Snort mailing list archives

Re: Problem with http_header content modifier


From: Frederico Araujo <araujof () gmail com>
Date: Fri, 10 Jul 2015 17:08:35 -0400

Just following up on your comments and questions...

Thanks for your reply, Waldo!

    does it work if you use http_raw_header instead?

No. I used http_raw_header and disabled fast_pattern:only, and it didn't
alert.

interesting...

    what does a packet capture of that packet look like?


13:34:27.679160 IP (tos 0x0, ttl 128, id 24583, offset 0, flags [DF], proto TCP (6), length 128)
     192.168.134.1.56096 > 192.168.134.138.80: Flags [P.], cksum 0xc44f (correct), seq 2669151629:2669151717, ack 2652066135, win 256, length 88
     0x0000:  4500 0080 6007 4000 8006 0c94 c0a8 8601  E...`.@.........
     0x0010:  c0a8 868a db20 0050 9f18 058d 9e13 5157  .......P......QW
     0x0020:  5018 0100 c44f 0000 4745 5420 2f63 6769  P....O..GET./cgi
     0x0030:  2d62 696e 2f74 6573 742d 6367 6920 4854  -bin/test-cgi.HT
     0x0040:  5450 2f31 2e31 0d0a 486f 7374 3a20 3139  TP/1.1..Host:.19
     0x0050:  322e 3136 382e 3133 342e 3133 380d 0a55  2.168.134.138..U
     0x0060:  7365 722d 4167 656e 743a 2074 6573 740d  ser-Agent:.test.
     0x0070:  0a41 6363 6570 743a 202a 2f2a 0d0a 0d0a  .Accept:.*/*....

one would think that your rule would find that... at least *if* the user agent
field is considered to be part of the header and is still in the header
buffer... i tried looking for this information but was unable to find
anything...

@joel: can we do something to improve the documentation such that eg:
http_header will contain fields X, Y and Z and possibly give a picture of the
buffer and some data in it? a lot of the examples are much too simplistic :(


Without disabling the NIC offload bits, snort can't get the headers
processed when http_header is specified. I tried requests setting other
http headers as well, and none were detected. I don't think it's something
specific to user-agent.

[trim]

everything you show seems like it should work... apparently it is something to
do with the http buffer... can you try using http_uri and see if that works? it
should since both your UA and your URI contain "test"...


I tested and it doesn't work either! This is strange. I wonder how Snort
implements http modifiers... perhaps, the fact that Snort can't properly
perform target-based reassembly is the root cause of the problem here. If
that is the case, then I wish that this issue was highlighted in the
http_inspect documentation.


remember to restart your snort after editing your rule! that has bitten me in
the arse more times than i care to count :blush:


lol :)



--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
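The thread turns on two things that can be checked directly from the quoted tcpdump output: whether the packet would survive Snort's checksum verification (Snort's `config checksum_mode` defaults to verifying all checksums, and a packet that fails is not inspected, which is why checksum offload on the capturing NIC matters), and what the HTTP request actually contains. The script below is an added example for this archive page, not code from Snort or from anyone on the thread. It re-parses the hex dump copied from the message above, recomputes the IP and TCP checksums, and splits the request into the request line, URI and header block. Treating the header block as the lines after the request line is an assumption about Snort's buffer layout, not something the thread states.

```python
"""Re-check the tcpdump hex dump quoted in the thread.

Added example for this archive page; not Snort's code and not code from
the thread. Verifies IP/TCP checksums the way Snort's default checksum
verification does and splits the HTTP request into the parts that the
http_uri / http_header modifiers are meant to look at.
"""
import struct

# Copied from the quoted tcpdump -X output above (ASCII column dropped).
HEXDUMP = """\
0x0000:  4500 0080 6007 4000 8006 0c94 c0a8 8601
0x0010:  c0a8 868a db20 0050 9f18 058d 9e13 5157
0x0020:  5018 0100 c44f 0000 4745 5420 2f63 6769
0x0030:  2d62 696e 2f74 6573 742d 6367 6920 4854
0x0040:  5450 2f31 2e31 0d0a 486f 7374 3a20 3139
0x0050:  322e 3136 382e 3133 342e 3133 380d 0a55
0x0060:  7365 722d 4167 656e 743a 2074 6573 740d
0x0070:  0a41 6363 6570 743a 202a 2f2a 0d0a 0d0a
"""


def hexdump_to_bytes(dump):
    """Turn 'tcpdump -X' style lines into raw bytes; the offset column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        _offset, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def rfc1071_checksum(data):
    """16-bit ones'-complement sum of the data, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(pkt):
    """Return checksum results and the HTTP pieces of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src, dst = pkt[12:16], pkt[16:20]
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    payload = tcp[data_off:]

    # IP header checksum: summing the header with its checksum field included
    # must give all ones, so the complemented sum must be zero.
    ip_ok = rfc1071_checksum(pkt[:ihl]) == 0

    # TCP checksum: pseudo-header + TCP header (checksum field zeroed) + payload.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_stored = struct.unpack("!H", tcp[16:18])[0]
    tcp_calc = rfc1071_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])

    # Split the request: request line, URI, and the header lines after it
    # (assumed here to be what the http_header buffer holds).
    head, _, _body = payload.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, version = request_line.split(b" ")
    headers = {}
    for line in header_block.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().decode()] = value.strip().decode()

    return {
        "ip_checksum_ok": ip_ok,
        "tcp_checksum_stored": tcp_stored,
        "tcp_checksum_calc": tcp_calc,
        "tcp_checksum_ok": tcp_stored == tcp_calc,
        "payload_len": len(payload),
        "method": method.decode(),
        "uri": uri.decode(),
        "version": version.decode(),
        "header_block": header_block.decode(),
        "headers": headers,
    }


def snort_would_inspect(pkt):
    """With the default checksum_mode, a packet failing either checksum is dropped."""
    r = parse_packet(pkt)
    return r["ip_checksum_ok"] and r["tcp_checksum_ok"]


if __name__ == "__main__":
    packet = hexdump_to_bytes(HEXDUMP)
    for key, value in parse_packet(packet).items():
        print("%-20s %r" % (key, value))
    print("passes checksum verification:", snort_would_inspect(packet))
```

Run against the dump from the thread this reports a correct TCP checksum of 0xc44f, 88 bytes of payload, URI `/cgi-bin/test-cgi` and a `User-Agent: test` header, so the bytes on the wire are what the rule expects. Zeroing the TCP checksum field (the usual symptom of capturing on a host with checksum offload enabled) makes `snort_would_inspect` return False, which is the situation to rule out before blaming the rule or the http buffers.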


------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
