Snort mailing list archives

Re: Feasibility of bogus cookie checking


From: Daniel Shepherd <shepdelacreme () gmail com>
Date: Thu, 31 Mar 2011 15:45:01 -0400

On Thu, Mar 31, 2011 at 3:18 PM, Lay, James <james.lay () wincofoods com> wrote:
Bleh… looks like this may not be such a hot idea… been ngrepping today:

sudo ngrep -d eth5 -q '\<Cookie\>.*\<Expires\>' ip and port 80

T 74.125.227.0:80 -> int.ip:42586 [AP]
  HTTP/1.1 200 OK..Set-Cookie: NID=*removed*
  expires=Fri, 30-Sep-2011 19:13:37 GMT; path=/; domain
  =.google.com; HttpOnly..Cache-Control: no-cache, private, must-revalidate
  ..Pragma: no-cache..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Content-Type:
   image/gif..Date: Thu, 31 Mar 2011 19:13:37 GMT..Server: zwbk..Content-Le
  ngth: 43..X-XSS-Protection: 1; mode=block....GIF89a.............!.......,
  ...........D..;



I’m no cookie expert… this looks like the cookie itself expires in
September… not sure what the other portion is… that 01 Jan 1990 would probably
fire a lot of FP’s :( (considering this is from google). Ah well… back to the
drawing board ;)


The second "Expires:" field is related to cache control. Per RFC if
the value in that field is <= to the date of the actual response then
the page/object/whatever "should" not be cached.

You could write the rule and constrain the content match to
"http_cookie" right? Then it shouldn't false on the "Expires:" field
in the header.


James



From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, March 31, 2011 12:32 PM
To: Lay, James
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Feasibility of bogus cookie checking



Interesting that is.  The Regex would be horrible to do for proper
detection, but it could be done.



Joel

On Thu, Mar 31, 2011 at 12:02 PM, Lay, James <james.lay () wincofoods com>
wrote:

Team,



So…seen a couple surprises this morning…one of which was a hit to a pharm
site…the pcap shows something interesting though:



HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 31 Mar 2011 14:05:09 GMT
Content-Type: text/html; charset=ISO-8859-1
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=4u250jlgq57p0c51k2p3beg5n6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent



What caught my attention was the Expires entry… like WAY in the past.  Would
it be feasible to create a rule based on cookie expiration dates in the
past?  Thoughts welcome… thanks.



James

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself;
WebMatrix provides all the features you need to develop and
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort





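The cookie-scoped check Daniel describes, as an added example that is not from the thread or from Snort: it parses the two responses quoted above (the Google NID value is a placeholder) plus a constructed logout response, and flags only cookies whose own expires= attribute is not after the response Date, so the cache-control Expires header that tripped the ngrep run never matches.

```python
from datetime import datetime, timezone
# Both date shapes seen in the thread: RFC 1123 in headers, hyphenated in cookies.
DATE_FORMATS = ("%a, %d %b %Y %H:%M:%S GMT", "%a, %d-%b-%Y %H:%M:%S GMT")

# Responses reconstructed from the thread (NID value is a placeholder).
GOOGLE = """HTTP/1.1 200 OK
Set-Cookie: NID=REDACTED; expires=Fri, 30-Sep-2011 19:13:37 GMT; path=/; domain=.google.com; HttpOnly
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 31 Mar 2011 19:13:37 GMT
"""
PHARM = """HTTP/1.1 200 OK
Date: Thu, 31 Mar 2011 14:05:09 GMT
Set-Cookie: PHPSESSID=4u250jlgq57p0c51k2p3beg5n6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
"""
# Constructed: clearing a cookie by giving it a past expiry is a normal idiom.
LOGOUT = """HTTP/1.1 200 OK
Date: Thu, 31 Mar 2011 14:05:09 GMT
Set-Cookie: session=deleted; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
"""

def parse_http_date(text):
    """Parse an HTTP or cookie date into an aware UTC datetime; None if malformed."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def parse_headers(raw):
    """[(lowercased name, value)] from a raw response head; duplicate names are kept."""
    pairs = (line.split(":", 1) for line in raw.strip().splitlines()[1:] if ":" in line)
    return [(n.strip().lower(), v.strip()) for n, v in pairs]

def expired_cookies(raw):
    """Names of cookies whose expires= attribute is not after the response Date.
    Only Set-Cookie attributes are examined, never the cache-control Expires
    header: the same scoping Snort's http_cookie modifier gives a content match."""
    headers = parse_headers(raw)
    date = parse_http_date(dict(headers).get("date", ""))
    hits = []
    for value in (v for n, v in headers if n == "set-cookie"):
        parts = [p.strip() for p in value.split(";")]
        for attr in parts[1:]:
            if attr.lower().startswith("expires="):
                exp = parse_http_date(attr.split("=", 1)[1])
                if exp and date and exp <= date:
                    hits.append(parts[0].split("=", 1)[0])
    return hits
```

Neither quoted response fires (the pharm page sets a session cookie with no expires at all), while the logout response does, which is the false-positive class a real rule would still need to tune for.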