="2mb"
Content-Type: application/octet-stream

That signature does not trigger, however this one does (which has bad PCRE in it to detect file sizes of > 1mb). I also tried using stream_size:client,>=,1048576 in the signature with no luck. (So here's the bad signature, but it does trigger.)

alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content- Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:15; )

Any thoughts? I'm wracking my brains trying to sort this one out...

Thanks,
Josh

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
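As an added illustration (not code from the thread), the script below runs the four pcre options posted in this thread against a header block rebuilt from Josh's tcpdump snippet, using Python's re module as a stand-in for Snort's PCRE engine to show why the doubled colon (`Content-Length:\x3a`) can never match and why the rev:1 pattern without /m cannot anchor on a header in the middle of the request. Assumptions: CRLF line endings in the request (tcpdump output does not show them), and the Snort-only H modifier is simply dropped, since the pattern is applied to the header block alone.

```python
import re

# Constructed sample: the request headers from the tcpdump snippet in the
# thread, re-joined with CRLF line endings (assumed; not visible in the dump).
REQUEST = (
    "POST /test/upload.php HTTP/1.1\r\n"
    "Host: xx\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------------1588529377280840353328422082\r\n"
    "Content-Length: 2097381\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

FLAG_MAP = {"i": re.I, "m": re.M, "s": re.S, "x": re.X}

def snort_pcre(option: str) -> "re.Pattern":
    """Turn a Snort pcre:"/pattern/flags" option into a compiled Python regex.
    i/m/s/x and the \\x3a escape behave the same in both engines. The Snort-only
    H modifier (match the normalised HTTP header buffer) is dropped here; the
    caller passes only the header block, which is the equivalent input."""
    body = option.split(":", 1)[1].strip().strip('"')       # /pattern/flags
    pattern, _, flags = body[1:].rpartition("/")
    py_flags = 0
    for f in flags:
        if f != "H":
            py_flags |= FLAG_MAP[f]
    return re.compile(pattern, py_flags)

# The pcre options exactly as posted in the thread, in posting order.
RULES = {
    "rev1 (original, no /m)": r'pcre:"/^Content-Length:\s*[0-9]{7,}$/i"',
    "Will's suggestion":      r'pcre:"/^Content-Length\x3a\s*[0-9]{7,}\r$/Hmi"',
    "rev3 (colon doubled)":   r'pcre:"/^Content-Length:\x3a\s*[0-9]{7,}\r$/mi"',
    "bad-but-firing (/x)":    r'pcre:"/^Content- Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"',
}

def evaluate(request: str = REQUEST) -> dict:
    """Return {rule name: True/False} for whether each pcre matches the headers."""
    return {name: bool(snort_pcre(opt).search(request)) for name, opt in RULES.items()}

def fires_for_length(n: int, rule: str = "Will's suggestion") -> bool:
    """Swap in a different Content-Length to locate a pattern's real threshold:
    [0-9]{7,} fires from 1,000,000 bytes, not from 1 MiB (1,048,576)."""
    req = REQUEST.replace("Content-Length: 2097381", f"Content-Length: {n}")
    return bool(snort_pcre(RULES[rule]).search(req))

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:26s} -> {'match' if hit else 'no match'}")
```

The "bad" signature fires only because its /x modifier makes PCRE ignore the stray space in `Content- Length`, and its /m lets `^` anchor at the start of the header line; the rev:1 pattern lacks /m, so `^` only matches at the very start of the buffer, which is the POST line.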
Current thread:
- HTTP Signature not triggering JOSH RIVEL, BLOOMBERG/ 731 LEXIN (Apr 14)
- Re: HTTP Signature not triggering Will Metcalf (Apr 14)
- <Possible follow-ups>
- Re: HTTP Signature not triggering JOSH RIVEL, BLOOMBERG/ 731 LEXIN (Apr 14)
- Re: HTTP Signature not triggering Will Metcalf (Apr 14)
- Re: HTTP Signature not triggering JOSH RIVEL, BLOOMBERG/ 731 LEXIN (Apr 14)
- Re: HTTP Signature not triggering Will Metcalf (Apr 14)
- Re: HTTP Signature not triggering JOSH RIVEL, BLOOMBERG/ 731 LEXIN (Apr 14)
- Re: HTTP Signature not triggering JOSH RIVEL, BLOOMBERG/ 731 LEXIN (Apr 14)