Snort mailing list archives

Re: Why content and not uricontent?


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 21 Apr 2005 13:05:28 -0400

Holger Mense wrote:

> Hi,
>
> thank you for your answer. I thought about it, however, I didn't get it ;)
>
> * Brian <bmc () snort org>:
>
> > On Tue, Apr 12, 2005 at 11:43:59PM +0200, Holger Mense wrote:
> >
> > > Now I am curious. Can someone explain to me if there are any reasons
> > > for using content over uricontent?
> >
> > phf can be exploited via POST as well as GET.  http inspect doesn't
> > provide a normalized parameter detection method,
>
> I don't understand this. Using uricontent="QALIAS" worked for me, even when
> the string "qalias" used hex encoding. And this part of the URL already
> belongs to the parameter.


I think Brian's point is that uricontent doesn't match the parameters to
a HTTP POST command, only the URI itself.

I assume in your testing you were using a GET, not a POST with an
exploiting parameter.

Since in the POST method, the parameter isn't a part of the URI, the
attack string won't be seen by uricontent rules if the attacker uses
this method.

Thus, while using uricontent closes the hole of encoded requests, it
opens the hole of someone using the POST command for the exploit.

On the other hand, content fails to handle encodings, but it does match
both POST and GET requests.

I'd suspect you really want both rules, one to deal with encoded GET
requests, the other to deal with exploits via the POST command.

Or, better yet, an http_inspect hack to allow a "uricontent" equivalent
for POST parameters (you would want to create a new keyword for this)
and use two rules, one with uricontent, the other with
"postparametercontent" or whatever.

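A small Python model of the trade-off Matt describes, added here as an illustration and not code from the original thread or from Snort: a uricontent-style check looks only at the normalised request URI, a content-style check looks at the raw payload with no decoding, and only the pair covers both the hex-encoded GET and the POST case. The three request strings are constructed samples, and percent-decoding plus case-insensitive matching are assumptions standing in for http_inspect's normalisation.

```python
import urllib.parse

# Constructed sample requests (not from the list post). "Qalias" stands in
# for the phf parameter string discussed in the thread.
REQUESTS = {
    "get_plain":   "GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\nHost: h\r\n\r\n",
    "get_encoded": "GET /cgi-bin/phf?%51%61%6C%69%61%73=x HTTP/1.0\r\nHost: h\r\n\r\n",
    "post_body":   "POST /cgi-bin/phf HTTP/1.0\r\nHost: h\r\nContent-Length: 8\r\n\r\nQalias=x",
}

def request_uri(payload: str) -> str:
    """Return the raw URI from the request line, the only part uricontent inspects."""
    return payload.split("\r\n", 1)[0].split(" ")[1]

def normalized_uri(payload: str) -> str:
    """Assumed model of http_inspect URI normalisation: percent-decode the URI."""
    return urllib.parse.unquote(request_uri(payload))

def uricontent_match(payload: str, pattern: str) -> bool:
    """uricontent-style rule: match the normalised URI only (nocase assumed)."""
    return pattern.lower() in normalized_uri(payload).lower()

def content_match(payload: str, pattern: str) -> bool:
    """content-style rule: raw match over the whole payload, no decoding (nocase assumed)."""
    return pattern.lower() in payload.lower()

def evaluate(pattern: str = "qalias") -> dict:
    """For each sample request, report which rule style fires and whether either does."""
    results = {}
    for name, payload in REQUESTS.items():
        uri_hit = uricontent_match(payload, pattern)
        raw_hit = content_match(payload, pattern)
        results[name] = {"uricontent": uri_hit, "content": raw_hit, "either": uri_hit or raw_hit}
    return results

if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:12s} uricontent={r['uricontent']!s:5s} "
              f"content={r['content']!s:5s} either={r['either']}")
```

The encoded GET is caught only by the uricontent-style check and the POST only by the content-style check, which is why one rule of each is needed until a normalised POST-parameter keyword exists.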
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net