Snort mailing list archives

Re: Looking for HTTP POST's over 1mb in size


From: Alex Kirk <akirk () sourcefire com>
Date: Thu, 8 Apr 2010 23:12:38 -0400

True, but some of us are a bit gun-shy around colons in Snort rules - it
only takes screwing up a release once before you make a habit of escaping
colons wherever they may be found. :-P

2010/4/8 evilghost () packetmail net <evilghost () packetmail net>

Colon doesn't need to be escaped in a PCRE, even in a Snort PCRE. It
does in a content match. :)

-evilghost

Matt Olney wrote:
Actually (don't ask me why)...they both work:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon"; pcre:"/User-Agent:/H"; classtype: attempted-admin; sid: 33333;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon escaped"; pcre:"/User-Agent\:/H"; classtype: attempted-admin; sid: 33334;)

Alerts:
1:33333:0 PCRE with colon Alerts: 2
1:33334:0 PCRE with colon escaped Alerts: 2

[HTTP_HEADER BUFFER DATA (0x8ac90a0)]:
55 73 65 72 2d 41 67 65 6e 74 3a 20 43 42 4e 65 User-Agent: CBNe
74 44 61 74 61 53 65 74 0d 0a 48 6f 73 74 3a 20 tDataSet..Host:
73 65 67 6d 65 6e 74 2e 70 77 30 38 2e 69 63 69 segment.pw08.ici
62 61 2e 63 6f 6d 0d 0a 43 61 63 68 65 2d 43 6f ba.com..Cache-Co
6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 32 ntrol: max-age=2
35 39 32 30 30 0d 0a 56 69 61 3a 20 31 2e 30 20 59200..Via: 1.0
50 52 4f 58 59 0d 0a 43 6f 6e 6e 65 63 74 69 6f PROXY..Connectio
6e 3a 20 63 6c 6f 73 65 0d 0a 0d n: close...

Matt
(Who has been stupid busy, but is still listening)

2010/4/8 L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>

    I disagree. Unless snort is not PCRE compatible (which it seems they
    should be based on the acronym), you don't have to escape the colon in
    this context for a pcre check.

    Cheers,

    -L0rd Ch0de1m0rt

    On Thu, Apr 8, 2010 at 7:46 PM, 김무성 <kimms () infosec co kr> wrote:
    > Missed escape : \
    >
    > You have to write this
    >
    > pcre:"/^Content-Length\:\s*[0-9]{7,}$/i";
    > or
    > pcre:"/^Content-Length\x3a\s*[0-9]{7,}$/i";
    >
    > -----Original Message-----
    > From: evilghost () packetmail net [mailto:evilghost () packetmail net]
    > Sent: Friday, April 09, 2010 2:01 AM
    > To: JOSH RIVEL, BLOOMBERG/ 731 LEXIN
    > Cc: SNORT-SIGS () LISTS SOURCEFORGE NET
    > Subject: Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size
    >
    > Glad to help Josh, also drop the '/s', I meant to write the PCRE as:
    >
    > pcre:"/^Content-Length:\s*[0-9]{7,}$/i";
    >
    >
    > -evilghost
    >
    > JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
    >> evilghost-
    >> Yeah my PCRE skills are pretty weak. I'll try your change and
    let you know how it works out (I also change the source from "any"
    to $HOME_NET as well)
    >> Thanks!!
    >> Josh
    >>
    >> ----- Original Message -----
    >> From: Evilghost () Packetmail Net <evilghost () packetmail net>
    >> To: JOSH RIVEL (BLOOMBERG/ 731 LEXIN)
    >> Cc: SNORT-SIGS () LISTS SOURCEFORGE NET
    >> At: 4/08 12:49:17
    >>
    >> Hey Josh, isn't the root issue here 10[1-9] in the PCRE OR match
    >> since it'll match on 101, 102, 103, etc?
    >>
    >> What about:
    >>
    >> pcre:"/^Content-Length:\s*[0-9]{7,}$/si";
    >>
    >> It'll still match against 1,000,000 bytes which is close enough
    >> to 1Mb for me. Also, not sure why you need the other PCRE flags.
    >>
    >> -evilghost
    >>
    >>
    >>
    >>
    >> JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
    >>
    >>> So I wrote a signature to detect HTTP POST's over 1mb in size,
    but I think that my pcre logic is flawed. Can someone take a look
    and let me know if this is OK? (It does work, but will trigger on
    file sizes < 1mb based on the Content-Length: header)
    >>> (We have some stuff in there to ignore posts to certain sites
    due to too many false positives)
    >>> The rule is:
    >>> alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:!"Host\: live.com"; nocase; http_header; content:!"Host\: mail.google.com"; nocase; http_header; content:!"Host\: mail.yahoo.com"; nocase; content:!"Host\: webmail.aol.com"; nocase; http_header; content:!"Host\: webmail.juno.com"; nocase; http_header; content:!"Host\: webmailb.juno.com"; nocase; http_header; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; pcre:!"/^Host:\s.*[\.live.com]$/smi"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:4; )
    >>>

------------------------------------------------------------------------------
    >>> Download Intel® Parallel Studio Eval
    >>> Try the new software tools for yourself. Speed compiling, find bugs
    >>> proactively, and fine-tune applications for parallel performance.
    >>> See why Intel Parallel Studio got high marks during beta.
    >>> http://p.sf.net/sfu/intel-sw-dev
    >>> _______________________________________________
    >>> Snort-sigs mailing list
    >>> Snort-sigs () lists sourceforge net
    >>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
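The two points argued in this thread, that the `10[1-9]` alternative in Josh's original PCRE fires on tiny bodies and that a colon needs no escaping inside a PCRE, are easy to check outside Snort. The following is an added example, not code from the thread or from Snort; it uses Python's `re` module (whose anchor and `$`-before-LF semantics match PCRE's defaults) against constructed header blocks, and the `HARDENED` pattern with `re.M` and a trailing `\r?` is my own variant, not one anybody in the thread proposed.

```python
import re
from typing import Optional

# Constructed HTTP request header blocks (not captures from the thread).
# Header lines end in CRLF, as real HTTP does, and Content-Length is not the
# first header, as is usual in browser-generated POSTs.
HEADERS_SMALL = (
    "Host: upload.example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=----abc\r\n"
    "Content-Length: 105\r\n"
    "\r\n"
)
HEADERS_JUST_UNDER_MIB = HEADERS_SMALL.replace("Content-Length: 105", "Content-Length: 1048575")
HEADERS_LARGE = HEADERS_SMALL.replace("Content-Length: 105", "Content-Length: 2097152")

# Josh's original expression with its /smix flags, as posted in the thread.
ORIGINAL = re.compile(r"^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])", re.S | re.M | re.I | re.X)

# evilghost's corrected expression with only /i, as posted in the thread.
PROPOSED = re.compile(r"^Content-Length:\s*[0-9]{7,}$", re.I)

# Assumed hardened variant (mine, not from the thread): /m so the header may sit on
# any line of the buffer, and an optional CR so "$" still matches before the CRLF.
HARDENED = re.compile(r"^Content-Length:\s*[0-9]{7,}\r?$", re.M | re.I)


def flags(headers: str) -> dict:
    """Report which of the three expressions fire on a header block."""
    return {
        "original": ORIGINAL.search(headers) is not None,
        "proposed": PROPOSED.search(headers) is not None,
        "hardened": HARDENED.search(headers) is not None,
    }


def content_length(headers: str) -> Optional[int]:
    """Parse the declared body size as an integer, independent of any regex threshold."""
    m = re.search(r"^Content-Length:\s*([0-9]+)\r?$", headers, re.M | re.I)
    return int(m.group(1)) if m else None


def over_one_mib(headers: str) -> bool:
    """Strict check: body declared larger than 1 MiB (1,048,576 bytes)."""
    n = content_length(headers)
    return n is not None and n > 1024 * 1024


def colon_escape_equivalent(sample: str) -> bool:
    """Matt's two test patterns: "User-Agent:" and "User-Agent\\:" behave identically."""
    plain = re.search(r"User-Agent:", sample) is not None
    escaped = re.search(r"User-Agent\:", sample) is not None
    return plain == escaped


if __name__ == "__main__":
    for name, block in [("small", HEADERS_SMALL),
                        ("just under 1 MiB", HEADERS_JUST_UNDER_MIB),
                        ("large", HEADERS_LARGE)]:
        print(f"{name:17} length={content_length(block):>8} "
              f"over_1MiB={over_one_mib(block)!s:5} {flags(block)}")
    print("colon escaping irrelevant:", colon_escape_equivalent("User-Agent: CBNetDataSet\r\n"))
```

Running it shows the three behaviours the thread circles around: the original pattern fires on a 105-byte body because `10[1-9]` is an unconditional alternative; the proposed pattern, lacking `/m`, only anchors at the start of the buffer and so never fires on a block where Content-Length is not the first header (it does match the bare line `Content-Length: 2097152` on its own); and the `[0-9]{7,}` threshold starts at 1,000,000, which is below 1 MiB, exactly the "close enough" evilghost mentions.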