Snort mailing list archives
RE: uricontent option in 1.9 vs 1.8.6
From: David Gordon <dgordon () mmwec org>
Date: Wed, 26 Feb 2003 09:18:37 -0500
Thanks. I guess I don't understand why this would be a false positive. The Arachnids description states the following:
URI Content: ".ida?" The packet offset is zero, meaning that we start looking for this content string in the start of the packet data. This is a case sensitive search.
In my case, ".ida?" does in fact show up in the packet data. Perhaps I don't understand the difference between content and uricontent. I thought that "content" would be anything in the payload of any TCP packet and that "uricontent" would be the result of the http_decode preprocessor reassembling (and de-obfuscating) packets to port 80 (or whatever ports are defined as being used for http). Wouldn't the content of this packet also be uricontent? I would appreciate any guidance you can give me to understand this better.
-----Original Message-----
From: Joe McAlerney [mailto:joey () SiliconDefense com]
Sent: Tuesday, February 25, 2003 6:57 PM
To: David Gordon
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] uricontent option in 1.9 vs 1.8.6

David,

I believe this is a result of Snort 1.8 improperly searching for uricontent, generating a false positive. 1.9 fixes this by searching for the content string within the bounds of the URI [1]. In this case, the payload doesn't contain a scheme (HTTP), or "://" for HTTP. The same is true if the content was located in the referrer part of a HTTP request.

Hope this helps,

-Joe M.

--
Joe McAlerney
Silicon Defense - The Cyber-War Defense Company

[1] http://www.ietf.org/rfc/rfc2396.txt

David Gordon wrote:

Can someone please explain to me why the rule for sid 1242 acts differently in snort 1.8.6 vs. snort 1.9?

The following rule was used in snort 1.8.6:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; rev:2;)

This is the corresponding rule in snort 1.9:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flow:to_server,established; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; reference:bugtraq,1065; sid:1242; rev:6;)

The following packet generates an alert when running Snort 1.8.6, but not Snort 1.9:

02/16-02:18:38.582833 217.234.56.78:3306 -> 123.456.78.90:80
TCP TTL:112 TOS:0x0 ID:43759 IpLen:20 DgmLen:1492 DF
***AP*** Seq: 0xAEAD8723 Ack: 0xB2DB3D32 Win: 0x4410 TcpLen: 20
/default.ida?N

If the 1.9 rule is modified as follows (changing uricontent to content and removing the "flow" option) it generates an alert in snort 1.9.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; content:".ida"; nocase; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; reference:bugtraq,1065; sid:1242; rev:6;)

I know that http_decode must be running for the uricontent option to work. I believe that the following portion of output when I run snort 1.9 indicates that http_decode is running:

http_decode arguments:
  Unicode decoding
  IIS alternate Unicode decoding
  IIS double encoding vuln
  Flip backslash to slash
  Include additional whitespace separators
  Ports to decode http on: 80

Any help would be much appreciated. I'm worried that since I upgraded to Snort 1.9 this is affecting how other rules are processed as well. Perhaps what I need to understand is what the URI portion of a request is and how Snort finds it, so any direction you can give me there would be appreciated as well.

Thanks.
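The thread turns on the difference Joe describes: `content` searches the whole packet payload, while `uricontent` searches only the request-URI that the http_decode preprocessor has located and normalized. The following Python is an added illustration for this archive page, not Snort's code and not anything posted in the thread: it models a URI as the second token of an HTTP request line (METHOD SP URI [SP HTTP/x.y]) and applies two of the normalizations listed in the http_decode output above (%xx decoding, backslash to slash). The payloads are constructed; the `/default.ida?N` fragment mirrors the packet in the original question, which starts mid-request with no method in front of it, so the model finds no URI there even though the bytes are present. It does not model the `flow:to_server,established` keyword, which is a separate reason the unmodified 1.9 rule can stay silent on a single out-of-stream packet.

```python
from typing import Optional
from urllib.parse import unquote_to_bytes

# Simplified model of 'content' vs 'uricontent' matching. This is an added
# illustration, not Snort's implementation: in Snort the http_decode
# preprocessor is what actually locates and normalizes the URI.

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE")


def extract_uri(payload: bytes) -> Optional[bytes]:
    """Return the request-URI from an HTTP request line, or None.

    A payload such as b'/default.ida?N' that begins in the middle of a request
    has no method token in front of it, so no request line is recognised and
    the search space for 'uricontent' is empty, even though the bytes are in
    the packet.
    """
    first_line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    parts = first_line.split(b" ")
    if len(parts) < 2 or parts[0] not in HTTP_METHODS:
        return None
    return parts[1]


def normalize_uri(uri: bytes) -> bytes:
    """Two of the normalizations http_decode advertises: %xx decoding and
    flipping backslashes to slashes (assumption: enough to show the idea; the
    real preprocessor also does Unicode and IIS double-decoding)."""
    return unquote_to_bytes(uri).replace(b"\\", b"/")


def content_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """'content': search the entire packet payload for the pattern."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def uricontent_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """'uricontent': search only the normalized request-URI."""
    uri = extract_uri(payload)
    if uri is None:
        return False
    return content_match(normalize_uri(uri), pattern, nocase)


def compare(payload: bytes, pattern: bytes = b".ida") -> dict:
    """Evaluate both rule options on one payload and return the verdicts."""
    return {"content": content_match(payload, pattern),
            "uricontent": uricontent_match(payload, pattern)}


# Constructed sample payloads (not captures from the thread's sensor).
FRAGMENT = b"/default.ida?NNNNNNNNNNNNNNNN"  # mid-request segment, no request line
FULL_REQUEST = b"GET /default.ida?NNNN HTTP/1.0\r\nHost: www.example.invalid\r\n\r\n"
IN_REFERER = (b"GET /index.html HTTP/1.0\r\n"
              b"Referer: http://www.example.invalid/default.ida?N\r\n\r\n")
ENCODED = b"GET /default%2Eida?N HTTP/1.0\r\n\r\n"  # '.' hex-encoded in the URI

if __name__ == "__main__":
    for name, p in [("fragment", FRAGMENT), ("full request", FULL_REQUEST),
                    ("in Referer", IN_REFERER), ("percent-encoded", ENCODED)]:
        print(f"{name:16s} {compare(p)}")
```

The four cases map onto the thread: the fragment matches `content` but not `uricontent` (the 1.9 behaviour David observed); a complete request line matches both; a `.ida` string in the Referer header matches `content` only (Joe's second point); and a percent-encoded URI matches `uricontent` only, which is the reason the normalized URI search exists in the first place.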