Snort mailing list archives

BUG: corner case involving http_cookie


From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 9 Mar 2010 22:15:06 -0600

Failing to use the http_cookie modifier on a rule where there is
another rule that matches the same packet makes a rule that should
fire fail.

src/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.3 (Build 124)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05


src/snort -k none -q -A console -c etc/snort.conf -l ./ -r oisfsearchnums.pcap

#this combo works
#alert tcp any any -> any any (msg:"http_client_body";
content:"searchword="; uricontent:"/index.php"; nocase;
classtype:bad-unknown; sid:59; rev:1;)
#alert tcp any any -> any any (msg:"http_cookie match ";
content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703";
http_cookie; classtype:bad-unknown; sid:68; rev:1;)
#
#03/07-21:19:54.242506  [**] [1:59:1] http_client_body [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80
#03/07-21:19:54.242506  [**] [1:68:1] http_cookie match  [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80
#03/07-21:19:54.364173  [**] [1:68:1] http_cookie match  [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80

#the second rule does not fire
#alert tcp any any -> any any (msg:"http_client_body + depth";
content:"searchword="; uricontent:"/index.php"; nocase;
classtype:bad-unknown; sid:59; rev:1;)
#alert tcp any any -> any any (msg:"http_cookie match";
content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703";
classtype:bad-unknown; sid:68; rev:1;)
#
#03/07-21:19:54.242506  [**] [1:59:1] http_client_body + depth [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80

#this rule fires when used on its own.
#alert tcp any any -> any any (msg:"http_cookie match";
content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703";
classtype:bad-unknown; sid:68; rev:1;)
#
#03/07-21:19:54.242506  [**] [1:68:1] http_cookie match [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80
#03/07-21:19:54.364173  [**] [1:68:1] http_cookie match [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80

Attachment: oisfsearchnums.pcap
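Added example, not code from the poster or from the Snort project: a small Python harness that parses Snort's fast-format console alerts (the `-A console` output shown in the report) together with the sids declared in a rule set, and reports which sids never fired. The function names (`parse_fast_alerts`, `rule_sids`, `regression_check`) are my own. The embedded rules and alert lines are copied from the three runs in the report above, so the check reproduces the discrepancy described there: sid 68 fires on its own, but is absent when the cookie rule without `http_cookie` is loaded beside sid 59.

```python
import re
from typing import Dict, List, Set, Tuple

# One alert in Snort fast format. The report wraps each alert across three
# lines, so the whole output is scanned with a single DOTALL regex rather
# than line by line. The 'msg' group is lazy so it stops at the closing [**].
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s*\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)",
    re.S,
)

# Rule keywords we need: sid and msg. Rules may be prefixed with '#'
# (as pasted in the report) and wrapped over several lines.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def parse_fast_alerts(text: str) -> List[Dict[str, object]]:
    """Return one dict per alert found in fast-format console output."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        d = dict(m.groupdict())
        d["sid"] = int(d["sid"])
        alerts.append(d)
    return alerts


def rule_sids(rules_text: str) -> Dict[int, str]:
    """Map sid -> msg for every rule in a (possibly line-wrapped) rule set."""
    # Re-join wrapped lines: a new rule begins at 'alert' (optionally after '#').
    joined = re.sub(r"\n(?!#?\s*alert\b)", " ", rules_text)
    out: Dict[int, str] = {}
    for rule in joined.splitlines():
        s = SID_RE.search(rule)
        if not s:
            continue
        msg = MSG_RE.search(rule)
        out[int(s.group(1))] = msg.group(1) if msg else ""
    return out


def regression_check(rules_text: str, alert_output: str) -> Tuple[Set[int], Set[int]]:
    """Return (sids that fired, sids declared in the rule set that never fired)."""
    expected = set(rule_sids(rules_text))
    fired = {a["sid"] for a in parse_fast_alerts(alert_output)}
    return fired, expected - fired


# Rules and console output copied from the report: cookie rule WITH http_cookie.
WITH_COOKIE_RULES = '''
alert tcp any any -> any any (msg:"http_client_body";
content:"searchword="; uricontent:"/index.php"; nocase;
classtype:bad-unknown; sid:59; rev:1;)
alert tcp any any -> any any (msg:"http_cookie match ";
content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703";
http_cookie; classtype:bad-unknown; sid:68; rev:1;)
'''
WITH_COOKIE_ALERTS = '''
03/07-21:19:54.242506  [**] [1:59:1] http_client_body [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80
03/07-21:19:54.242506  [**] [1:68:1] http_cookie match  [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80
03/07-21:19:54.364173  [**] [1:68:1] http_cookie match  [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80
'''

# Same two rules, cookie rule WITHOUT http_cookie: only sid 59 is reported.
COMBINED_RULES = '''
alert tcp any any -> any any (msg:"http_client_body + depth";
content:"searchword="; uricontent:"/index.php"; nocase;
classtype:bad-unknown; sid:59; rev:1;)
alert tcp any any -> any any (msg:"http_cookie match";
content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703";
classtype:bad-unknown; sid:68; rev:1;)
'''
COMBINED_ALERTS = '''
03/07-21:19:54.242506  [**] [1:59:1] http_client_body + depth [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80
'''


if __name__ == "__main__":
    for name, rules, alerts in (("with http_cookie", WITH_COOKIE_RULES, WITH_COOKIE_ALERTS),
                                ("without http_cookie", COMBINED_RULES, COMBINED_ALERTS)):
        fired, missing = regression_check(rules, alerts)
        print(f"{name}: fired={sorted(fired)} never fired={sorted(missing)}")
```

The same two functions work on a real run by reading the rule file and the console output from `src/snort -A console ... -r <pcap>` instead of the embedded strings; comparing the "never fired" set between a rule run alone and the same rule loaded with others is the quickest way to confirm a matcher interaction of this kind before reporting it.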
