Snort mailing list archives
Re: Using within after http_headers
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 30 Apr 2010 15:48:16 -0400
Roger. I'll defer to Olney/$vrt, they've tested and used those modifiers for a lot longer than I. On Fri, Apr 30, 2010 at 3:44 PM, Will Metcalf <william.metcalf () gmail com>wrote:
On Fri, Apr 30, 2010 at 2:31 PM, Joel Esler <jesler () sourcefire com>wrote:http_client_body and http_uri aren't normalizers though, they are just pointers to locations, the way that I read it.http_uri is normalized... Not sure about http_client_body..As far as the distance:0; that's simply saying that the subsequentcontentmust be after the uricontent. not any distance "away" from the end ofit,just after the previous match succeeded.I understand but this can lead to false negatives. If the uricontent has to be decoded, using the uricontent,content,distance:0 combo causes the rule not to fire completely.... Regards, WillJ On Fri, Apr 30, 2010 at 3:21 PM, Will Metcalf <william.metcalf () gmail com wrote:Correct. Since this is a normalized field (similar to uricontent),youcan't have a relative statement to a normalized http field like that. This is as designed.This is not entirely accurate ;-)... For example some of the spyware-put rules mix uricontent,content and distance:0 Also from my tests you can mix http_client_body and http_uri with distance and within, but it fails always for cookie and header. Also with http_uri just like uricontent if you encode the url distance and within doesn't work. Regards, Will On Fri, Apr 30, 2010 at 11:47 AM, Joel Esler <jesler () sourcefire com> wrote:On Fri, Apr 30, 2010 at 12:35 PM, Mike Cox <mike.cox52 () gmail com>wrote:I'm testing some rules and it seems that using the within content modifier on a content match that is relative to a previous content match and uses the http_headers content modifier does not work. For example, this is the original rule that is not alerting: alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; http_header; content:!"google.com"; nocase; within:50; classtype:bad-unknown; rev:1; sid:7500010;) But if I remove the within OR the http_header content modifiers, the rule alerts. So both these alert: alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; content:!"google.com"; nocase; within:50; classtype:bad-unknown; rev:1; sid:7500010;) alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; http_header; content:!"google.com"; nocase; classtype:bad-unknown; rev:1; sid:7500010;) Is there some weird stuff going on with the HTTP header buffer such that subsequent within content modifiers don't work? If so, is this as designed? Thanks. -Mike Cox------------------------------------------------------------------------------_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs------------------------------------------------------------------------------_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
------------------------------------------------------------------------------
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- Using within after http_headers Mike Cox (Apr 30)
- Re: Using within after http_headers Joel Esler (Apr 30)
- Re: Using within after http_headers Will Metcalf (Apr 30)
- Re: Using within after http_headers Joel Esler (Apr 30)
- Re: Using within after http_headers Will Metcalf (Apr 30)
- Re: Using within after http_headers Joel Esler (Apr 30)
- Re: Using within after http_headers Alex Kirk (May 03)
- Re: Using within after http_headers Will Metcalf (Apr 30)
- Re: Using within after http_headers Joel Esler (Apr 30)