Snort mailing list archives
Re: Matching http_cookie content
From: "Al Lewis (allewi) via Snort-sigs" <snort-sigs () lists snort org>
Date: Mon, 8 Apr 2024 02:02:50 +0000
Using your script, if the http_cookie keyword is added it alerts. Files used are attached.

    box20@box20:/var/tmp/snort3-20240404$ ./bin/snort -c etc/snort/log4j.lua -R etc/snort/log4j.rules -r ~/Downloads/log4j-script.pcap -Acsv -k none -q
    04/07-21:35:08.151273, 8, TCP, stream_tcp, 109, C2S, 210.210.210.6:41932, 210.210.210.5:3000, 1:58726:6, allow

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
        msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; \
        flow:to_server,established; \
        http_cookie; content:"jndi",fast_pattern,nocase; \
        http_cookie; \
        content:"jndi",nocase; \
        pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)/i"; \
        metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; \
        service:http; \
        reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58726; rev:6; )

Albert Lewis
Email: allewi () cisco com

________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Thursday, April 4, 2024 4:27 PM
To: Alex Tatistcheff <alext () pobox com>; Stephen Reese <rsreese () gmail com>
Cc: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Matching http_cookie content

This may have been asked/answered already (if so, sorry) ... Do you have a pcap of the traffic? Is the content there? Based on that script, where is the "jndi" in the body of the GET request?

You can add something like this into your conf to see the buffer/pattern matching attempts:

    trace = {
        modules = {
            all = 255,
            snort = { all = 255 }
        }
    }

If I start taking the rule apart, I can see it match in the cookie but then move on and miss other matches.

    P0:detection:rule_eval:1: Reached leaf, cursor name http_cookie, cursor position 0
    http_inspect.stream_tcp[12]:
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    6A 6E 64 69 3D 24 7B 6A 6E 64 69 3A  jndi=${j ndi:
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    P0:detection:rule_eval:1: Matched rule gid:sid:rev 1:58726:6

I suspect the jndi / content is missing in the payload of your GET request.

________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Stephen Reese via Snort-sigs <snort-sigs () lists snort org>
Sent: Wednesday, April 3, 2024 8:25 AM
To: Alex Tatistcheff <alext () pobox com>
Cc: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Matching http_cookie content

On Fri, May 12, 2023 at 10:29 AM Alex Tatistcheff <alext () pobox com> wrote:

I would first simplify the Talos rule until you get it to alert. Then add keywords back in until you find the culprit. Unless you've done this, you don't know what part of the rule is not matching.

Thanks. I do not have an issue generating requests using the Scapy or sockets library for most rules; it's a handful of rules related to http_cookie and http_client_body that are troublesome. The pattern I see in the rules I am unable to trigger is related to rules having a content option defined twice, whereas other rules only have the content option once.
Attachment:
log4j-script.pcap
Description: log4j-script.pcap
Attachment:
log4j.lua
Description: log4j.lua
Attachment:
log4j.rules
Description: log4j.rules
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
Current thread:
- Re: Matching http_cookie content Stephen Reese via Snort-sigs (Apr 04)
- Re: Matching http_cookie content Al Lewis (allewi) via Snort-sigs (Apr 04)
- Re: Matching http_cookie content Al Lewis (allewi) via Snort-sigs (Apr 07)
- Re: Matching http_cookie content Stephen Reese via Snort-sigs (Apr 10)
- Re: Matching http_cookie content Al Lewis (allewi) via Snort-sigs (Apr 10)
- Re: Matching http_cookie content Joel Esler via Snort-sigs (Apr 10)
- Re: Matching http_cookie content Al Lewis (allewi) via Snort-sigs (Apr 07)
- Re: Matching http_cookie content Al Lewis (allewi) via Snort-sigs (Apr 04)