Snort mailing list archives

Re: Problem with http_header content modifier


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 10 Jul 2015 16:19:41 -0400

On 07/10/2015 01:43 PM, Frederico Araujo wrote:
Thanks for your reply, Waldo!

    does it work if you use http_raw_header instead?

No. I used http_raw_header and disabled fast_pattern:only, and it didn't alert.

interesting...

    what does a packet capture of that packet look like?


13:34:27.679160 IP (tos 0x0, ttl 128, id 24583, offset 0, flags [DF], proto TCP (6), length 128)
     192.168.134.1.56096 > 192.168.134.138.80: Flags [P.], cksum 0xc44f (correct), seq 2669151629:2669151717, ack 2652066135, win 256, length 88
     0x0000:  4500 0080 6007 4000 8006 0c94 c0a8 8601  E...`.@.........
     0x0010:  c0a8 868a db20 0050 9f18 058d 9e13 5157  .......P......QW
     0x0020:  5018 0100 c44f 0000 4745 5420 2f63 6769  P....O..GET./cgi
     0x0030:  2d62 696e 2f74 6573 742d 6367 6920 4854  -bin/test-cgi.HT
     0x0040:  5450 2f31 2e31 0d0a 486f 7374 3a20 3139  TP/1.1..Host:.19
     0x0050:  322e 3136 382e 3133 342e 3133 380d 0a55  2.168.134.138..*U*
     0x0060:  7365 722d 4167 656e 743a 2074 6573 740d *ser-Agent:.test*.
     0x0070:  0a41 6363 6570 743a 202a 2f2a 0d0a 0d0a  .Accept:.*/*....

one would think that your rule would find that... at least *if* the user agent 
field is considered to be part of the header and is still in the header 
buffer... i tried looking for this information but was unable to find anything...

@joel: can we do something to improve the documentation such that e.g. 
http_header will contain fields X, Y and Z and possibly give a picture of the 
buffer and some data in it? a lot of the examples are much too simplistic :(

    lastly, i see you are using $EXTERNAL_NET and $HOME_NET and your snort is on a
    NATed VM...

    is your snort looking at the raw unNATed data on the outside interface of
    your VM?


Good question. How do I check that? This is how I'm starting snort:

TBH, i'm not sure :lol:  on a firewall product i work with, the snort 
implementation sees all transactions before iptables gets in the way... this 
because it watches the raw WAN interface directly... since it is a NATing 
firewall, everything appears to be inbound to or outbound from the WAN IP 
address... there are numerous internal interfaces to support numerous internal 
networks but we don't currently run snort on those due to the target market and 
hardware and memory consumption needed with numerous snorts running at the same 
time...

[trim]

    what are the contents of your $EXTERNAL_NET and $HOME_NET along with your
    testing IP and your snort's IP?

I think it does encompass the IP, because my simple ICMP and TCP rules (without
http_header) work just fine.
EXTERNAL_NET = any
HOME_NET = 192.168.134.138 (I also tested with 192.168.134.0/24)
testing IP = 192.168.134.1 (host)
snort IP = 192.168.134.138 (VM where snort is installed)

everything you show seems like it should work... apparently it is something to 
do with the http buffer... can you try using http_uri and see if that works? it 
should since both your UA and your URI contain "test"...

remember to restart your snort after editing your rule! that has bitten me in 
the arse more times than i care to count :blush:

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
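As an added, runnable illustration of the buffer question discussed in this message (this is not code from the thread or from the Snort project): the script below rebuilds the packet from the tcpdump hexdump quoted above, strips the IP and TCP headers using their own length fields, and splits the HTTP request into the pieces that http_uri, http_header, http_raw_header and http_client_body inspect, then reports which of those buffers a plain content:"test" would hit. How each buffer is filled is a simplified assumption, not the inspector's actual behaviour: header normalisation is skipped and the header buffers are taken to be the header lines without the request line, so check the http_inspect section of the Snort manual for the exact contents.

```python
import re

# tcpdump -X output quoted in the thread (the hex columns are all the parser
# uses; the '*' marks in the ASCII column were emphasis added by the poster).
CAPTURE = """\
0x0000:  4500 0080 6007 4000 8006 0c94 c0a8 8601  E...`.@.........
0x0010:  c0a8 868a db20 0050 9f18 058d 9e13 5157  .......P......QW
0x0020:  5018 0100 c44f 0000 4745 5420 2f63 6769  P....O..GET./cgi
0x0030:  2d62 696e 2f74 6573 742d 6367 6920 4854  -bin/test-cgi.HT
0x0040:  5450 2f31 2e31 0d0a 486f 7374 3a20 3139  TP/1.1..Host:.19
0x0050:  322e 3136 382e 3133 342e 3133 380d 0a55  2.168.134.138..*U*
0x0060:  7365 722d 4167 656e 743a 2074 6573 740d *ser-Agent:.test*.
0x0070:  0a41 6363 6570 743a 202a 2f2a 0d0a 0d0a  .Accept:.*/*....
"""

HEX_WORD = re.compile(r"^[0-9a-fA-F]{4}$")
OFFSET = re.compile(r"^\s*0x[0-9a-fA-F]+:\s*(.*)$")


def parse_hexdump(text):
    """Rebuild the raw frame bytes from tcpdump -X style lines.

    Only the 16-bit hex words right after the offset are read; the first token
    that is not exactly four hex digits marks the start of the ASCII column.
    """
    raw = bytearray()
    for line in text.splitlines():
        m = OFFSET.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            if not HEX_WORD.match(token):
                break
            raw += bytes.fromhex(token)
    return bytes(raw)


def tcp_payload(packet):
    """Strip the IPv4 and TCP headers using the length fields each one carries."""
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if packet[9] != 6:
        raise ValueError("not a TCP segment")
    total_len = int.from_bytes(packet[2:4], "big")
    data_off = (packet[ihl + 12] >> 4) * 4       # TCP header length in bytes
    return packet[ihl + data_off:total_len]


def http_buffers(payload):
    """Split a request into the pieces the http_* content modifiers inspect.

    Assumption (not from the thread): the header buffers hold the header lines
    only, without the request line, and no normalisation is applied, so
    http_header and http_raw_header come out identical here.
    """
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, _, header_lines = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return {
        "http_method": method,
        "http_uri": uri,
        "http_header": header_lines + b"\r\n",
        "http_raw_header": header_lines + b"\r\n",
        "http_client_body": body,
    }


def header_fields(raw_header):
    """Parse 'Name: value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in raw_header.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        fields[name.strip().lower()] = value.strip()
    return fields


def matching_buffers(buffers, needle):
    """Names of the buffers a plain content:"needle" would match in."""
    return sorted(name for name, data in buffers.items() if needle in data)


if __name__ == "__main__":
    payload = tcp_payload(parse_hexdump(CAPTURE))
    buffers = http_buffers(payload)
    for name, data in buffers.items():
        print(f"{name:17}: {data!r}")
    print("User-Agent       :", header_fields(buffers["http_raw_header"])[b"user-agent"])
    for needle in (b"test", b"cgi", b"User-Agent"):
        print(f"content:{needle!r} matches in {matching_buffers(buffers, needle)}")
```

Run as-is to see that the User-Agent line sits inside the header buffers while "test" also appears in the URI, which is why trying the same content with http_uri is a useful next check: if that alerts and http_header does not, the rule syntax and network variables are fine and the difference lies in how http_inspect fills the header buffer for this traffic.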
