Snort mailing list archives

Re: Snorting OPTIONS method


From: Gregory D Hough <mr6re9 () execulink com>
Date: Tue, 10 May 2005 20:52:16 -0400

Paul Melson wrote:
There's a Bleeding Edge rule that does this for the CONNECT method (often
used to tunnel non-HTTP protocols through a proxy, or proxy off of a
misconfigured Apache install, etc.)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE Proxy CONNECT Request"; flow:to_server,established; content:"CONNECT "; depth:8; nocase; classtype:bad-unknown; sid:2001675; rev:1;)

Just replace 'CONNECT' with 'OPTIONS' and assign it a new sid (or remove the
sid if you don't use them in reporting), copy it into your local.rules,
restart Snort and you should be all set.

PaulM

Thanks Paul,

I sorta already did that with a rule from web-misc by changing SEARCH to OPTIONS. I tested it and it does alert when I telnet OPTIONS / HTTP/1.1. However, I will not see what Apache returns if anything at all. My logs show a code 200 but there is no "Content-Length:", it is void. I guess I'm looking for a way to alert on a void "Content-Length:" in the http layer between the second and third |0d 0a|.

I looked through some rules hoping to adapt one to this. This one caught my eye:

bleeding-policy.rules:alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel Attempt"; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:80"; distance:-11; within:4; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:443"; distance:-12; within:5; flow:to_server,established; classtype:misc-activity; sid:2000560; rev:5; )

I find the complexity daunting. I don't understand much about reading packets and writing rules. And I don't have a packet yet to reference. But I did look around the snort manual and cobbed together this; though I don't know how well it will work:

activate tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WebDAV options access"; flow:to_server,established; content:"OPTIONS "; depth:8; nocase; activates: 1; reference:mycrowsauce,2005-0510; classtype:web-application-activity; sid:3330001; rev:1;)

dynamic tcp $EXTERNAL_NET any <> $HTTP_SERVERS $HTTP_PORTS (activated_by: 1; count: 8;)

It may just be harmless poking around, but since the server reported the source of the latest attempt as its own virtual IP I have to wonder if there's more to it. It has been occurring about once a week and I'd like to be ready for the next one.

farmer6re9
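On the "void Content-Length" idea above: counting |0d 0a| pairs only works if Content-Length is always the second header, and Apache does not promise any header order. The script below is an added example (mine, not from this thread, Snort or Bleeding Edge) that mirrors the rule's "OPTIONS " / depth:8 / nocase check on the request and then parses the response headers by name, so a 200 with a missing or empty Content-Length is labelled as such. All the request/response bytes in it are constructed samples, not captured traffic; the example host name and the label strings are my own choices.

```python
# Added example (not from the thread, Snort or Bleeding Edge): label
# OPTIONS request/response pairs so you can see what the server returned.
# Every sample below is constructed, not captured.
import re

CRLF = b"\r\n"


def matches_options_rule(raw_request: bytes) -> bool:
    """Mirror the Snort check quoted in the thread,
    content:"OPTIONS "; depth:8; nocase;  i.e. the first 8 payload
    bytes are 'OPTIONS ' in any letter case."""
    return raw_request[:8].upper() == b"OPTIONS "


def parse_request_line(raw_request: bytes):
    """Return (method, target, version) from the request line, or raise
    ValueError when it does not have exactly three space-separated fields."""
    first_line = raw_request.split(CRLF, 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % first_line)
    return tuple(p.decode("ascii", "replace") for p in parts)


def parse_response(raw_response: bytes):
    """Return (status_code, headers, body).  Headers are parsed by name
    rather than by counting CRLFs, because header order is not fixed and
    the Content-Length line need not be the second one."""
    head, _, body = raw_response.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    match = re.match(rb"HTTP/\d\.\d (\d{3})", lines[0])
    if not match:
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:  # an empty value is kept: that is the 'void Content-Length' case
            headers[name.strip().lower().decode("ascii", "replace")] = \
                value.strip().decode("ascii", "replace")
    return int(match.group(1)), headers, body


def classify(raw_request: bytes, raw_response: bytes) -> str:
    """Label one request/response pair for alerting or reporting."""
    if not matches_options_rule(raw_request):
        return "not-options"
    try:
        parse_request_line(raw_request)
    except ValueError:
        return "options-malformed-request"
    status, headers, _body = parse_response(raw_response)
    if status != 200:
        return "options-%d" % status
    if "content-length" not in headers:
        return "options-200-missing-content-length"
    if headers["content-length"] == "":
        return "options-200-empty-content-length"
    return "options-200-content-length-%s" % headers["content-length"]


# Constructed samples.  The HTTP/1.1 requests carry a Host header because the
# protocol requires one; a request without it commonly draws a 400.
SAMPLE_OPTIONS_REQUEST = b"OPTIONS / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_GET_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_MALFORMED_REQUEST = b"OPTIONS HTTP/1.1\r\n\r\n"
SAMPLE_RESPONSE_EMPTY_CL = (b"HTTP/1.1 200 OK\r\n"
                            b"Date: Tue, 10 May 2005 20:52:16 GMT\r\n"
                            b"Content-Length:\r\n"
                            b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n\r\n")
SAMPLE_RESPONSE_ALLOW = (b"HTTP/1.1 200 OK\r\n"
                         b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
                         b"Content-Length: 0\r\n\r\n")
SAMPLE_RESPONSE_400 = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    pairs = [
        (SAMPLE_OPTIONS_REQUEST, SAMPLE_RESPONSE_EMPTY_CL),
        (SAMPLE_OPTIONS_REQUEST, SAMPLE_RESPONSE_ALLOW),
        (SAMPLE_OPTIONS_REQUEST, SAMPLE_RESPONSE_400),
        (SAMPLE_MALFORMED_REQUEST, SAMPLE_RESPONSE_400),
        (SAMPLE_GET_REQUEST, SAMPLE_RESPONSE_ALLOW),
    ]
    for req, resp in pairs:
        print(classify(req, resp))
```

Feed it the request and response payloads from the packets your activate/dynamic rule logs; the label tells you whether the 200 came back with an Allow list and a real Content-Length, or with the empty header you are seeing.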

-----Original Message-----
Subject: [Snort-users] Snorting OPTIONS method

Hello Snortsters,

I have been seeing a few OPTIONS method requests to HTTPD and was wondering if
there is a rule I could use to grab these packets. The reason is because Apache
has been giving these requests a code 200 and I want to know what if
anything is being returned. These are the most recent:

My main concern is with the four requests on May 09 which managed to spoof
my own IP address. I used telnet to see how Apache would respond locally and
was given a code 400. Snort doesn't log any of these.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net