Snort mailing list archives

Re: Looking for HTTP POST's over 1mb in size


From: Matt Olney <molney () sourcefire com>
Date: Thu, 8 Apr 2010 22:54:38 -0400

Actually (don't ask me why)...they both work:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon"; pcre:"/User-Agent:/H"; classtype: attempted-admin; sid: 33333;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon escaped"; pcre:"/User-Agent\:/H"; classtype: attempted-admin; sid: 33334;)

Alerts:
1:33333:0       PCRE with colon
     Alerts: 2
1:33334:0       PCRE with colon escaped
     Alerts: 2

[HTTP_HEADER BUFFER DATA (0x8ac90a0)]:
55 73 65 72 2d 41 67 65 6e 74 3a 20 43 42 4e 65    User-Agent: CBNe
74 44 61 74 61 53 65 74 0d 0a 48 6f 73 74 3a 20    tDataSet..Host:
73 65 67 6d 65 6e 74 2e 70 77 30 38 2e 69 63 69    segment.pw08.ici
62 61 2e 63 6f 6d 0d 0a 43 61 63 68 65 2d 43 6f    ba.com..Cache-Co
6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 32    ntrol: max-age=2
35 39 32 30 30 0d 0a 56 69 61 3a 20 31 2e 30 20    59200..Via: 1.0
50 52 4f 58 59 0d 0a 43 6f 6e 6e 65 63 74 69 6f    PROXY..Connectio
6e 3a 20 63 6c 6f 73 65 0d 0a 0d                   n: close...

Matt
(Who has been stupid busy, but is still listening)

2010/4/8 L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>

I disagree.  Unless snort is not PCRE compatible (which it seems they
should be based on the acronym), you don't have to escape the colon in
this context for a pcre check.

Cheers,

-L0rd Ch0de1m0rt

On Thu, Apr 8, 2010 at 7:46 PM, 김무성 <kimms () infosec co kr> wrote:
Missed escape : \

You have to write this

pcre:"/^Content-Length\:\s*[0-9]{7,}$/i";
or
pcre:"/^Content-Length\x3a\s*[0-9]{7,}$/i";

-----Original Message-----
From: evilghost () packetmail net [mailto:evilghost () packetmail net]
Sent: Friday, April 09, 2010 2:01 AM
To: JOSH RIVEL, BLOOMBERG/ 731 LEXIN
Cc: SNORT-SIGS () LISTS SOURCEFORGE NET
Subject: Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size

Glad to help Josh, also drop the '/s', I meant to write the PCRE as:

pcre:"/^Content-Length:\s*[0-9]{7,}$/i";


-evilghost

JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
evilghost-
Yeah, my PCRE skills are pretty weak.  I'll try your change and let you
know how it works out (I also changed the source from "any" to $HOME_NET as
well).
Thanks!!
Josh

----- Original Message -----
From: Evilghost () Packetmail Net <evilghost () packetmail net>
To: JOSH RIVEL (BLOOMBERG/ 731 LEXIN)
Cc: SNORT-SIGS () LISTS SOURCEFORGE NET
At:  4/08 12:49:17

Hey Josh, isn't the root issue here 10[1-9] in the PCRE OR match, since
it'll match on 101, 102, 103, etc.?

What about:

pcre:"/^Content-Length:\s*[0-9]{7,}$/si";

It'll still match against 1,000,000 bytes, which is close enough to 1Mb
for me.  Also, not sure why you need the other PCRE flags.

-evilghost

JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:

So I wrote a signature to detect HTTP POSTs over 1mb in size, but I
think that my pcre logic is flawed.  Can someone take a look and let me know
if this is OK?  (It does work, but will trigger on file sizes < 1mb based on
the Content-Length: header.)
(We have some stuff in there to ignore posts to certain sites due to
too many false positives)
The rule is:
alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:!"Host\: live.com"; nocase; http_header; content:!"Host\: mail.google.com"; nocase; http_header; content:!"Host\: mail.yahoo.com"; nocase; content:!"Host\: webmail.aol.com"; nocase; http_header; content:!"Host\: webmail.juno.com"; nocase; http_header; content:!"Host\: webmailb.juno.com"; nocase; http_header; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; pcre:!"/^Host:\s.*[\.live.com]$/smi"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:4; )

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
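The two regex questions in this thread, the `10[1-9]` alternation that fires on small Content-Length values and whether the colon has to be escaped, can both be checked offline before a rule goes into production. The script below is an added example and is not code from the thread or from Snort: it uses Python's `re` module as a stand-in for Snort's PCRE engine, builds a constructed POST header block (not the capture Matt posted), and adds one caveat the thread does not raise, namely that with the default LF newline convention `$` matches before `\n` but not before the `\r` of a CRLF line ending, so evilghost's `...$` form needs a `\r?` to fire on real HTTP headers.

```python
import re


def request(content_length):
    """Constructed HTTP POST header block; only the headers matter here."""
    return (
        "POST /upload HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "User-Agent: CBNetDataSet\r\n"
        "Content-Type: multipart/form-data; boundary=xyz\r\n"
        f"Content-Length: {content_length}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


# Snort's /smi modifiers map onto re.S, re.M and re.I.  The /m is what lets
# ^ and $ anchor each header line instead of the whole buffer.
FLAGS = re.S | re.M | re.I

# Josh's original alternation: the 10[1-9] branch matches 101..109 and any
# longer value that merely begins with those digits.
ORIGINAL = re.compile(r"^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])", FLAGS)

# evilghost's replacement: seven or more digits, i.e. >= 1,000,000.
SUGGESTED = re.compile(r"^Content-Length:\s*[0-9]{7,}$", FLAGS)

# Same threshold, but tolerant of the \r before \n: under the default LF
# newline convention $ does not match before a carriage return (our caveat).
CRLF_SAFE = re.compile(r"^Content-Length:\s*[0-9]{7,}\r?$", FLAGS)


def alerts(pattern, headers):
    """True if a rule carrying this pcre would fire on the header block."""
    return pattern.search(headers) is not None


# The colon question from the top of the thread: ':' is not a regex
# metacharacter, so the bare, backslash-escaped and \x3a spellings are the
# same pattern.
COLON_FORMS = (r"User-Agent:", r"User-Agent\:", r"User-Agent\x3a")


def colon_forms_agree(headers):
    """True when all three colon spellings give the same match result."""
    results = {re.search(p, headers) is not None for p in COLON_FORMS}
    return len(results) == 1


if __name__ == "__main__":
    for size in (105, 999999, 1048576):
        hdrs = request(size)
        print(f"Content-Length {size:>8}: original={alerts(ORIGINAL, hdrs)} "
              f"suggested={alerts(SUGGESTED, hdrs)} crlf_safe={alerts(CRLF_SAFE, hdrs)}")
    print("colon spellings agree:", colon_forms_agree(request(105)))
```

Running it shows the false positive the thread identified (the original pattern fires on a 105-byte POST), that the seven-digit form fixes the threshold, and that the `$`-anchored version only works once the trailing `\r` is accounted for; the three colon spellings all match the `User-Agent` line from Matt's capture.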
