Re: HTTP Signature not triggering

[Will Metcalf <william.metcalf () gmail com>]

try removing /H this is a snort specific modifier it localizes the
match to the http_headers..

On Wed, Apr 14, 2010 at 4:47 PM, JOSH RIVEL, BLOOMBERG/ 731 LEXIN
<jrivel () bloomberg net> wrote:
> Will,
>
> Running pcretest with that pcre does work, but I will try your suggested PCRE and see if that fixes things.
>
> Thanks, Josh
>
> ---- Original Message ----
> From: Will Metcalf <william.metcalf () gmail com>
> At: 4/14/2010 17:39
>
> hmmm that pcre doesn't look quite right... Does the sig fire if you
> remove it?  If it does Maybe try something like the following...
>
> pcre:"/^Content-Length\x3a\s*[0-9]{7,}\r$/Hmi"
>
> Regards,
>
> Will
>
> On Wed, Apr 14, 2010 at 4:20 PM, JOSH RIVEL, BLOOMBERG/ 731 LEXIN
> <jrivel () bloomberg net> wrote:
> > Hello, so I have the following signature looking for HTTP posts of size > 1mb to any machines $EXTERNAL_NET, but 
> > despite my best efforts I can't get it to trigger.
> > alert tcp $HOME_NET !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; 
> > http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; 
> > nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*[0-9]{7,}$/i"; msg:"HTTP POST 
> > over 1mb - pcre only"; classtype:policy-violation; sid:1872316; gid:1; rev:1; )
> >
> > I uploaded a 2mb file to a website and the signature did not trigger.  Here are the snippets from tcpdump output on 
> > the sensor of the file being uploaded.
> >
> > POST /test/upload.php HTTP/1.1
> > Host: xx
> > User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > Accept-Language: en-us,en;q=0.5
> > Accept-Encoding: gzip,deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Referer: http://xx/xx
> > Content-Type: multipart/form-data; boundary=---------------------------1588529377280840353328422082
> > Content-Length: 2097381
> > Connection: Keep-Alive
> > -----------------------------1588529377280840353328422082
> > Content-Disposition: form-data; name="uploaded"; filename="2mb"
> > Content-Type: application/octet-stream
> >
> > That signature does not trigger, however this one does (which has bad PCRE in it to detect file sizes of > 1mb)  I 
> > also tried using stream_size:client,>=,1048576 in the signature with no luck.
> > (So here's the bad signature but it does trigger)
> > alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; 
> > content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; nocase; 
> > content:"Content-Length\:"; nocase; http_header; pcre:"/^Content- Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; 
> > msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:15; )
> >
> > Any thoughts? I'm wracking my brains trying to sort this one out...
> > Thanks, Josh
> > ------------------------------------------------------------------------------
> > Download Intel&#174; Parallel Studio Eval
> > Try the new software tools for yourself. Speed compiling, find bugs
> > proactively, and fine-tune applications for parallel performance.
> > See why Intel Parallel Studio got high marks during beta.
> > http://p.sf.net/sfu/intel-sw-dev
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs