Snort mailing list archives
Re: http_cookie containing the Set-Cookie/Cookie HTTP header element
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 23 Aug 2011 13:25:09 -0400
Fixed in 2.9.1.

--
Joel Esler
On the phone

On Aug 23, 2011, at 12:52, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

I wrote a while back about how there was a difference in Snort 2.8.6.x vs 2.9.x and the http_cookie buffer did not include the "Cookie:|20|" or "Set-Cookie:|20|" strings in the buffer in the older version but does now. Well, this new behavior is causing some issues for us with signature writing. The issue lies in being able to check if a cookie does not exist as part of a check for a signature. So if we have something like this we need to sig on:

HTTP /standardLookingURI.php HTTP/1.1
Host: driveby.co.au.com
Referrer: redirection.co.au.com

I could have written something like this to work in Snort 2.8.6.x:

alert tcp any any -> any any (msg:"Imposter URI with no cookie"; content:"/standardLookingURI.php"; http_uri; content:!"Cookie: "; http_header; sid:1;)

But now since the string and the HTTP header element is in the http_cookie buffer in 2.9.x, I can't do that. So I tried things like:

alert tcp any any -> any any (msg:"Imposter URI with no cookie"; content:"/standardLookingURI.php"; http_uri; content:!"Cookie: "; http_cookie; sid:1;)

But the issue is that when there isn't an http_cookie buffer being created, I can't see a way to test if it isn't there. And I can't test for its absence in http_header as if http_cookie is present, then it is no longer part of http_header.

Outside of disabling the enable_cookie option in the config for the http_inspect preprocessor, is there some other way to achieve the desired outcome?

--
Eoin

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, user administration capabilities and model configuration. Take the hassle out of deploying and managing Subversion and the tools developers use with it.
http://p.sf.net/sfu/wandisco-d2d-2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
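An added example, not part of the original posts and not Snort code: an offline ground-truth check for the condition described in the question (a request for the URI that carries no Cookie header), usable for labelling test traffic when comparing rule behaviour across Snort versions. The sample requests, the GET method and all function names are constructed for illustration; `substring_verdict` is a plain case-sensitive byte match for "Cookie: " over the raw header block and does not model http_inspect's buffers.

```python
# Added example: ground truth for "target URI requested, no Cookie header".
# Only the URI and Host values come from the post; everything else is constructed.

TARGET_URI = "/standardLookingURI.php"

def parse_request(raw: bytes):
    """Return (uri, {lowercased header name: [values]}) for one raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return uri, headers

def expected_alert(raw: bytes) -> bool:
    """True when the request hits TARGET_URI and has no Cookie header at all."""
    uri, headers = parse_request(raw)
    return TARGET_URI in uri and "cookie" not in headers

def substring_verdict(raw: bytes) -> bool:
    """Verdict of a case-sensitive negated byte match for b'Cookie: '."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return TARGET_URI.encode() in head and b"Cookie: " not in head

def build(extra=()):
    """Construct a sample request (constructed test data)."""
    lines = ["GET " + TARGET_URI + " HTTP/1.1", "Host: driveby.co.au.com", *extra]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

SAMPLES = {
    "no_cookie": build(),
    "cookie": build(["Cookie: sid=1"]),
    "lowercase_name": build(["cookie: sid=1"]),     # header names are case-insensitive
    "lookalike_header": build(["X-Cookie: sid=1"]),  # contains the bytes "Cookie: "
}

def compare():
    """Map sample name -> (ground truth, substring verdict)."""
    return {n: (expected_alert(r), substring_verdict(r)) for n, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The two verdicts disagree on the last two samples, which are worth including in any regression capture used to validate a "no cookie" rule.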
Current thread:
- http_cookie containing the Set-Cookie/Cookie HTTP header element Eoin Miller (Aug 23)
- Re: http_cookie containing the Set-Cookie/Cookie HTTP header element Joel Esler (Aug 23)
- Re: http_cookie containing the Set-Cookie/Cookie HTTP header element Eoin Miller (Aug 23)
- Re: http_cookie containing the Set-Cookie/Cookie HTTP header element Joel Esler (Aug 23)