Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer

[Joel Esler <jesler () sourcefire com>]

Can you send me a pcap?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 16, 2012, at 5:18 PM, Mike Cox <mike.cox52 () gmail com> wrote:

> I've noticed that in some multipart/form-data POSTs, data that is normally in the HTTP header gets sent in the body 
> of the message and not parsed by http-inspect as part of the http_header buffer.  Specifically, the headers 
> "Content-Type", "Content-Disposition", and "Content-Transfer-Encoding", although there could be others.  For example:
>
> POST /blackhole/safe.php HTTP/1.1
> Host: snort.org
> Content-Type: multipart/form-data, boundary=---dG91Y2hteXNub3J0
> Content-Length: 8675309
>
> ---dG91Y2hteXNub3J0
> Content-Disposition: form-data; name="name"
>
> Joshua
> ---dG91Y2hteXNub3J0
> Content-Disposition: form-data; name="play_a_game"
>
> True
> ---dG91Y2hteXNub3J0
> Content-Disposition: form-data; name="file"; filename="GLOBAL_THERMONUCLEAR_WAR.pdf"
> Content-Type: application/pdf
> Content-Transfer-Encoding: binary
> ...
>
> So a snort rule looking for a specific filename in a Content-Disposition header wouldn't match if it were written as 
> you would expect it to be written.  For example, this wouldn't match the above:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bad PDF File Upload"; flow:established,to_server; 
> content:"Content-Disposition"; http_header; content:"filename="; distance:0; http_header; content:".pdf"; distance:0; 
> within:100; http_header; sid:1234567;)
>
> What is the best way to match this and not incur the overhead of using global content matches?  Is there a plan for 
> the http-inspect pre-processor to account for this?
>
> Thanks.
>
> -Mike Cox
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_sfd2d_oct_______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!