Snort mailing list archives

Re: shouldn't snort redefine uricontent to handle proxies?


From: Matt Olney <molney () sourcefire com>
Date: Mon, 21 Sep 2009 08:14:32 -0500

As an aside, if you're going to use the uricontent keyword, which
depends on the functionality of http_inspect, make sure you add that
port to the http_inspect configuration.

Matt Olney

On Mon, Sep 21, 2009 at 7:41 AM, Jason Brvenik <jbrvenik () sourcefire com> wrote:
Running _ON_ the proxy. I immediately suspect bad checksums from checksum
offloading.

--
From the road

On Sep 20, 2009, at 10:53 PM, Matt Olney <molney () sourcefire com> wrote:

um......maybe I'm missing something...but a uricontent for /virus.exe
will find /virus.exe anywhere in the normalized buffer.

And....that thing you wanted snort to do, about normalizing out the
front bits....that's what it does...with the http_inspect preprocessor.

So I >THINK< something else is wrong here.

Matt Olney

On Sun, Sep 20, 2009 at 10:28 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:

Hi there

We're trying to run snort on proxy servers so that we can pick up infected
internal hosts directly (instead of having snort further out and only
catching the proxy IP), and find that it doesn't work without rewriting a
lot of rules.

e.g.

alert tcp $HOME -> $EXTERNAL 80 (msg:"http rule";
uricontent:"/virus.exe";distance:0)

doesn't work when it's via a proxy as uricontent is now
"http://site.name/virus.exe".

There are a lot of rules that contain "uricontent.*distance:0", so I was
wondering what would be the downside of the snort http preprocessor
normalizing out the front bit of the URLs? As an aside, most/all web
servers map "GET http://my.name/uri" to "GET /uri" anyway - so from what I
can see that has also been missed as it is?

This is under 2.8.4.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9&#45;12, 2009. Register
now&#33;
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


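Jason Brvenik's suspicion above (bad checksums from checksum offloading when the sensor runs on the proxy box itself) is worth checking before rewriting any rules, because Snort verifies checksums by default and drops a packet that fails, so http_inspect and uricontent never get to see it. The following is an added example, not code from this thread or from the Snort project: it builds two constructed IPv4/TCP packets carrying a proxy-style absolute-URI request line, one with a correct TCP checksum and one whose TCP checksum field is left at a placeholder zero, which is how an outbound packet captured on a host with TX checksum offloading can look because the NIC fills the field in after libpcap has already copied the frame. The addresses, ports, sequence numbers and payload are made up for the example; the checksum arithmetic itself is the standard RFC 1071 one.

```python
"""Check IPv4/TCP checksums the way a sensor would before trusting a capture.

Added example for this thread; not code from the thread or from Snort.
Addresses, ports, sequence numbers and the request payload are constructed.
"""
import struct

IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """TCP pseudo-header: src, dst, zero, protocol, TCP length."""
    return src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, offloaded: bool = False) -> bytes:
    """Return an IPv4+TCP packet (no link-layer header).

    With offloaded=True the TCP checksum field is left at 0, mimicking an
    outbound packet captured on the sending host before the NIC computed it.
    """
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport,
                      1000, 2000,            # seq / ack: constructed values
                      5 << 4, 0x18,          # data offset 5 words, flags PSH|ACK
                      65535, 0, 0) + payload  # window, checksum (0), urgent
    if not offloaded:
        csum = checksum(_pseudo_header(_ip(src), _ip(dst), len(tcp)) + tcp)
        tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp),   # version 4, IHL 5, total length
                     0x1234, 0x4000,           # id, DF
                     64, IPPROTO_TCP, 0,       # ttl, proto, header checksum (0)
                     _ip(src), _ip(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify(packet: bytes) -> dict:
    """Recompute both checksums from the packet as captured.

    A header whose checksum field is correct sums (field included) to 0xFFFF.
    """
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    ip_hdr = packet[:ihl]
    tcp = packet[ihl:total_len]
    pseudo = _pseudo_header(ip_hdr[12:16], ip_hdr[16:20], len(tcp))
    return {
        "ip_ok": ones_complement_sum(ip_hdr) == 0xFFFF,
        "tcp_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
        "tcp_csum_field": struct.unpack("!H", tcp[16:18])[0],
    }


def count_bad_tcp(packets) -> tuple:
    """(total, bad) over a capture. If nearly every outbound packet is bad,
    suspect offloading on the capture host rather than corruption."""
    bad = sum(1 for p in packets if not verify(p)["tcp_ok"])
    return len(packets), bad


# Constructed proxy-style request, as a client sends it to a forward proxy.
REQUEST = b"GET http://site.name/virus.exe HTTP/1.0\r\n\r\n"
GOOD = build_ipv4_tcp("10.0.0.5", "192.0.2.80", 40000, 3128, REQUEST)
OFFLOADED = build_ipv4_tcp("10.0.0.5", "192.0.2.80", 40000, 3128, REQUEST,
                           offloaded=True)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("offloaded", OFFLOADED)):
        print(name, verify(pkt))
    print("total/bad:", count_bad_tcp([GOOD, OFFLOADED]))
```

If the packets captured on the proxy host look like the second one, the fix is on the sensor or the interface, not in the rules: turn TX checksum offloading off on the capture interface (ethtool -K <iface> tx off) or tell Snort to stop verifying checksums (config checksum_mode: none in snort.conf, or -k none on the command line). Separately, as Matt Olney notes at the top of the thread, the proxy's listening port has to be in the http_inspect_server ports list (for example, preprocessor http_inspect_server: server default profile all ports { 80 3128 }), otherwise there is no normalized URI buffer for uricontent to match against at all.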