Snort mailing list archives

Bug with file_data pointer being set in 2.9.0?


From: Will Metcalf <william.metcalf () gmail com>
Date: Thu, 21 Oct 2010 21:59:05 -0500

Where is file_data supposed to be set? Directly after the headers,
starting with the response body, correct? In 2.8.6 the following rule
works as I believe it should: I can do matches relative to the start
of the response body. There seems to be a lot of ifdef'd code around zlib,
so perhaps this is all because I didn't enable zlib support or
something? Anyhow...

alert tcp any any -> any any (msg:"file_data within/distance test";
flow:to_client,established; file_data; content:"<!DOCTYPE html";
within:20; sid:120001;)

downloads/snort-2.8.6.1$ grep -n "printf" * -r | grep body
src/preprocessors/HttpInspect/server/hi_server.c:1024:
printf("server response body %s\n",Server->response.body);

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
Not Using PCAP_FRAMES
server response body <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb"
lang="en-gb" dir="ltr" >
<head>
  <base href="http://www.openinfosecfoundation.org/index.php/component/search/1234567891011"
/>
  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
  <meta name="robots" content="index, follow" />
  <meta name="keywords" content="" />
  <meta name="description" content="Open Information Security Foundation" />
  <meta name="generator" content="Joomla! 1.5 - Open Source Content
Management" />
  <title>The Open Information Security Foundation - Search</title>
  <link href="/templates/maximumedia-oisf_2.5/favicon.ico"
rel="shortcut icon" type="image/x-icon" />
  <link rel="stylesheet"
href="/templates/maximumedia-oisf_2.5/css/template.css"
type="text/css" />
  <link rel="stylesheet"
href="/templates/maximumedia-oisf_2.5/css/variations/comboblue.css"
type

03/07-22:19:54.786893  [**] [1:120001:0] file_data within/distance
test [**] [Priority: 0] {TCP} 96.43.130.5:80 -> 192.168.100.17:38111

However, in 2.9.0 with the same config, only changing the
dynamicpreprocessor directory and dynamicengine, I get the following
and no alert. However, I do get an alert for this rule, which matches on
"HTTP" in the first 4 bytes of the response + headers.

alert tcp any any -> any any (msg:"file_data within/distance test";
flow:to_client,established; file_data; content:"HTTP"; within:4;
sid:120002;)

snort-2.9.0$ grep -n "printf" * -r | grep body
src/preprocessors/HttpInspect/server/hi_server.c:1202:
printf("server response body %s\n",Server->response.body);


        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0 (Build 68)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
Commencing packet processing (pid=15082)
server response body HTTP/1.1 200 OK
Date: Mon, 08 Mar 2010 03:17:15 GMT
Server:
X-Powered-By: PHP/5.2.12
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 08 Mar 2010 03:17:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 13466
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb"
lang="en-gb" dir="ltr" >
<head>
  <base href="http://www.openinfosecfoundation.org/index.php/component/search/1234567891011"
/>
  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
  <meta name="robots" content="index, follow" />
  <meta name="keywords" content="" />
  <meta name="description" content="Open Information Security Foundation" />
  <meta name="generator" content="Joomla! 1.5 - Open Source Content
Management" />
  <title>The Open Information Security Foundation - Search</title>
  <link href="/templates/maximumedia-oisf_2.5/favicon.ico"
rel="shortcut icon" type="image/x-icon" />
  <link rel="stylesheet"
href="/templates/maximumedia-oisf_2.5/css/template.css"
type="text/css" />
  <link rel="stylesheet"
href="/templates/maximumedia-oisf_2.5/css/variations/comboblue.css"
type
03/07-22:19:54.361333  [**] [1:120002:0] file_data within/distance
test [**] [Priority: 0] {TCP} 96.43.130.5:80 -> 192.168.100.17:38111

Attachment: oisfsearchnums.pcap
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
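An added example, not part of Will's post and not Snort's own code: a small Python model of the two buffer placements the post observed (file_data pointing at the response body as in 2.8.6, versus at the status line as printed by 2.9.0) and of how the `content`/`within` checks in sid 120001 and sid 120002 behave against each. The sample response is constructed from the headers shown above and trimmed; the function names and the simplified `within` semantics (match must fall inside the first N bytes from the buffer start, since no earlier `content` sets a cursor) are my assumptions for illustration.

```python
# Added example: model where file_data should point and evaluate the two
# rules from the thread against each placement. Not Snort source code.

HEADER_END = b"\r\n\r\n"

# Constructed sample: headers modelled on the response in the post, body trimmed.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 08 Mar 2010 03:17:15 GMT\r\n"
    b"Content-Length: 13466\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n'
    b'"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n'
    b"<html>"
)

# Simplified rules from the post: sid -> (content pattern, within).
RULES = {
    120001: (b"<!DOCTYPE html", 20),
    120002: (b"HTTP", 4),
}


def response_body(raw: bytes) -> bytes:
    """Bytes after the first CRLFCRLF, i.e. where file_data is expected to start.

    With no header terminator present there is no body yet, so the buffer
    is empty rather than silently falling back to the headers.
    """
    idx = raw.find(HEADER_END)
    if idx < 0:
        return b""
    return raw[idx + len(HEADER_END):]


def content_within(buf: bytes, needle: bytes, within: int) -> bool:
    """Model of `content:"X"; within:N;` directly after file_data.

    The pattern must end no more than N bytes from the buffer start, which
    is the same as asking whether it appears inside the first N bytes.
    """
    return needle in buf[:within]


def evaluate(raw: bytes, placement: str) -> dict:
    """Run RULES with file_data placed at 'body' (after headers) or at
    'response' (status line, what the 2.9.0 debug print showed)."""
    if placement == "body":
        buf = response_body(raw)
    elif placement == "response":
        buf = raw
    else:
        raise ValueError("placement must be 'body' or 'response'")
    return {sid: content_within(buf, needle, within)
            for sid, (needle, within) in RULES.items()}


if __name__ == "__main__":
    for placement in ("body", "response"):
        print(placement, evaluate(SAMPLE_RESPONSE, placement))
```

With file_data at the body, sid 120001 fires and sid 120002 does not; with file_data at the status line the results invert, which is exactly the pair of outcomes the post reports for 2.8.6 and 2.9.0.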