Snort mailing list archives

Re: BUG: corner case involving http_cookie


From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 24 Mar 2010 13:50:35 -0500

You guys may not care, but I found this sort of interesting. From what
I have seen, the way snort normally deals with invalid content/modifier
combinations is that it will attempt to apply the specified modifier
to the last content match specified in the rule that it considers
valid. If no previous content match it considers valid can be found,
it errors out with some error like "please specify a content
match" or something. With the exception of http_uri, it appears that if
you wedge a uricontent match between http_* and a valid previous content
match, the keyword is simply ignored. So while I realize there is no
valid use case here, this behavior is inconsistent with the way that
snort tries to silently fix typos.

Regards,

Will

#test 69 http_cookie. uricontent
#:::69:::N:::uricontent,http_cookie:::oisfsearchnums.pcap:::http_cookie.rules:::69
#very odd: the following sig fails if depth is used in combination with
#an http_cookie modifier with uricontent wedged in-between. If
#http_cookie is moved to the other side of the uricontent match the sig
#fires, or if the depth/offset modifier is removed the sig fires. It
#appears as if in this corner case http_cookie is ignored. This
#behavior differs from most content modifiers as it is ignored instead
#of applied to a valid previous match.
#
#file oisfsearchnums.pcap
#alert tcp any any -> any any (msg:"e6504ae48c99f09df7f58996aacbb6b0 with uricontent + http_cookie"; content:"e6504ae48c99f09df7f58996aacbb6b0"; offset:563; depth:32; uricontent:"/index.php/component/search/index.php"; http_cookie; classtype:bad-unknown; sid:69; rev:1;)
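As an added example that is not part of Will's message, Snort's parser or his test harness: a small rule linter that models the modifier-binding behaviour the post describes ("a modifier attaches to the most recent content/uricontent match; with none, it is an error") and flags the placement the post found to be silently ignored, an http_* modifier sitting directly after a uricontent. The binding model is taken from the post's description rather than from Snort's source, the http_*-after-uricontent check is this example's own suggestion, and the two rules it runs over are the posted rule and a reordered copy of it.

```python
# Added example: lint Snort rule options for modifier placement.
# Not Snort's parser and not the poster's test harness. The binding rule
# ("a modifier attaches to the most recent content/uricontent") is the
# behaviour the post describes; the http_*-after-uricontent check is an
# assumption of this example about what a rule author wants flagged.

CONTENT_KEYWORDS = {"content", "uricontent"}

# Modifiers that only make sense attached to a preceding content match.
MODIFIERS = {
    "offset", "depth", "distance", "within", "nocase", "rawbytes",
    "http_uri", "http_cookie", "http_header", "http_method", "http_client_body",
}


def split_options(rule):
    """Split the text inside a rule's parentheses into (keyword, value) pairs.

    Splits on ';' only outside double quotes and honours backslash escapes,
    so a pattern like content:"a\\;b" stays intact. Value is None for bare
    keywords such as http_cookie or nocase.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    tokens, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            tokens.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    tokens.append("".join(buf))

    options = []
    for tok in tokens:
        tok = tok.strip()
        if not tok:
            continue
        key, sep, val = tok.partition(":")
        options.append((key.strip(), val.strip() if sep else None))
    return options


def bind_modifiers(rule):
    """Attach each modifier to the most recent content/uricontent match.

    Returns (matches, findings): matches is a list of dicts holding the
    keyword, the quoted pattern and the modifiers bound to it; findings
    lists placements a rule author should look at before trusting the rule.
    """
    matches, findings = [], []
    for kw, val in split_options(rule):
        if kw in CONTENT_KEYWORDS:
            matches.append({"keyword": kw, "pattern": val, "modifiers": []})
        elif kw in MODIFIERS:
            if not matches:
                # The post describes Snort erroring out in this situation.
                findings.append(f"{kw}: no preceding content match to apply it to")
                continue
            target = matches[-1]
            if kw.startswith("http_") and target["keyword"] == "uricontent":
                # uricontent already selects the URI buffer, so an http_*
                # modifier right after it is the placement the post reports.
                findings.append(
                    f"{kw} follows uricontent {target['pattern']}; "
                    f"move it directly after the content it should modify"
                )
            target["modifiers"].append(kw)
    return matches, findings


# The rule from the post, joined onto one line.
RULE_FROM_POST = (
    'alert tcp any any -> any any (msg:"e6504ae48c99f09df7f58996aacbb6b0 with '
    'uricontent + http_cookie"; content:"e6504ae48c99f09df7f58996aacbb6b0"; '
    'offset:563; depth:32; uricontent:"/index.php/component/search/index.php"; '
    'http_cookie; classtype:bad-unknown; sid:69; rev:1;)'
)

# The same rule with http_cookie moved ahead of the uricontent, the
# ordering the post says fires as expected.
RULE_REORDERED = RULE_FROM_POST.replace(
    'depth:32; uricontent:"/index.php/component/search/index.php"; http_cookie;',
    'depth:32; http_cookie; uricontent:"/index.php/component/search/index.php";',
)

if __name__ == "__main__":
    for label, rule in (("as posted", RULE_FROM_POST), ("reordered", RULE_REORDERED)):
        matches, findings = bind_modifiers(rule)
        print(label)
        for m in matches:
            print(f"  {m['keyword']}:{m['pattern']} <- {m['modifiers']}")
        for f in findings:
            print(f"  finding: {f}")
```

Run against the posted rule, the linter shows http_cookie binding to the uricontent and raises one finding; against the reordered copy, http_cookie binds to the content alongside offset and depth and nothing is flagged, which is the ordering the post reports as working.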
