Snort mailing list archives
Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 16 Oct 2012 17:51:50 -0400
Can you send me a pcap?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 16, 2012, at 5:18 PM, Mike Cox <mike.cox52 () gmail com> wrote:
I've noticed that in some multipart/form-data POSTs, data that is normally in the HTTP header gets sent in the body of the message and not parsed by http-inspect as part of the http_header buffer. Specifically, the headers "Content-Type", "Content-Disposition", and "Content-Transfer-Encoding", although there could be others. For example:

POST /blackhole/safe.php HTTP/1.1
Host: snort.org
Content-Type: multipart/form-data, boundary=---dG91Y2hteXNub3J0
Content-Length: 8675309

---dG91Y2hteXNub3J0
Content-Disposition: form-data; name="name"

Joshua
---dG91Y2hteXNub3J0
Content-Disposition: form-data; name="play_a_game"

True
---dG91Y2hteXNub3J0
Content-Disposition: form-data; name="file"; filename="GLOBAL_THERMONUCLEAR_WAR.pdf"
Content-Type: application/pdf
Content-Transfer-Encoding: binary
...

So a snort rule looking for a specific filename in a Content-Disposition header wouldn't match if it were written as you would expect it to be written. For example, this wouldn't match the above:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bad PDF File Upload"; flow:established,to_server; content:"Content-Disposition"; http_header; content:"filename="; distance:0; http_header; content:".pdf"; distance:0; within:100; http_header; sid:1234567;)

What is the best way to match this and not incur the overhead of using global content matches? Is there a plan for the http-inspect pre-processor to account for this?

Thanks.

-Mike Cox

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
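To make the point of the question concrete, here is an added example (not code from the thread or from the Snort project) that splits a multipart/form-data POST into the HTTP header block, which is what an http_header content match sees, and the body, where the per-part Content-Disposition / Content-Type / Content-Transfer-Encoding headers actually live. The sample request is constructed, modelled on Mike's, with the boundary written in proper RFC 2046 form ("--" plus the boundary parameter) and a placeholder payload; the function names are this example's own.

```python
"""Where multipart part headers live in an HTTP POST.

Added example. Splits a raw request into header block and body, parses the
multipart body on the RFC 2046 delimiter, and shows that a filename check
has to run over the body, not the HTTP header block.
"""
import re

HEADER_END = b"\r\n\r\n"

# Constructed sample request, modelled on the one in the thread. The
# Content-Length value is copied as-is and is not validated here.
SAMPLE = (
    b"POST /blackhole/safe.php HTTP/1.1\r\n"
    b"Host: snort.org\r\n"
    b"Content-Type: multipart/form-data; boundary=---dG91Y2hteXNub3J0\r\n"
    b"Content-Length: 8675309\r\n"
    b"\r\n"
    b"-----dG91Y2hteXNub3J0\r\n"
    b'Content-Disposition: form-data; name="name"\r\n'
    b"\r\n"
    b"Joshua\r\n"
    b"-----dG91Y2hteXNub3J0\r\n"
    b'Content-Disposition: form-data; name="play_a_game"\r\n'
    b"\r\n"
    b"True\r\n"
    b"-----dG91Y2hteXNub3J0\r\n"
    b'Content-Disposition: form-data; name="file"; filename="GLOBAL_THERMONUCLEAR_WAR.pdf"\r\n'
    b"Content-Type: application/pdf\r\n"
    b"Content-Transfer-Encoding: binary\r\n"
    b"\r\n"
    b"%PDF-1.4 (constructed placeholder bytes)\r\n"
    b"-----dG91Y2hteXNub3J0--\r\n"
)


def split_request(raw: bytes):
    """Return (header block, body). The header block is the request line
    plus HTTP headers, i.e. roughly what an http_header match covers."""
    idx = raw.find(HEADER_END)
    if idx < 0:
        raise ValueError("no end-of-headers marker in request")
    return raw[:idx], raw[idx + len(HEADER_END):]


def parse_headers(block: bytes) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lowercase name."""
    headers = {}
    for line in block.split(b"\r\n"):
        if b":" not in line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers


def get_boundary(content_type: str):
    """Extract the boundary parameter; accepts ';' or ',' as separator,
    since the request in the thread used a comma."""
    m = re.search(r'boundary=(?:"([^"]+)"|([^;,\s]+))', content_type)
    return (m.group(1) or m.group(2)) if m else None


def parse_multipart(body: bytes, boundary: str):
    """Split the body on '--' + boundary and return one dict per part
    with that part's own headers and its payload."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):       # closing delimiter: done
            break
        if chunk.startswith(b"\r\n"):     # CRLF that ends the delimiter line
            chunk = chunk[2:]
        head, sep, data = chunk.partition(HEADER_END)
        if not sep:                        # part without headers
            head, data = b"", chunk
        if data.endswith(b"\r\n"):         # CRLF before the next delimiter
            data = data[:-2]
        parts.append({"headers": parse_headers(head), "data": data})
    return parts


def uploaded_files(raw: bytes):
    """(filename, part Content-Type) for each part whose Content-Disposition
    carries a filename= parameter."""
    head, body = split_request(raw)
    lines = head.split(b"\r\n", 1)         # drop the request line
    top = parse_headers(lines[1] if len(lines) > 1 else b"")
    boundary = get_boundary(top.get("content-type", ""))
    if boundary is None:
        return []
    found = []
    for part in parse_multipart(body, boundary):
        disp = part["headers"].get("content-disposition", "")
        m = re.search(r'filename="([^"]*)"', disp)
        if m:
            found.append((m.group(1), part["headers"].get("content-type", "")))
    return found


def pdf_upload_in_body(raw: bytes) -> bool:
    """The check the thread's rule intends, evaluated over the body."""
    return any(name.lower().endswith(".pdf") for name, _ in uploaded_files(raw))


def header_buffer_has(raw: bytes, needle: bytes) -> bool:
    """What a header-only match sees: request line and HTTP headers only."""
    head, _ = split_request(raw)
    return needle in head


if __name__ == "__main__":
    print("Content-Disposition in header block:", header_buffer_has(SAMPLE, b"Content-Disposition"))
    print("uploads found in body:", uploaded_files(SAMPLE))
    print("pdf upload detected:", pdf_upload_in_body(SAMPLE))
```

Run against the sample, `header_buffer_has(SAMPLE, b"Content-Disposition")` is False while `uploaded_files` finds the .pdf part in the body, which is exactly why the http_header rule in the question cannot fire. In Snort 2.9 the request body is exposed to rules through the `http_client_body` content modifier rather than `http_header` (a note from this example's author, not something the thread states), and whatever a body match sees is bounded by the inspector's configured body depth, so a large upload can push the final part's headers past what is inspected.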
Current thread:
- Question about Content-Disposition, Content-Type, etc. and http_header buffer Mike Cox (Oct 16)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer Joel Esler (Oct 16)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer Mike Cox (Oct 17)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer Joel Esler (Oct 17)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer Mike Cox (Oct 17)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer Joel Esler (Oct 17)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer Mike Cox (Oct 25)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer Joel Esler (Oct 25)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer lists () packetmail net (Oct 25)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer Joel Esler (Oct 25)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer lists () packetmail net (Oct 25)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer Mike Cox (Oct 25)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer Mike Cox (Oct 17)
- Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer Joel Esler (Oct 16)