Snort mailing list archives
Re: [snort preprocessor]http_inspect cannot identify urlencoded content
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 4 Jul 2016 18:56:40 +0000
Are you sure the destination address in your rule is correct? There isnt anything in the pcap from 192.168.48.140. Shouldnt it be 192.168.2.111 instead of 192.168.48.140? If I change the address in your rule it alerts. See below: cliffjumper$ ./bin/snort -c etc/MAXIM.conf -r etc/MAXIM.pcapng -Acmg -H -U -k none -q 07/04-02:59:02.844050 [**] [1:9100000:1] test urlencoded content. [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.2.139:56961 -> 192.168.2.111:80 Stream reassembled packet 07/04-02:59:02.844050 B0:C0:90:51:83:6C -> C8:1F:66:DB:CA:26 type:0x800 len:0x24C 192.168.2.139:56961 -> 192.168.2.111:80 TCP TTL:64 TOS:0x0 ID:23068 IpLen:20 DgmLen:574 DF ***A**** Seq: 0x4D757BEC Ack: 0x438BE909 Win: 0x7680 TcpLen: 20 47 45 54 20 2F 69 64 3D 68 65 6C 6C 6F 77 6F 72 GET /id=hellowor 6C 64 25 32 30 25 36 31 25 36 45 25 36 34 25 32 ld%20%61%6E%64%2 30 25 33 31 25 33 44 25 33 32 25 32 30 25 37 35 0%31%3D%32%20%75 25 34 45 25 36 39 25 36 46 25 36 45 25 32 30 25 %4E%69%6F%6E%20% 35 33 25 36 35 25 36 43 25 34 35 25 36 33 25 37 53%65%6C%45%63%7 34 25 32 30 25 33 31 25 32 43 25 33 32 25 32 43 4%20%31%2C%32%2C 25 33 33 25 32 43 25 33 34 25 32 43 25 33 35 25 %33%2C%34%2C%35% 32 43 25 36 33 25 36 46 25 36 45 25 36 33 25 36 2C%63%6F%6E%63%6 31 25 37 34 25 32 38 25 33 30 25 37 38 25 33 34 1%74%28%30%78%34 25 33 30 25 33 37 25 33 34 25 33 36 25 33 38 25 %30%37%34%36%38% 33 36 25 33 35 25 33 37 25 33 33 25 33 37 25 33 36%35%37%33%37%3 34 25 33 36 25 33 31 25 33 37 25 33 32 25 33 37 4%36%31%37%32%37 25 33 34 25 32 43 25 34 33 25 36 46 25 37 35 25 %34%2C%43%6F%75% 36 45 25 37 34 25 32 38 25 32 41 25 32 39 25 32 6E%74%28%2A%29%2 43 25 33 30 25 37 38 25 33 34 25 33 30 25 33 37 C%30%78%34%30%37 25 33 34 25 33 36 25 33 38 25 33 36 25 33 35 25 %34%36%38%36%35% 33 36 25 33 35 25 33 36 25 34 35 25 33 36 25 33 36%35%36%45%36%3 34 25 32 39 25 32 43 25 33 37 25 32 43 25 33 38 4%29%2C%37%2C%38 25 32 43 25 33 39 25 32 43 25 33 31 25 33 30 25 %2C%39%2C%31%30% 32 30 25 36 36 25 37 32 25 36 46 25 36 44 25 32 20%66%72%6F%6D%2 30 25 36 39 25 36 45 25 36 36 25 36 46 25 37 32 0%69%6E%66%6F%72 25 36 44 25 36 31 25 37 34 25 36 39 25 36 46 25 %6D%61%74%69%6F% 36 45 25 35 46 25 37 33 25 36 33 25 36 38 25 36 6E%5F%73%63%68%6 35 25 36 44 25 36 31 25 32 45 25 37 34 25 36 31 5%6D%61%2E%74%61 25 36 32 25 36 43 25 36 35 25 37 33 25 32 33 20 %62%6C%65%73%23 48 54 54 50 2F 31 2E 31 0D 0A 43 6F 6E 74 65 6E HTTP/1.1..Conten 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D t-Type: text/htm 6C 0D 0A 48 6F 73 74 3A 20 31 39 32 2E 31 36 38 l..Host: 192.168 2E 32 2E 31 31 31 0D 0A 41 63 63 65 70 74 3A 20 .2.111..Accept: 74 65 78 74 2F 68 74 6D 6C 2C 20 2A 2F 2A 0D 0A text/html, */*.. 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi 6C 6C 61 2F 33 2E 30 20 28 63 6F 6D 70 61 74 69 lla/3.0 (compati 62 6C 65 3B 20 49 6E 64 79 20 4C 69 62 72 61 72 ble; Indy Librar 79 29 0D 0A 0D 0A y).... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Albert Lewis QA SNORT/Sourcefire SOURCEfire, Inc. now part of Cisco 9780 Patuxent Woods Drive Columbia, MD 21046 Email: allewi () cisco com<mailto:allewi () cisco com> From: Maxim <hittlle () 163 com<mailto:hittlle () 163 com>> Date: Sunday, July 3, 2016 at 11:38 PM To: 'snort-users' <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>> Subject: [Snort-users] [snort preprocessor]http_inspect cannot identify urlencoded content Hi all, I have a website attack tool that encodes HTTP request parameters with urlencode library, and I want snort to capture and normalize the urlencoded content. I enabled http_inspect preprocessor in snort.conf as follows: preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 max_gzip_mem 104857600 preprocessor http_inspect_server: server default profile all ports { 80 8081 } http_methods { GET POST PUT DELETE HEAD } and prepared the corresponding rule as below: alert tcp any any -> 192.168.48.140 80 (content: "union"; http_uri; nocase; msg:"test urlencoded content."; classtype: web-application-attack;flowbits: isnotset, 9100000; flowbits: set, 9100000; flow: from_client; tag: session,exclusive; sid: 9100000; rev:1) They keyword "union" is urlencoded in the parameter part of the http request generated by the attack tool. Then I used the tool to trigger the attack as follows GET /id=test%20%61%6E%64%20%31%3D%32%20%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20%31%2C%32%2C%33%2C%34%2C%35%2C%63%6F%6E%63%61%74%28%30%78%34%30%37%34%36%38%36%35%37%33%37%34%36%31%37%32%37%34%2C%43%6F%75%6E%74%28%2A%29%2C%30%78%34%30%37%34%36%38%36%35%36%35%36%45%36%34%29%2C%37%2C%38%2C%39%2C%31%30%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%23 HTTP/1.1 Content-Type: text/html Host: 192.168.2.111 Accept: text/html, */* User-Agent: Mozilla/3.0 (compatible; Indy Library) The normalized form of "%20%61%6E%64%20%31%3D%32%20%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20%31%2C%32%2C%33%2C%34%2C%35%2C%63%6F%6E%63%61%74%28%30%78%34%30%37%34%36%38%36%35%37%33%37%34%36%31%37%32%37%34%2C%43%6F%75%6E%74%28%2A%29%2C%30%78%34%30%37%34%36%38%36%35%36%35%36%45%36%34%29%2C%37%2C%38%2C%39%2C%31%30%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%23" in the above request is "/id=test and 1=2 uNion SelEct 1,2,3,4,5,concat(0x407468657374617274,Count(*),0x40746865656E64),7,8,9,10 from information_schema.tables#". As you can see, the rule SHOULD match the request and trigger a alert, but it didn't. My snort version information and the pcap file are attacked below. ,,_ -*> Snort! <*- o" )~ Version 2.9.6.0 GRE (Build 47) '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.5.3 Using PCRE version: 8.31 2012-07-06 Using ZLIB version: 1.2.8 Am I missing anything? Any guidance would be highly appreciated. Thanks. Regards Hittlle [X]
------------------------------------------------------------------------------ Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San Francisco, CA to explore cutting-edge tech and listen to tech luminaries present their vision of the future. This family event has something for everyone, including kids. Get more information and register today. http://sdm.link/attshape
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- [snort preprocessor]http_inspect cannot identify urlencoded content Maxim (Jul 03)
- Re: [snort preprocessor]http_inspect cannot identify urlencoded content Al Lewis (allewi) (Jul 04)