Snort mailing list archives
http_inspect claims no cookies in traffic?
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Mon, 12 Jul 2010 16:58:03 +0000
Trying to play around with doing detection based on cookie content, and it simply appears to just not be working? Request (hostnames modified as they are malicious malware domains prior to posting to list):

===============================================================================
GET /down.php?c=947 HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-silverlight, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Referer: hXXp://go12_._scrapper-site_._net/3/?c=947
Accept-Language: en-us,zh-cn;q=0.9,zh-hk;q=0.7,zh-mo;q=0.6,zh-sg;q=0.4,zh-tw;q=0.3,zh;q=0.1
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2; MS-RTC LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: go12_._scrapper-site_._net
Connection: Keep-Alive
Cookie: WinSec_site_u=1; qwEXas=947
===============================================================================

Rule that does not fire:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST http_cookie WinSec"; flow:established,to_server; content:"WinSec_site_u=1"; http_cookie; classtype:bad-unknown; sid:9999999; rev:1;)

This was driving me crazy until I noticed the HTTP Inspect output saying there are no response or request cookies extracted?

===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 0
GET methods: 2
HTTP Request Headers extracted: 2
HTTP Request Cookies extracted: 0
Post parameters extracted: 0
HTTP response Headers extracted: 0
HTTP Response Cookies extracted: 0
Unicode: 0
Double unicode: 0
Non-ASCII representable: 0
Base 36: 0
Directory traversals: 0
Extra slashes ("//"): 0
Self-referencing paths ("./"): 0
HTTP Response Gzip packets extracted: 0
Gzip Compressed Data Processed: n/a
Gzip Decompressed Data Processed: n/a
Total packets processed: 71
===============================================================================

I've tried other bits of traffic when the server is setting the cookie as well and even then, it never says any http response or request cookies are extracted. Is there some compilation option or other configuration setting that needs to be set for this to work? What gives?

$ snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6 (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21
           Using ZLIB version: 1.2.3.3

--
Eoin
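An added configuration example, not part of the original message: in Snort 2.8.x the http_inspect_server preprocessor only extracts the Cookie header into the http_cookie buffer when the enable_cookie option is set, which is why both the http_cookie rule option and the "HTTP Request Cookies extracted" counter stay at zero without it. The profile, port list and file location below are assumptions for illustration.

```snort
# snort.conf (assumed location) -- before: cookie inspection is off by
# default, so "content:...; http_cookie;" can never match and the
# preprocessor stats report "HTTP Request Cookies extracted: 0".
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 }

# after: enable_cookie turns on extraction of the Cookie header (and
# Set-Cookie in responses) into its own buffer for http_cookie rules.
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 } \
    enable_cookie
```

After restarting Snort, re-check the "HTTP Inspect - encodings" stats: a non-zero "HTTP Request Cookies extracted" value confirms the option is active before you tune the rule itself.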