Snort mailing list archives
http_client_body, distance and ignoring requirement for content match?
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Tue, 10 Aug 2010 20:47:16 +0000
Why in the world would the following signature match against the below POST?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO Exploit Kit - request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; http_client_body; classtype:bad-unknown; sid:5600100; rev:2;)

POST /earth-expandable-substrate-pack-p-1903.html?action=add_product&currency=USD&osCsid=uhlf66l9csn4gkpvj9kq016ht2 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.mopsdirect.us/earth-expandable-substrate-pack-p-1903.html?currency=USD
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.mopsdirect.us
Content-Length: 26
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: osCsid=uhlf66l9csn4gkpvj9kq016ht2

products_id=1903&x=45&y=13

This should require "id=" and then "|25 32 36|j" to be 32 bytes or more away within the http_client_body. However, it isn't possible for this to happen: since there are only 14 bytes of data within the http_client_body after the "id=", it should not be possible to match.
I have other signatures that are NOT firing on this packet but are nearly identical:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:32; http_client_body; classtype:bad-unknown; sid:5600101; rev:2;)

It is very puzzling that one would fire and not the other... Snort can't be ignoring the content match for four vs five bytes for some reason, could it? ("|25 32 36|jp" vs "|25 32 36|j")

-- Eoin
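As an added illustration (not from the thread and not Snort's own code), here is a small Python model of the content/distance semantics the post relies on: `distance` is measured from the end of the previous content match, so the second pattern can only start 32 or more bytes after "id=". Run against the 26-byte body quoted above, both sids come out as no-match, which is the behaviour the rule author expects; the two extra bodies are constructed to show where the boundary lies.

```python
# Model of Snort content + distance matching over the http_client_body buffer.
# Constructed example for rule testing; it is not Snort's matcher.

# The request body quoted in the post (Content-Length: 26).
CLIENT_BODY = b"products_id=1903&x=45&y=13"

# (pattern, distance) pairs in rule order; "|25 32 36|j" is the bytes b"%26j".
SID_5600100 = [(b"id=", 0), (b"%26j", 32)]
SID_5600101 = [(b"id=", 0), (b"%26jp", 32)]


def match_contents(buf: bytes, contents, start: int = 0) -> bool:
    """Return True if every (pattern, distance) pair matches in order.

    distance is relative to the end of the previous match. If a later
    pattern fails, the earlier pattern is retried at its next occurrence,
    so a match is not missed just because the first occurrence was too early.
    """
    if not contents:
        return True
    pattern, distance = contents[0]
    idx = buf.find(pattern, start + distance)  # -1 if start+distance > len(buf)
    while idx >= 0:
        if match_contents(buf, contents[1:], idx + len(pattern)):
            return True
        idx = buf.find(pattern, idx + 1)  # backtrack to the next occurrence
    return False


def bytes_after(buf: bytes, pattern: bytes) -> int:
    """Bytes remaining in the buffer after the first match of pattern (-1 if absent)."""
    idx = buf.find(pattern)
    return -1 if idx < 0 else len(buf) - (idx + len(pattern))


if __name__ == "__main__":
    print("bytes after 'id=':", bytes_after(CLIENT_BODY, b"id="))  # 14
    print("sid:5600100 matches:", match_contents(CLIENT_BODY, SID_5600100))  # False
    print("sid:5600101 matches:", match_contents(CLIENT_BODY, SID_5600101))  # False
    # Constructed bodies showing the distance boundary: 32 filler bytes match, 31 do not.
    print(match_contents(b"id=" + b"A" * 32 + b"%26j", SID_5600100))  # True
    print(match_contents(b"id=" + b"A" * 31 + b"%26j", SID_5600100))  # False
```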