Snort mailing list archives
Re: Snorting OPTIONS method
From: Gregory D Hough <mr6re9 () execulink com>
Date: Tue, 10 May 2005 20:52:16 -0400
Paul Melson wrote:
There's a Bleeding Edge rule that does this for the CONNECT method (often used to tunnel non-HTTP protocols through a proxy, or proxy off of a misconfigured Apache install, etc.):

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE Proxy CONNECT Request"; flow:to_server,established; content:"CONNECT "; depth:8; nocase; classtype:bad-unknown; sid:2001675; rev:1;)

Just replace 'CONNECT' with 'OPTIONS' and assign it a new sid (or remove the sid if you don't use them in reporting), copy it into your local.rules, restart Snort and you should be all set.

PaulM
Thanks Paul, I sorta already did that with a rule from web-misc by changing SEARCH to OPTIONS. I tested it and it does alert when I telnet "OPTIONS / HTTP/1.1". However, I will not see what Apache returns, if anything at all. My logs show a code 200 but there is no "Content-Length:", it is void. I guess I'm looking for a way to alert on a void "Content-Length:" in the http layer between the second and third |0d 0a|.
I looked through some rules hoping to adapt one to this. This one caught my eye:
bleeding-policy.rules:alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel Attempt"; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:80"; distance:-11; within:4; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:443"; distance:-12; within:5; flow:to_server,established; classtype:misc-activity; sid:2000560; rev:5; )
I find the complexity daunting. I don't understand much about reading packets and writing rules. And I don't have a packet yet to reference. But I did look around the snort manual and cobbed together this; though I don't know how well it will work:
activate tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WebDAV options access"; flow:to_server,established; content:"OPTIONS "; depth:8; nocase; activates: 1; reference:mycrowsauce,2005-0510; classtype:web-application-activity; sid:3330001; rev:1;)

dynamic tcp $EXTERNAL_NET any <> $HTTP_SERVERS $HTTP_PORTS (activated_by: 1; count: 8;)
It may just be harmless? poking around, but since the server reported the source of the latest attempt as its own virtual IP I have to wonder if there's more to it. It has been occurring about once a week and I'd like to be ready for the next one.
farmer6re9
-----Original Message-----
Subject: [Snort-users] Snorting OPTIONS method

Hello Snortsters,

I have been seeing a few OPTIONS method to HTTPD and was wondering if there is a rule I could use to grab these packets. The reason is because Apache has been giving these requests a code 200 and I want to know what if anything is being returned. These are the most recent:

My main concern is with the four requests on May 09 which managed to spoof my own IP address. I used telnet to see how Apache would respond locally and was given a code 400. Snort doesn't log any of these.
----------------------------------------------------
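Editorial note, not part of the thread: the two things the poster wants are (a) an alert on the OPTIONS request and (b) a look at what Apache sends back, including a "Content-Length:" header with no value. In Snort 2.x the request rule can carry `tag:session,10,packets;` so the packets that follow the alert (the server's reply) are logged too, and a second rule with `flow:to_client` can fire on the empty header directly; the `activate`/`dynamic` pair is the older way of doing the same thing. Counting "between the second and third |0d 0a|" is fragile because Apache's header order varies, so the pattern below anchors on the start of a header line instead. The script is an added example with constructed sample traffic; the rule text in its comments (sids 1000001/1000002, the `LOCAL` messages) is assumed, not from the thread, and the Python functions implement the same byte matches so the logic can be checked offline before it goes into local.rules.

```python
import re

# Constructed sample traffic (not captured from the original poster's server):
# an OPTIONS request and two possible Apache replies, one carrying an empty
# Content-Length header and one carrying a normal one.
REQUEST = b"OPTIONS / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RESPONSE_EMPTY_CL = (b"HTTP/1.1 200 OK\r\n"
                     b"Date: Tue, 10 May 2005 20:52:16 GMT\r\n"
                     b"Content-Length: \r\n"
                     b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n\r\n")
RESPONSE_NORMAL = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Length: 0\r\n"
                   b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n\r\n")

# Assumed Snort 2.x rule pair that the functions below mirror (example text, not
# from the thread). The tag option logs the next 10 packets of the session so the
# server's reply ends up in the logs alongside the request alert.
#
#   alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL OPTIONS request";
#     flow:to_server,established; content:"OPTIONS "; depth:8; nocase;
#     tag:session,10,packets; sid:1000001; rev:1;)
#   alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"LOCAL empty Content-Length";
#     flow:to_client,established; content:"Content-Length|3a|"; nocase;
#     pcre:"/^Content-Length\x3a[ \t]*\r\n/mi"; sid:1000002; rev:1;)
OPTIONS_RE = re.compile(rb"^OPTIONS ", re.I)              # content:"OPTIONS "; depth:8; nocase
EMPTY_CL_RE = re.compile(rb"^Content-Length:[ \t]*\r\n",  # the pcre above, line-anchored
                         re.I | re.M)
STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")


def is_options_request(payload: bytes) -> bool:
    """Match only when the request line itself starts with OPTIONS (first 8 bytes)."""
    return OPTIONS_RE.match(payload[:8]) is not None


def header_block(payload: bytes) -> bytes:
    """Return the header portion of an HTTP message, up to and including the
    CRLF before the blank line, so a body containing header-like text cannot match."""
    end = payload.find(b"\r\n\r\n")
    return payload if end < 0 else payload[:end + 2]


def has_empty_content_length(response: bytes) -> bool:
    """True when a Content-Length header is present but carries no value
    (header name, optional spaces/tabs, then CRLF)."""
    return EMPTY_CL_RE.search(header_block(response)) is not None


def status_code(response: bytes):
    """Status code from the response line, or None if it is not an HTTP response."""
    m = STATUS_RE.match(response)
    return int(m.group(1)) if m else None


def inspect_exchange(request: bytes, response: bytes) -> dict:
    """Combine both checks, as the request rule plus its tagged reply would expose them."""
    return {
        "options": is_options_request(request),
        "status": status_code(response),
        "empty_content_length": has_empty_content_length(response),
    }


if __name__ == "__main__":
    for name, resp in (("empty", RESPONSE_EMPTY_CL), ("normal", RESPONSE_NORMAL)):
        print(name, inspect_exchange(REQUEST, resp))
```

The `header_block()` limit matters: a `content:` match without a `pcre` anchor would also fire on "Content-Length:" text inside a response body, which is why the rule uses `^` with the `m` modifier rather than a bare substring match.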
Current thread:
- Snorting OPTIONS method Gregory D Hough (May 10)
- RE: Snorting OPTIONS method Paul Melson (May 10)
- Re: Snorting OPTIONS method Gregory D Hough (May 10)
- RE: Snorting OPTIONS method Paul Melson (May 10)