Snort mailing list archives
Re: Bug with file_data pointer being set in 2.9.0?
From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Wed, 27 Oct 2010 14:49:01 -0400
Will,

In 2.9.0 we changed HTTP inspect to inspect HTTP response body in stream rebuilt packets only. In the pcap you provided the HTTP response with response code 301 and 200 get combined into one segment due to stream reassembly and hence we do not set the file data pointer correctly. A bug has been filed for this issue.

Thanks for reporting the issue.

-B

On Fri, Oct 22, 2010 at 10:20 AM, Will Metcalf <william.metcalf () gmail com> wrote:
> I'm seeing the same thing compiling with gzip support and enabling gzip inspection.
>
> Regards,
>
> Will
>
> On Thu, Oct 21, 2010 at 9:59 PM, Will Metcalf <william.metcalf () gmail com> wrote:
>> Where is file_data supposed to be set? Directly after the headers and starting with the response_body, correct? In 2.8.6 the following rule works as I believe it should. I can do matches relative to the start of the response body. Seems like a lot of ifdef'd code around zlib, so perhaps this is all because I didn't enable zlib support or something? Anyhow...
>>
>> alert tcp any any -> any any (msg:"file_data within/distance test"; flow:to_client,established; file_data; content:"<!DOCTYPE html"; within:20; sid:120001;)
>>
>> downloads/snort-2.8.6.1$ grep -n "printf" * -r | grep body
>> src/preprocessors/HttpInspect/server/hi_server.c:1024: printf("server response body %s\n",Server->response.body);
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.8.6.1 (Build 39)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>            Using PCRE version: 7.8 2008-09-05
>>
>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
>>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>>            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
>>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>>
>> Not Using PCAP_FRAMES
>> server response body <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir="ltr" >
>> <head>
>> <base href="http://www.openinfosecfoundation.org/index.php/component/search/1234567891011 "/>
>> <meta http-equiv="content-type" content="text/html; charset=utf-8" />
>> <meta name="robots" content="index, follow" />
>> <meta name="keywords" content="" />
>> <meta name="description" content="Open Information Security Foundation"/><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
>> <title>The Open Information Security Foundation - Search</title>
>> <link href="/templates/maximumedia-oisf_2.5/favicon.ico" rel="shortcut icon" type="image/x-icon" />
>> <link rel="stylesheet" href="/templates/maximumedia-oisf_2.5/css/template.css" type="text/css" />
>> <link rel="stylesheet" href="/templates/maximumedia-oisf_2.5/css/variations/comboblue.css" type
>> 03/07-22:19:54.786893  [**] [1:120001:0] file_data within/distance test [**] [Priority: 0] {TCP} 96.43.130.5:80 -> 192.168.100.17:38111
>>
>> However in 2.9.0 with the same config, only changing dynamicpreprocessor directory and dynamicengine, I get the following and no alert. However I do get an alert for this rule, which matches on HTTP in the first 4 bytes of the response+headers.
>>
>> alert tcp any any -> any any (msg:"file_data within/distance test"; flow:to_client,established; file_data; content:"HTTP"; within:4; sid:120002;)
>>
>> snort-2.9.0$ grep -n "printf" * -r | grep body
>> src/preprocessors/HttpInspect/server/hi_server.c:1202: printf("server response body %s\n",Server->response.body);
>>
>> --== Initialization Complete ==--
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.0 (Build 68)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>            Using libpcap version 1.0.0
>>            Using PCRE version: 7.8 2008-09-05
>>
>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
>>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>>            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
>>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>>
>> Commencing packet processing (pid=15082)
>> server response body HTTP/1.1 200 OK
>> Date: Mon, 08 Mar 2010 03:17:15 GMT
>> Server:
>> X-Powered-By: PHP/5.2.12
>> P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
>> Expires: Mon, 1 Jan 2001 00:00:00 GMT
>> Last-Modified: Mon, 08 Mar 2010 03:17:15 GMT
>> Cache-Control: no-store, no-cache, must-revalidate, post-check=0,pre-check=0
>> Pragma: no-cache
>> Content-Length: 13466
>> Keep-Alive: timeout=5, max=99
>> Connection: Keep-Alive
>> Content-Type: text/html; charset=utf-8
>>
>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir="ltr" >
>> <head>
>> <base href="http://www.openinfosecfoundation.org/index.php/component/search/1234567891011 "/>
>> <meta http-equiv="content-type" content="text/html; charset=utf-8" />
>> <meta name="robots" content="index, follow" />
>> <meta name="keywords" content="" />
>> <meta name="description" content="Open Information Security Foundation"/><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
>> <title>The Open Information Security Foundation - Search</title>
>> <link href="/templates/maximumedia-oisf_2.5/favicon.ico" rel="shortcut icon" type="image/x-icon" />
>> <link rel="stylesheet" href="/templates/maximumedia-oisf_2.5/css/template.css" type="text/css" />
>> <link rel="stylesheet" href="/templates/maximumedia-oisf_2.5/css/variations/comboblue.css" type
>> 03/07-22:19:54.361333  [**] [1:120002:0] file_data within/distance test [**] [Priority: 0] {TCP} 96.43.130.5:80 -> 192.168.100.17:38111
>
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> http://p.sf.net/sfu/nokia-dev2dev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
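An added example, not code from this thread or from Snort itself: a small Python model of where the file_data cursor is meant to land (the first byte of the response body) and what the thread reports for 2.9.0 when a 301 and a 200 response arrive in one stream-rebuilt segment. The responses are constructed samples, and the `within` semantics are a simplified model of the two rules quoted above.

```python
import re

# Constructed sample responses (not from the thread's pcap), modelled on the
# 301 + 200 pair the reply says stream reassembly merged into one segment.
BODY_200 = b"<!DOCTYPE html><html></html>"
RESP_301 = (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: http://example.invalid/index.php/component/search/\r\n"
            b"Content-Length: 0\r\n\r\n")
RESP_200 = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html; charset=utf-8\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY_200)) + BODY_200
SEGMENT = RESP_301 + RESP_200   # one stream-rebuilt packet holding both responses

def split_responses(seg):
    """Split a rebuilt segment into (headers, body) pairs by Content-Length.
    Assumes no chunked encoding; this is a model, not Snort's HTTP inspect."""
    out, pos = [], 0
    while pos < len(seg):
        end = seg.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        hdrs = seg[pos:end + 4]
        m = re.search(rb"(?im)^content-length:\s*(\d+)\r?$", hdrs)
        clen = int(m.group(1)) if m else len(seg) - (end + 4)
        out.append((hdrs, seg[end + 4:end + 4 + clen]))
        pos = end + 4 + clen
    return out

def rule_matches(file_data, pattern, within):
    """Model of `file_data; content:"<pattern>"; within:N;`: the whole pattern
    must sit inside the first N bytes after the file_data cursor."""
    return file_data.find(pattern, 0, within) != -1

def evaluate(seg):
    """Compare the intended cursor (start of each response's body) with the
    behaviour the thread reports: cursor left after the FIRST header block,
    so on a merged segment it lands on the 200's status line, not its body."""
    bodies = [body for _, body in split_responses(seg)]
    reported = seg[seg.find(b"\r\n\r\n") + 4:]
    return {
        "sid120001_intended": any(rule_matches(b, b"<!DOCTYPE html", 20) for b in bodies),
        "sid120001_reported": rule_matches(reported, b"<!DOCTYPE html", 20),
        "sid120002_reported": rule_matches(reported, b"HTTP", 4),
        "reported_cursor": reported[:15],
    }

if __name__ == "__main__":
    print("merged 301+200:", evaluate(SEGMENT))
    print("200 alone:     ", evaluate(RESP_200))
```

Run stand-alone, the merged segment reproduces the thread's symptom (sid 120001 misses, sid 120002 fires, cursor starts at "HTTP/1.1 200 OK"), while a lone 200 response gives the correct cursor either way.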
Current thread:
- Bug with file_data pointer being set in 2.9.0? Will Metcalf (Oct 21)
- Re: Bug with file_data pointer being set in 2.9.0? Will Metcalf (Oct 22)
- Re: Bug with file_data pointer being set in 2.9.0? Bhagya Bantwal (Oct 27)
- Re: Bug with file_data pointer being set in 2.9.0? Will Metcalf (Oct 27)
- Re: Bug with file_data pointer being set in 2.9.0? Bhagya Bantwal (Oct 27)
- Re: Bug with file_data pointer being set in 2.9.0? Will Metcalf (Oct 22)