Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: BUG: corner case involving http_cookie

From: Steven Sturges <steve.sturges () sourcefire com>
Date: Wed, 10 Mar 2010 09:15:18 -0500
Will--

In the 2nd rule the only content is an HTTP cookie.  Without using
http_cookie, it would try to match the raw data.

With HTTP Inspect enabled, it is separating the headers, cookie,
method, etc from the raw data, hence all of the modifier keywords
that you can use with content -- can use more than one together.

Without specifying http_cookie in the rule and when HTTP Inspect
enabled (and cookie inspection enabled in 2.8.6), if the pattern
matcher searches any of the HTTP buffers, it doesn't search the raw
data.  If no rules use the specific HTTP buffers or there are no HTTP
buffers, the pattern matcher will search the raw data, which is why
the rule byte itself (without http_cookie) works.

This was done to avoid going over the same data twice in the pattern
matcher, and it is working as it is designed.

Two options:

1) Use http_cookie in the rule as you note in the case that works.

2) Turn off HTTP Inspect (not realistic)

Cheers
-steve

Will Metcalf wrote:

hmmm I don't think so.  Look at first test.  both rules fire.

Regards,

Will

On Tue, Mar 9, 2010 at 10:31 PM, beenph <beenph () gmail com> wrote:

I will try a wild guess, what is your event_queue size like?

Its probably a bug or something  that need clarification regarding
http_cookie and http_inspect, but mabey http_cookie enable a modifier
in http_inspect that alter alerting behavior when event_queue is at 1
(since i guess both "alerts" are part of the same normalized http
stream)


-elz
ps: didin't run the pcap and rules test.


On Tue, Mar 9, 2010 at 11:15 PM, Will Metcalf <william.metcalf () gmail com> wrote:

failing to use the http_cookie modifier on a rule where there is
another rule that matches the same packet makes a rule that should
fire fail.

src/snort -V

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.8.5.3 (Build 124)
  ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
          Copyright (C) 1998-2009 Sourcefire, Inc., et al.
          Using PCRE version: 7.8 2008-09-05


src/snort -k none -q -A console -c etc/snort.conf -l ./ -r oisfsearchnums.pcap

#this combo works
#alert tcp any any -> any any (msg:"http_client_body";
content:"searchword="; uricontent:"/index.php"; nocase;
classtype:bad-unknown; sid:59; rev:1;)
#alert tcp any any -> any any (msg:"http_cookie match ";
content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703";
http_cookie; classtype:bad-unknown; sid:68; rev:1;)
#
#03/07-21:19:54.242506  [**] [1:59:1] http_client_body [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80
#03/07-21:19:54.242506  [**] [1:68:1] http_cookie match  [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80
#03/07-21:19:54.364173  [**] [1:68:1] http_cookie match  [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80

#the second rule does not fire
#alert tcp any any -> any any (msg:"http_client_body + depth";
content:"searchword="; uricontent:"/index.php"; nocase;
classtype:bad-unknown; sid:59; rev:1;)
#alert tcp any any -> any any (msg:"http_cookie match";
content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703";
classtype:bad-unknown; sid:68; rev:1;)
#
#03/07-21:19:54.242506  [**] [1:59:1] http_client_body + depth [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80

#this rule fires when used on it's own.
#alert tcp any any -> any any (msg:"http_cookie match";
content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703";
classtype:bad-unknown; sid:68; rev:1;)
#
#03/07-21:19:54.242506  [**] [1:68:1] http_cookie match [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80
#03/07-21:19:54.364173  [**] [1:68:1] http_cookie match [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
192.168.100.17:38111 -> 96.43.130.5:80

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel




------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel



------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Previous By Date Next
Previous By Thread Next

Current thread: