Snort mailing list archives

Re: [AUTO IP] Re: Question about content


From: Matt Olney <molney () sourcefire com>
Date: Tue, 1 Dec 2009 14:29:53 -0500

One of the list members asked a question about why I chose to add the
"nocase" modifier to the http_method content match.  I thought it was a
pretty quality question, so I'm pasting my answer here:

"We constrain to buffers, in this case the http_method buffer, to avoid
false positives and to increase the speed of detection.  This is
because the data in the buffer is shorter and we know that we're
looking in that data.

We nocase to avoid false negatives.  For example:

[molney@vrt-app-01 ~]$ telnet www.sourcefire.com 80
Trying 68.177.102.22...
Connected to www.sourcefire.com (68.177.102.22).
Escape character is '^]'.
get
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

We spend a lot of time working out evasion cases.  It is very, very
trivial in many cases to subtly adjust the attack to work with the
server and bypass detection.  This involves a lot of core body
knowledge in the protocols (bmc and phoo are
particularly strong in this area) and some testing.

An interesting aside:

[molney@vrt-app-01 whitehat]$ telnet www.sourcefire.com 80
Trying 68.177.102.22...
Connected to www.sourcefire.com (68.177.102.22).
Escape character is '^]'.
gEt
<html><body><h1>500 Internal Server Error</h1></body></html>Connection
closed by foreign host.
[molney@vrt-app-01 whitehat]$ telnet www.sourcefire.com 80
Trying 68.177.102.22...
Connected to www.sourcefire.com (68.177.102.22).
Escape character is '^]'.
Get
<html><body><h1>500 Internal Server Error</h1></body></html>Connection
closed by foreign host.

We never trust a server to behave in the manner that the RFCs require,
nor do we anticipate that clients will only act in the manner the RFCs
outline.  In fact, our experience shows that there are very few
circumstances where vendors are completely RFC compliant and RFC
restricted.

Hope that answers your question,

Matt"
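As an added illustration (not code from Matt's post or from Snort itself), the following Python models how the two modifiers change what a content match sees: constraining to the method buffer removes the false positive on a URI that happens to contain "GET", and nocase removes the false negatives on "get" and "gEt". The request payloads, the rule helper and all names are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentRule:
    """One Snort-style content match plus the two modifiers discussed above."""
    pattern: bytes
    http_method: bool = False  # constrain the search to the method buffer
    nocase: bool = False       # compare case-insensitively


def http_method_buffer(payload: bytes) -> bytes:
    """What the http_method buffer holds: the token before the first space
    (or end of line) of the request line, returned exactly as the client
    sent it, case untouched."""
    request_line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    return request_line.split(b" ", 1)[0]


def rule_matches(rule: ContentRule, payload: bytes) -> bool:
    """Evaluate one content match the way the modifiers direct."""
    haystack = http_method_buffer(payload) if rule.http_method else payload
    needle = rule.pattern
    if rule.nocase:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


# Constructed request payloads (not captured traffic). The method spellings
# mirror the telnet sessions in the post; the last one hides "GET" in the URI.
REQUESTS = {
    "canonical": b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "lowercase": b"get /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "mixedcase": b"gEt /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "uri_only":  b"POST /GET_report HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
}

# Raw, case-sensitive match: misses "get"/"gEt" and fires on the URI.
NAIVE_RULE = ContentRule(pattern=b"GET")
# Buffer-constrained, nocase match: fires only on the method, any spelling.
TUNED_RULE = ContentRule(pattern=b"GET", http_method=True, nocase=True)


def evaluate(rule: ContentRule) -> dict:
    """Run one rule over every constructed request; True means 'alert'."""
    return {name: rule_matches(rule, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, rule in (("naive", NAIVE_RULE), ("tuned", TUNED_RULE)):
        print(label, evaluate(rule))
```

The server in the post happened to reject "gEt" with a 500, but the tuned rule still alerts on it, which is the safer side to err on since another server may accept it.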
