Snort mailing list archives

Re: http_header issues, Snort 2.8.5.3


From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Thu, 1 Apr 2010 10:24:35 -0500

From http://owl.english.purdue.edu/owl/resource/591/01/

"'A' goes before all words that begin with consonants. ... With one
exception: Use 'an' before unsounded h."

The "H" in "HTTP" is clearly sounded since we are saying the letter itself.

Hope this helps.

-L0rd Ch0de1m0rt

On 4/1/10, Jason Brvenik <jasonb () sourcefire com> wrote:
It does seem odd that the cookie is not in the headers but I'm sure
there is a reason that the choice was made.

Dunno on the "a" VS "an" thing. By my read, the "H" is pronounced and
therefore the use of "an" is appropriate.

On Thu, Apr 1, 2010 at 10:58 AM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt () gmail com> wrote:
Mike,

Since you seem to be good at pointing out errors in the snort manual,
you may also want to note that the use of "an HTTP" is rampant
throughout it.  Might I suggest a little Find & Replace to the manual
maintainer(s)?   :)

Cheers,

-L0rd Ch0de1m0rt

On 4/1/10, Mike Cox <mike.cox52 () gmail com> wrote:
Agreed, I'm shocked that the http_header buffer doesn't include the
Cookie header.  It doesn't make sense.  According to the manual, "The
http header keyword is a content modifier that restricts the search to
the extracted Header fields of an HTTP client
request." (as an aside, note the incorrect use of 'an' instead of 'a')
 Why is the Cookie header a second class citizen in the HTTP headers
world?  I understand having a separate http_cookie buffer but it
doesn't mean Cookies are not headers anymore....

-Mike Cox

On 4/1/10, evilghost () packetmail net <evilghost () packetmail net> wrote:
Thanks Will for the speedy response, I apologize for not having read your
response to the list earlier.  I agree with you regarding this and it's
counter-intuitive to have the Cookie removed from the http_header
buffer.

-evilghost

Will Metcalf wrote:
That's because the cookie isn't included in the normalized header
buffer; you can only get to it via the http_cookie modifier.  I know, it
doesn't make any sense to me either.  I sent the following e-mail to
snort-devel on 3/17.

"This is just my 2 cents, but I don't think the following behavior
makes sense.  I think that even though you are providing http_cookie
as a separate buffer to match on it should still be included in the
http_header buffer, well because it is part of the headers.

You can still match using the raw buffer but then you have to add
additional checks to try and differentiate between the headers and the
body which is why I'm guessing these modifiers were created in the
first place.  I realize that in most cases header order doesn't matter
but there may be instances where you can fingerprint a piece of
automated code (read malware) using a rule similar to sid 69 below.

Regards,

Will"

#this matches but I lose the performance/accuracy benefit of only
#matching within the buffer containing http_headers.
alert tcp any any -> any any (msg:"http_cookie + "; content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; classtype:bad-unknown; sid:68; rev:1;)

#this fails to match as the cookie is not part of the http_header
#buffer but is part of the real http headers.
alert tcp any any -> any any (msg:"http_cookie + "; content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; http_header; classtype:bad-unknown; sid:69; rev:1;)



On Thu, Apr 1, 2010 at 9:22 AM, evilghost () packetmail net
<evilghost () packetmail net> wrote:

Hello, I am running Snort 2.8.5.3 and it appears that either
http_header; is not working correctly, does not work with a relative
keyword, or I do not understand http_header; correctly.  I am
attempting to constrain a content match to the http_header for
performance reasons.

Note, no need to recommend isdataat, I know there is data within 1024
bytes past the previous content match.

Does NOT work:
   uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: ";
nocase; http_header; content:"ieatbugs="; within:1024;

Does work:
   uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: ";
nocase; content:"ieatbugs="; within:1024;

Comments/insight appreciated.

-evilghost

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



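The behaviour the thread reports (a Cookie header that is reachable via http_cookie but absent from the http_header buffer, so only a raw-buffer or http_cookie match sees it) is easy to replay with a toy model. The code below is an added illustration, not Snort's source or anything posted in the thread: it assumes a simplified buffer split (request line, headers minus Cookie, cookie value, body), a constructed sample request, and Snort-style content strings with |hex| escapes; real http_inspect normalization does more than this.

```python
# Constructed sample request: /login.php with the cookie name from
# evilghost's rule and the Content-Type from Will's sid 68/69 rules.
SAMPLE_REQUEST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Cookie: ieatbugs=1; PHPSESSID=abc\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=bob"
)

def snort_content(pattern: str) -> bytes:
    """Convert a Snort content string (|hex| escapes, '\\:') to bytes."""
    out = b""
    for i, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.replace("\\:", ":").encode()
    return out

def extract_buffers(raw: bytes) -> dict:
    """Toy model of the 2.8.5.3 split described in the thread: the Cookie
    header goes to http_cookie only and is dropped from http_header."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    uri = request_line.split(b" ")[1]
    cookie, kept = b"", []
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie = value.strip()        # visible to http_cookie only
        else:
            kept.append(line)             # stays in http_header
    return {"raw": raw, "uri": uri, "http_header": b"\r\n".join(kept) + b"\r\n",
            "http_cookie": cookie, "body": body}

def content_matches(buffers: dict, pattern: str, buf: str = "raw", nocase: bool = False) -> bool:
    """Emulate content:"pattern"; [nocase;] [http_header;|http_cookie;]"""
    hay, needle = buffers[buf], snort_content(pattern)
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

def thread_cases() -> dict:
    b = extract_buffers(SAMPLE_REQUEST)
    return {
        "raw_cookie": content_matches(b, "|0d 0a|Cookie\\: ", "raw", nocase=True),
        "hdr_cookie": content_matches(b, "|0d 0a|Cookie\\: ", "http_header", nocase=True),
        "cookie_buf": content_matches(b, "ieatbugs=", "http_cookie"),
        "hdr_ctype":  content_matches(b, "Content-Type|3A| application", "http_header"),
    }
```

thread_cases() returns True for the raw-buffer cookie match and the http_cookie match, False for the same cookie pattern restricted with http_header, and True for a non-cookie header matched in http_header, which is exactly the split the thread complains about.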