Snort mailing list archives
issues with 2011033 - ET SCAN HTTP HEAD invalid method case
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Mon, 31 Jan 2011 15:37:33 -0600
Hello snorters. I am seeing alerts from this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP HEAD invalid method case"; flow:established,to_server; content:"head"; http_method; nocase; content:!"HEAD"; http_method; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Invalid_Method; sid:2011033; rev:7;)

But I go back and look at the logged packet by snort and only see this:

-----
08:53:54.207874 IP s.r.f.r.46691 > s.u.x.s.80: R 2457731972:2457733232(1260) ack 1077321784 win 32768
E...c........QQS...^M...P.~..@6.8P...lq.. 0px 5px 5px; border-right: 2px dotted #cbcbcb; color: #558800;} #globalMiscContent {float: left; margin-top: 3px} #globalSearch {float: left; width:225px; height: 35px; margin: 5px 0px 5px 10px; color: #558800 /*#568900*/} #globalSearchContent {float: left; margin-top: 7px} #pageBrandingLarge {float: left; width: 671px; height:205px; background-color:#e2e2e2; border-top: 1px solid #ffffff;} #pageBrandingSmall {float: left; width: 671px; height:33px; background-color:#e2e2e2; border-top: 1px solid #ffffff;} #pageLogin {float: left; width: 223px; height:239px; background-color:#f2f2f2; border-top: 1px solid #ffffff;border-right: 1px solid #ffffff;} #loginHeader {height: 28px; background-color: #88bb00; padding-top: 8px;} .loginHeaderText {font-size: 16px; color: #fff; font-weight: bold; margin-left: 15px;} #loginContent { font-size: 12px; color: #444; margin: 10px 15px;} #loginContent a:link,#loginContent a:visited {color:#558800; font-size: 11px; font-weight: normal;} #loginContent a:hover,#loginContent a:active {color:#558800; font-size: 11px; text-decoration: underline;} .loginItem {background:url(img/arrowGray_Small.gif) no-repeat left; text-indent: 7px; color:#558800; margin: 4px 0px 3px 0px; } #pageBrandingTop {he
-----

I am on the latest snort version, 2.9.0.3, and I compiled w/ gzip support and I have the http_inspect preprocessor enabled. From snort.conf:

-----
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: \
    server default \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    chunk_length 500000 \
    flow_depth 1460 \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    oversize_dir_length 500 \
    ports { 80 8080 8180 3128 } \
    u_encode yes \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    webroot no \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip
-----

Looking at the snort rule, it looks sound, but it appears the appropriate HTTP buffers (e.g. http_method) are not getting populated correctly. Is this the case? I know the HTTP preprocessor has had some recent changes and has had *a lot* of issues in the past, so I'm curious if this is a known bug and being worked on. I am copying the EmergingThreats list too in case others are having problems and can help out.

Thanks.

-L0rd C.
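To make the expected behaviour of sid:2011033 concrete, here is an added Python emulation of the rule's two http_method checks (example code, not from the post or the ET/Snort projects). It assumes a simplified model of the http_method buffer (the token before the first space of a well-formed request line) and uses constructed sample payloads, including one shaped like the RST payload above that carries CSS instead of a request line.

```python
import re

# Constructed sample payloads (not from the original post).
SAMPLES = {
    "lowercase_head": b"head /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "proper_head": b"HEAD /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "mixed_case": b"HeAd / HTTP/1.0\r\n\r\n",
    # Looks like the logged RST segment: CSS data, no request line at all.
    "rst_css_payload": b"0px 5px 5px; border-right: 2px dotted #cbcbcb;}",
}

# HTTP/1.x request line: METHOD SP request-target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(
    rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/(\d)\.(\d)\r\n"
)


def http_method(payload: bytes):
    """Simplified stand-in for the http_inspect 'http_method' buffer.

    Returns the method token of a well-formed request line, or None when
    the payload has no request line (then the buffer has nothing to inspect).
    """
    m = REQUEST_LINE.match(payload)
    return m.group(1) if m else None


def rule_2011033_fires(payload: bytes) -> bool:
    """Emulate the rule's detection logic on one client->server payload.

    content:"head"; http_method; nocase;   -> 'head' present, any case
    content:!"HEAD"; http_method;          -> canonical 'HEAD' absent
    Both must hold, so only a non-upper-case spelling of HEAD matches.
    """
    method = http_method(payload)
    if method is None:
        # Empty method buffer: neither content check can match.
        return False
    return b"head" in method.lower() and b"HEAD" not in method


def evaluate_samples() -> dict:
    """Run every constructed sample through the emulated rule."""
    return {name: rule_2011033_fires(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:16s} -> {'ALERT' if fired else 'no alert'}")
```

Under this model a logged packet with no request line, like the RST segment in the post, yields an empty method buffer and cannot satisfy the rule, which is why seeing such a packet attached to this alert points at buffer population rather than at the rule text.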
Current thread:
- issues with 2011033 - ET SCAN HTTP HEAD invalid method case L0rd Ch0de1m0rt (Jan 31)
- Re: [Emerging-Sigs] issues with 2011033 - ET SCAN HTTP HEAD invalid method case Matthew Jonkman (Jan 31)