Snort mailing list archives
RE: consensus on BASE
From: James Affeld <jamesaffeld () yahoo com>
Date: Thu, 1 Jun 2006 19:38:20 -0700 (PDT)
I love sguil. It makes it easy to get the information you most often want, and possible to get the rest - and it scales to millions of events.

--- snort-users-request () lists sourceforge net wrote:
Send Snort-users mailing list submissions to
snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net
You can reach the person managing the list at
snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."
Today's Topics:
1. RE: consensus on BASE (John Hally)
2. Snort In-Line on a Linux host running as a Bridge (Sam Evans)
3. RE: [Snort-devel] Possible Evasion in http_inspect (Joel Ebrahimi)
--__--__--
Message: 1
From: John Hally <JHally () epnet com>
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] consensus on BASE
Date: Thu, 1 Jun 2006 08:22:16 -0400
I run both BASE and commercial Aanval. Aanval is a very good console for the price ($99/sensor) and has many more reporting features and such.
I agree w/ the observations of sguil that it can be a pain to install.
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John Newman
Sent: Friday, May 26, 2006 12:44 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] consensus on BASE
Is the consensus that BASE is the best web front-end for snort out there (and I mean free, open source stuff)? What are people's experiences with sguil (which I realize is not web based)?
thanks,
--
John Newman
Systems Administrator, WebXess Inc.
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk! Fully trained technicians. The highest number of Red Hat certifications in the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--__--__--
Message: 2
Date: Thu, 1 Jun 2006 08:52:55 -0600
From: "Sam Evans" <wintrmte () gmail com>
To: "snort-users @lists.sourceforge.net" <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort In-Line on a Linux host running as a Bridge
All,
I was wondering if anyone has any documentation on using Snort In-Line on a Linux host acting as a bridge? I have never done this before (always use ip forwarding) but the project I am on is requiring that I bridge.
If anyone can point me in the right direction, I would appreciate it.
Thx,
Sam
--__--__--
Message: 3
Date: Thu, 1 Jun 2006 09:19:58 -0700
From: "Joel Ebrahimi" <jebrahimi () demarc com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] RE: [Snort-devel] Possible Evasion in http_inspect
It doesn't appear that the email I sent out prior to this to both the devel list and users list ever made it through entirely (I see it on the marc mirror but I never got it sent to me and it never seems to have made it to users).
Since the bypass is trivial to implement I would hope that this patch could get reviewed by the devel/user community asap.
Reposting yesterday's message below.
----------------------------------------------------------
A large scale Snort evasion has been discovered by Blake Hartstein, a member of the Demarc Threat Research Team.

The evasion technique allows an attack to bypass detection of "uricontent" rules by adding a carriage return to the end of a URL, directly before the HTTP protocol declaration.

This affects thousands of rules in the standard Snort base rule sets.

Due to the seriousness of this vulnerability, we have developed a working patch for public review. See below.

This patch addresses the carriage return bug and should catch the known evasion attempts but further research needs to be done to determine if there are any other possible impacts of this bug. The detection for evasion is turned on by default under all profiles but can also be used as a server configuration option:

-----HTTP Inspect Server Configuration-----

non_std_cr <yes|no>

This option generates an alert when a non-standard carriage return character is detected in the URI.

-----end-----

More information including a pre-patched tarball, a simple proof of concept, and a copy of this patch can be found at
http://www.demarc.com/support/downloads/patch_20060531
With the release of this information we have also released a fix to all our Sentarus customers. If your auto-updates are turned on, then a patch and all related updates have already been applied, or you can go into your Sentarus management console and request an immediate update.

// Joel

Joel Ebrahimi
Demarc Security, Inc.
jebrahimi () demarc com
http://www.demarc.com/

-----Patch for Snort-2.4.4--

diff -Nuar
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
---
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
= 2005-03-16 13:52:18.000000000 -0800 +++
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
=
2006-05-30 22:54:44.000000000 -0700
@@ -40,6 +40,7 @@
=20
#define URI_END 1
#define NO_URI -1
+#define CR_IN_URI 18=20
#define INVALID_HEX_VAL -1
=20
/**
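Review bot: `#define CR_IN_URI 18` carries no comment and its value coincides with the event id `HI_EO_CLIENT_CR_IN_URI 18` that this same patch adds in hi_eo_events.h, although the two live in different namespaces (a URI-scan return code next to `URI_END 1` / `NO_URI -1` versus an event-table id); either choose a value that cannot be read as the event id or add a comment saying the match is incidental, and strip the trailing whitespace after `18` (the `=20` in the quoted-printable line).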
@@ -455,6 +456,11 @@
return URI_END;
}
=20
+ if(isspace(**ptr) )
+ {
+ return CR_IN_URI;
+ }
+
return NO_URI;
}
=20
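Review bot: `if(isspace(**ptr))` fires on every C-locale whitespace byte (TAB, LF, VT, FF and space as well as CR), so the return code name `CR_IN_URI` and the alert text this patch pairs with it ("NON-STD CARRIAGE RETURN IN URI") describe a narrower condition than the code checks; either test for `'\r'` explicitly or rename the code and the message to say whitespace. The argument should also be cast first, `isspace((unsigned char)**ptr)`, because passing a negative `char` value to `isspace()` is undefined behaviour, and the hunk does not show an `#include <ctype.h>`, which hi_client.c needs if it does not already have it.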
@@ -1345,8 +1351,21 @@
*/
break;
}
+ else if(iRet =3D=3D CR_IN_URI)
+ {
+ =
if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert))
+ {
+ =
hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert,
+ NULL, NULL);
+ }
+ break;
+ }
+
+
+
else /* NO_URI */
{
+
/*
** Check for chunk encoding,
because the delimiter =
can
** also be a space, which
would look like a =
pipeline request
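Review bot: the new `else if(iRet == CR_IN_URI)` branch reads only `ServerConf->non_std_cr.alert`; nothing in this hunk consults `non_std_cr.on`, so the `non_std_cr <yes|no>` option described in the mail can at most silence the alert, not switch the check off, and the hunk does not show whether the URI bytes collected before the stray whitespace are still handed to the uricontent matcher after the `break` or discarded as in the `NO_URI` path. The patch should state explicitly that the URI buffer is populated in this branch, because that, not the alert, is what closes the evasion. The three empty `+` lines after the branch and the one inside `else /* NO_URI */` are whitespace-only noise and should go.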
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
---
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
= 2004-03-11 14:25:53.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
2006-05-30 10:27:49.000000000 -0700
@@ -64,7 +64,9 @@
{HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY,
HI_EO_CLIENT_PROXY_USE_STR },
{HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY,
- HI_EO_CLIENT_WEBROOT_DIR_STR }
+ HI_EO_CLIENT_WEBROOT_DIR_STR },
+ { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY,
+ HI_EO_CLIENT_CR_IN_URI_STR },
};
=20
static HI_EVENT_INFO =
anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM]
=3D {
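Review bot: the new event-table entry is given `HI_EO_MED_PRIORITY` while the adjacent `HI_EO_CLIENT_WEBROOT_DIR` entry is `HI_EO_HIGH_PRIORITY`; since this event marks a request whose URI would otherwise escape uricontent matching entirely, a short comment explaining why MED was chosen (or raising it to HIGH) would help reviewers. The trailing comma left after the new last element is valid C but differs from the original table's style.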
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
---
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
= 2004-03-11 14:25:53.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
=
2006-05-25 13:01:08.000000000 -0700
@@ -24,13 +24,14 @@
#define HI_EO_CLIENT_LARGE_CHUNK 15 /* done */
#define HI_EO_CLIENT_PROXY_USE 16 /* done */
#define HI_EO_CLIENT_WEBROOT_DIR 17 /* done */
+#define HI_EO_CLIENT_CR_IN_URI 18 /* done */
=20
/*
** IMPORTANT:
** Every time you add a client event, this number
must be
** incremented.
*/
-#define HI_EO_CLIENT_EVENT_NUM 18
+#define HI_EO_CLIENT_EVENT_NUM 19
=20
/*
** These defines are the alert names for each
event
@@ -71,6 +72,8 @@
"(http_inspect) UNAUTHORIZED PROXY USE
DETECTED"
#define HI_EO_CLIENT_WEBROOT_DIR_STR
\
"(http_inspect) WEBROOT DIRECTORY TRAVERSAL"
+#define HI_EO_CLIENT_CR_IN_URI_STR
\
+ "(http_inspect) NON-STD CARRIAGE RETURN IN URI"
=20
/*
** Anomalous Server Events
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
---
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
= 2005-03-16 13:52:18.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
=
2006-05-30 09:44:18.000000000 -0700
@@ -113,6 +113,7 @@
HTTPINSPECT_CONF_OPT webroot;
HTTPINSPECT_CONF_OPT apache_whitespace;
HTTPINSPECT_CONF_OPT iis_delimiter;
+ HTTPINSPECT_CONF_OPT non_std_cr;
=20
} HTTPINSPECT_CONF;
=20
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
fig.c --- =
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
= 2005-03-16 13:52:19.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
fig.c 2006-05-30 23:00:25.000000000 -0700
@@ -117,6 +117,9 @@
=20
GlobalConf->global_server.non_strict =3D 1;
=20
+ GlobalConf->global_server.non_std_cr.on =3D 1;
+ GlobalConf->global_server.non_std_cr.alert =3D
1;
+
return HI_SUCCESS;
}
=20
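Review bot: the pair `non_std_cr.on = 1; non_std_cr.alert = 1;` is repeated here in the global default and again in each of the three profile hunks that follow; any profile initialiser that does not receive the pair is left with the option unset, so consider setting the default once in the global initialisation and letting profiles inherit it, or moving the pair into a single helper that every profile initialiser calls.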
@@ -209,6 +212,9 @@
=20
ServerConf->tab_uri_delimiter =3D 1;
=20
+ ServerConf->non_std_cr.on =3D 1;
+ ServerConf->non_std_cr.alert =3D 1;
+
return HI_SUCCESS;
}
=20
@@ -279,6 +285,9 @@
=20
ServerConf->non_strict =3D 1;
=20
+ ServerConf->non_std_cr.on =3D 1;
+ ServerConf->non_std_cr.alert =3D 1;
+
return HI_SUCCESS;
}
=20
@@ -349,6 +358,9 @@
=20
ServerConf->tab_uri_delimiter =3D 1;
=20
+ ServerConf->non_std_cr.on =3D 1;
+ ServerConf->non_std_cr.alert =3D 1;
+
return HI_SUCCESS;
}
=20
diff -Nuar
snort-2.4.4/src/preprocessors/snort_httpinspect.c =
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
--- snort-2.4.4/src/preprocessors/snort_httpinspect.c 2005-08-23 = 08:52:19.000000000 -0700 +++
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
2006-05-30 = 10:33:54.000000000 -0700 @@ -134,6 +134,7 @@ #define GLOBAL_ALERT "no_alerts" #define WEBROOT "webroot" #define TAB_URI_DELIMITER "tab_uri_delimiter" +#define NON_STD_CR "non_std_cr" =20 /* ** Alert subkeywords @@ -1449,6 +1450,15 @@ return iRet; } } + else if(!strcmp(NON_STD_CR, pcToken)) + { + ConfOpt =3D &ServerConf->non_std_cr; + if((iRet =3D ProcessConfOpt(ConfOpt, NON_STD_CR, + ErrorString, ErrStrLen))) + { + return iRet; + } + } else if(!strcmp(IIS_BACKSLASH, pcToken)) { ConfOpt =3D &ServerConf->iis_backslash; @@ -1583,6 +1593,7 @@ PrintConfOpt(&ServerConf->webroot, "Web Root Traversal"); PrintConfOpt(&ServerConf->apache_whitespace, "Apache WhiteSpace"); PrintConfOpt(&ServerConf->iis_delimiter, "IIS Delimiter"); + PrintConfOpt(&ServerConf->non_std_cr, "Non-Std Carriage Return"); =20 if(ServerConf->iis_unicode_map_filename) { =20 -----end----- =20-----Original Message----- 
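Review bot: the `non_std_cr` keyword is parsed through `ProcessConfOpt()` and printed with `PrintConfOpt()` like the other alert-bearing options, but no hunk in the patch touches the http_inspect documentation or the snort.conf comments, so the `non_std_cr <yes|no>` syntax exists only in this mail; add the documentation hunk, and word it to say that `no` suppresses the alert, since the hi_client.c hunk checks only `.alert` and never `.on`.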
From: snort-devel-admin () lists sourceforge net [mailto:snort-devel-admin () lists sourceforge net] On Behalf Of Jennifer Steffens
Sent: Wednesday, May 31, 2006 3:28 PM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Possible Evasion in http_inspect

Sourcefire is aware of a possible Snort evasion that exists in the http_inspect preprocessor. This evasion case only applies to protected Apache web servers. We have prepared fixes for both the 2.4 and 2.6 branches and will have fully tested releases, including binaries, available for both on Monday, June 5th.

Evasion Details:

The Apache web server supports special characters in HTTP requests that do not affect the processing of the particular request. The current target-based profiles for Apache in the http_inspect preprocessor do not properly handle these requests, resulting in the possibility that an attacker can bypass detection of rules that use the "uricontent" keyword by embedding special characters in a HTTP request.

Background Information:

It is important to note that this is an evasion and not a vulnerability. This means that while it is possible for an attacker to bypass detection, Snort sensors and the networks they protect are not at a heightened risk of other attacks.

Timeline:

Sourcefire has prepared fixes and is currently finalizing a complete round of testing to ensure that the fixes not only solve the issue at hand but do not create new bugs as well. The following releases, including binaries for Linux and Windows deployments, will be available on Monday, June 5th:

* Snort v2.4.5
* Snort v2.6.0 final

Questions:

Any questions regarding these releases can be sent to snort-team () sourcefire com.

Thanks,
Jennifer

--
Jennifer S.
Steffens
Director, Product Management - Snort
Sourcefire - Security for the Real World
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
End of Snort-users Digest
__________________________________________________
Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
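The check that Joel Ebrahimi's patch adds to hi_client.c, and why the whitespace before the protocol token matters to uricontent rules, can be shown in a self-contained form. The C program below is an added example written for this archive page; it is not Snort code and not Demarc's patch, and the function names (`scan_request_uri`, `classify_request_line`, `uri_contains`), the `URI_OK` / `URI_NONSTD_WS` / `URI_NONE` status codes and the sample request lines are this example's own constructions. It pulls the request URI out of an HTTP request line, classifies the framing between the URI and `HTTP/`, and keeps the URI available to a content matcher even when that framing is non-standard, so the odd case is both alerted on and still matched; it also applies the `unsigned char` cast that the patch's `isspace()` call lacks.

```c
/* Added example for this archive page: not Snort code and not the Demarc
 * patch. Names, status codes and sample request lines are this example's
 * own constructions. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of scanning a request line for its URI. The values echo the
 * spirit of hi_client.c's URI_END / NO_URI / CR_IN_URI codes but are
 * defined here, not taken from Snort. */
enum uri_status {
    URI_OK        = 1,   /* URI followed by one space and then "HTTP/"       */
    URI_NONSTD_WS = 18,  /* other whitespace (CR, TAB, ...) precedes "HTTP/" */
    URI_NONE      = -1   /* no "HTTP/" token found on the line at all        */
};

/* The bytes a content matcher should be given. */
struct uri_span {
    const unsigned char *start;
    size_t len;
};

static int starts_with_http(const unsigned char *p, size_t remaining)
{
    return remaining >= 5 && memcmp(p, "HTTP/", 5) == 0;
}

/* Scan one request line of `len` bytes. On return *uri always describes the
 * URI bytes that were found, even when the status is URI_NONE, so a matcher
 * is never left with an empty buffer just because the framing is odd.
 * Bytes are unsigned char, so every isspace() call is well defined. */
enum uri_status scan_request_uri(const unsigned char *line, size_t len,
                                 struct uri_span *uri)
{
    size_t i = 0, ustart;
    int nonstd = 0;

    uri->start = line;
    uri->len = 0;

    /* method token, then the space(s) separating it from the URI */
    while (i < len && !isspace(line[i]))
        i++;
    while (i < len && line[i] == ' ')
        i++;
    if (i == len)
        return URI_NONE;

    /* the URI runs until the first whitespace byte of any kind */
    ustart = i;
    while (i < len && !isspace(line[i]))
        i++;
    uri->start = line + ustart;
    uri->len = i - ustart;
    if (i == len)
        return URI_NONE;

    /* standard framing: exactly one SP and then the protocol token */
    if (line[i] == ' ' && starts_with_http(line + i + 1, len - i - 1))
        return URI_OK;

    /* tolerant framing: any whitespace run, then the protocol token; record
     * whether a byte other than a plain space was in the run, because that
     * is what a strict parser would have stopped on */
    while (i < len && isspace(line[i])) {
        if (line[i] != ' ')
            nonstd = 1;
        i++;
    }
    if (starts_with_http(line + i, len - i))
        return nonstd ? URI_NONSTD_WS : URI_OK;

    return URI_NONE;
}

/* Convenience wrapper for NUL-terminated strings. */
enum uri_status classify_request_line(const char *s, struct uri_span *uri)
{
    return scan_request_uri((const unsigned char *)s, strlen(s), uri);
}

/* Minimal stand-in for a uricontent match: is `needle` inside the URI? */
int uri_contains(const struct uri_span *uri, const char *needle)
{
    size_t n = strlen(needle), k;
    if (n == 0 || uri->len < n)
        return 0;
    for (k = 0; k + n <= uri->len; k++)
        if (memcmp(uri->start + k, needle, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* constructed request lines; the second uses the CR-before-HTTP/
     * framing discussed in the thread */
    const char *samples[] = {
        "GET /index.html HTTP/1.0\r\n",
        "GET /cgi-bin/test.cgi\r HTTP/1.0\r\n",
        "GET /cgi-bin/test.cgi\t HTTP/1.1\r\n",
        "GET /old\r\n",
    };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        struct uri_span u;
        enum uri_status st = classify_request_line(samples[n], &u);
        printf("status=%3d uri=\"%.*s\" cgi-bin=%d\n", (int)st,
               (int)u.len, (const char *)u.start,
               uri_contains(&u, "/cgi-bin/"));
    }
    return 0;
}
```

Run as-is, it prints the classification of each constructed line. The point to carry over to a real scanner is that the alert and the URI buffer are produced together: an alert on its own still leaves every uricontent rule blind to the request.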
Current thread:
- consensus on BASE John Newman (May 26)
- Re: consensus on BASE Paul Schmehl (May 26)
- <Possible follow-ups>
- RE: consensus on BASE Drew Burchett (May 27)
- Re: consensus on BASE Bamm Visscher (May 27)
- RE: consensus on BASE Michael Scheidell (May 27)
- Re: consensus on BASE Bamm Visscher (May 27)
- RE: consensus on BASE John Hally (Jun 01)
- RE: consensus on BASE James Affeld (Jun 01)
