Snort mailing list archives
Bug with file_data pointer being set in 2.9.0?
From: Will Metcalf <william.metcalf () gmail com>
Date: Thu, 21 Oct 2010 21:59:05 -0500
Where is file_data supposed to be set? Directly after the headers and starting with the response_body, correct? In 2.8.6 the following rule works as I believe it should. I can do matches relative to the start of the response body. Seems like a lot of ifdef'd code around zlib, so perhaps this is all because I didn't enable zlib support or something? Anyhow...

    alert tcp any any -> any any (msg:"file_data within/distance test"; flow:to_client,established; file_data; content:"<!DOCTYPE html"; within:20; sid:120001;)

    downloads/snort-2.8.6.1$ grep -n "printf" * -r | grep body
    src/preprocessors/HttpInspect/server/hi_server.c:1024: printf("server response body %s\n",Server->response.body);

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.8.6.1 (Build 39)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2010 Sourcefire, Inc., et al.
               Using PCRE version: 7.8 2008-09-05

               Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
               Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
               Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
               Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
               Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
               Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
               Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
               Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
               Preprocessor Object: SF_SDF  Version 1.1  <Build 1>

    Not Using PCAP_FRAMES
    server response body <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir="ltr" >
    <head>
    <base href="http://www.openinfosecfoundation.org/index.php/component/search/1234567891011" />
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <meta name="robots" content="index, follow" />
    <meta name="keywords" content="" />
    <meta name="description" content="Open Information Security Foundation" />
    <meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
    <title>The Open Information Security Foundation - Search</title>
    <link href="/templates/maximumedia-oisf_2.5/favicon.ico" rel="shortcut icon" type="image/x-icon" />
    <link rel="stylesheet" href="/templates/maximumedia-oisf_2.5/css/template.css" type="text/css" />
    <link rel="stylesheet" href="/templates/maximumedia-oisf_2.5/css/variations/comboblue.css" type
    03/07-22:19:54.786893 [**] [1:120001:0] file_data within/distance test [**] [Priority: 0] {TCP} 96.43.130.5:80 -> 192.168.100.17:38111

However, in 2.9.0 with the same config, only changing the dynamicpreprocessor directory and dynamicengine, I get the following and no alert. However, I do get an alert for this rule, which matches on "HTTP" in the first 4 bytes of the response + headers.

    alert tcp any any -> any any (msg:"file_data within/distance test"; flow:to_client,established; file_data; content:"HTTP"; within:4; sid:120002;)

    snort-2.9.0$ grep -n "printf" * -r | grep body
    src/preprocessors/HttpInspect/server/hi_server.c:1202: printf("server response body %s\n",Server->response.body);

            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.0 (Build 68)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2010 Sourcefire, Inc., et al.
               Using libpcap version 1.0.0
               Using PCRE version: 7.8 2008-09-05

               Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
               Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
               Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
               Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
               Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
               Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
               Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
               Preprocessor Object: SF_SDF  Version 1.1  <Build 1>

    Commencing packet processing (pid=15082)
    server response body HTTP/1.1 200 OK
    Date: Mon, 08 Mar 2010 03:17:15 GMT
    Server:
    X-Powered-By: PHP/5.2.12
    P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
    Expires: Mon, 1 Jan 2001 00:00:00 GMT
    Last-Modified: Mon, 08 Mar 2010 03:17:15 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Content-Length: 13466
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir="ltr" >
    <head>
    <base href="http://www.openinfosecfoundation.org/index.php/component/search/1234567891011" />
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <meta name="robots" content="index, follow" />
    <meta name="keywords" content="" />
    <meta name="description" content="Open Information Security Foundation" />
    <meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
    <title>The Open Information Security Foundation - Search</title>
    <link href="/templates/maximumedia-oisf_2.5/favicon.ico" rel="shortcut icon" type="image/x-icon" />
    <link rel="stylesheet" href="/templates/maximumedia-oisf_2.5/css/template.css" type="text/css" />
    <link rel="stylesheet" href="/templates/maximumedia-oisf_2.5/css/variations/comboblue.css" type
    03/07-22:19:54.361333 [**] [1:120002:0] file_data within/distance test [**] [Priority: 0] {TCP} 96.43.130.5:80 -> 192.168.100.17:38111
Attachment: oisfsearchnums.pcap
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
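As an added example (not code from the original post or from Snort itself), the following Python models the `content; within:N` check relative to the file_data cursor against a constructed HTTP response, evaluating both rules from the post with the cursor at the start of the body (what the 2.8.6 debug print shows) and at the start of the response (what the 2.9.0 debug print shows). `RESPONSE`, `body_offset`, `content_within` and `compare` are names chosen here, and the within semantics are a simplified model of Snort's.

```python
# Added example, not from the original post: a toy model of
# `file_data; content:"..."; within:N` used to compare the two cursor
# placements visible in the two debug outputs in the thread.
# The HTTP response below is constructed for the example, not the pcap.

RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 13466\r\n"
    b"\r\n"
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">'
    b"<html><head><title>test</title></head></html>"
)

def body_offset(response: bytes) -> int:
    """Offset of the first body byte: just past the blank line that ends
    the header block (where the 2.8.6 debug print shows file_data)."""
    end = response.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("no end of headers in response")
    return end + 4

def content_within(buf: bytes, cursor: int, pattern: bytes, within: int) -> bool:
    """Simplified `content:<pattern>; within:<N>`: the whole pattern must
    sit inside the N bytes that start at the cursor."""
    return pattern in buf[cursor:cursor + within]

# (pattern, within) for the two rules quoted in the post
RULES = {
    120001: (b"<!DOCTYPE html", 20),  # body-relative rule
    120002: (b"HTTP", 4),             # matches only at the status line
}

def fired(response: bytes, cursor: int) -> set:
    """Sids that would alert with file_data pointing at `cursor`."""
    return {sid for sid, (pat, n) in RULES.items()
            if content_within(response, cursor, pat, n)}

def compare(response: bytes) -> dict:
    """Evaluate both rules with file_data at the body and at byte 0."""
    return {
        "file_data_at_body": fired(response, body_offset(response)),
        "file_data_at_response_start": fired(response, 0),
    }

if __name__ == "__main__":
    for placement, sids in compare(RESPONSE).items():
        print(placement, sorted(sids))
```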
Current thread:
- Bug with file_data pointer being set in 2.9.0? Will Metcalf (Oct 21)
- Re: Bug with file_data pointer being set in 2.9.0? Will Metcalf (Oct 22)
- Re: Bug with file_data pointer being set in 2.9.0? Bhagya Bantwal (Oct 27)
- Re: Bug with file_data pointer being set in 2.9.0? Will Metcalf (Oct 27)
- Re: Bug with file_data pointer being set in 2.9.0? Bhagya Bantwal (Oct 27)
- Re: Bug with file_data pointer being set in 2.9.0? Will Metcalf (Oct 22)