Snort mailing list archives

http_inspect - no gzip decompressed data processed?


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 15 Jul 2010 20:26:46 +0000

I have a small pcap I am trying to write sigs for. After figuring out I didn't have gzip enabled because I used the snort.conf that came with snort rather than the snort.conf that came with the VRT ruleset (doh!), I am still unable to get any of the sigs to fire on it.

Signature (dumbed down just for testing purposes here; if I make the signature only require matches on anything that is not GZIP'd, then it will fire):
alert tcp any any -> any any (msg:"MALVERTISING hidden iframe served by ngix 2"; content:"iframe"; nocase; classtype:bad-unknown; sid:5600066; rev:1;)

Raw packet that should be causing the sig to fire (address/port stuff removed). This is the only packet in the stream that has gzip-encoded data:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/12-18:07:10.511891 XXX.XXX.XXX.XXX:80 -> XXX.XXX.XXX.XXX:2790
TCP TTL:51 TOS:0x0 ID:2145 IpLen:20 DgmLen:575 DF
***AP*** Seq: 0x126BD99B  Ack: 0x61DCA8DD  Win: 0x1A28  TcpLen: 20
0x0000:
0x0010:
0x0020:
0x0030:                      54 54 50 2F 31 2E 31 20 32        HTTP/1.1 2
0x0040: 30 30 20 4F 4B 0D 0A 53 65 72 76 65 72 3A 20 6E  00 OK..Server: n
0x0050: 67 69 6E 78 2F 30 2E 36 2E 33 39 0D 0A 44 61 74  ginx/0.6.39..Dat
0x0060: 65 3A 20 4D 6F 6E 2C 20 31 32 20 4A 75 6C 20 32  e: Mon, 12 Jul 2
0x0070: 30 31 30 20 31 38 3A 30 37 3A 31 30 20 47 4D 54  010 18:07:10 GMT
0x0080: 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20  ..Content-Type:
0x0090: 74 65 78 74 2F 68 74 6D 6C 0D 0A 54 72 61 6E 73  text/html..Trans
0x00A0: 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A 20 63 68  fer-Encoding: ch
0x00B0: 75 6E 6B 65 64 0D 0A 43 6F 6E 6E 65 63 74 69 6F  unked..Connectio
0x00C0: 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 58  n: keep-alive..X
0x00D0: 2D 50 6F 77 65 72 65 64 2D 42 79 3A 20 50 48 50  -Powered-By: PHP
0x00E0: 2F 35 2E 31 2E 36 0D 0A 43 6F 6E 74 65 6E 74 2D  /5.1.6..Content-
0x00F0: 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 0D 0A  Encoding: gzip..
0x0100: 0D 0A 61 0D 0A 1F 8B 08 00 00 00 00 00 00 03 0D  ..a.............
0x0110: 0A 31 33 30 0D 0A BD 52 CB 4E C4 30 0C BC EF 57  .130...R.N.0...W
0x0120: 44 B9 04 24 DA 74 D9 07 85 4D 7A 44 82 03 1C E0  D..$.t...MzD....
0x0130: 07 D2 D6 6D 22 D2 64 37 75 F7 F1 F7 A4 DD 15 42  ...m".d7u......B
0x0140: 20 AE F8 64 8F 3D 1E 6B 64 A1 B1 B3 85 D0 A0 EA   ..d.=.kd.......
0x0150: 62 26 3A 40 45 34 E2 36 81 DD 60 F6 92 56 DE 21  b&:@E4.6..`..V.!
0x0160: 38 4C F0 B4 05 4A 2E 95 A4 08 47 E4 23 73 43 2A  8L...J....G.#sC*
0x0170: AD 42 0F 28 9F DE 5E 93 3C 5F DD 27 73 1A 17 A1  .B.(..^.<_.'s...
0x0180: 41 0B C5 32 5B 92 17 8F E4 D1 0F AE 16 FC 0C 0A  A..2[...........
0x0190: 3E 89 89 D2 D7 27 52 B6 95 B7 3E 48 7A D0 06 61 >....'R...>Hz..a
0x01A0: 64 56 51 0E 42 BC 68 FE 93 1E 11 C1 2F ED 99 D0  dVQ.B.h...../...
0x01B0: 71 E6 52 B8 D6 B8 23 CF D2 75 BA 58 7D 9B E0 A3  q.R...#..u.X}...
0x01C0: 42 31 FB FF F8 65 23 0B D0 04 E8 35 FB 72 90 DD  B1...e#....5.r..
0x01D0: 6D 86 60 E5 68 F5 03 E7 25 58 6B 2A DF C3 47 9E  m.`.h...%Xk*..G.
0x01E0: 1A D7 78 BE CB 7B CE 0A D1 57 C1 6C 91 58 E5 DA  ..x..{...W.l.X..
0x01F0: 41 B5 20 E9 B3 DA AB B7 09 A4 05 E9 C1 36 69 E7  A. ..........6i.
0x0200: F7 F0 EE AF 16 D9 72 7D B3 C8 56 EB EB 0D 11 FC  ......r}..V.....
0x0210: CC 8B 66 9A 26 A8 0E 48 1F 2A C9 FE D2 72 B7 96  ..f.&..H.*...r..
0x0220: 33 72 30 35 6A C9 E6 8C 68 30 AD C6 29 9D D8 A5  3r05j...h0..)...
0x0230: 0F 35 04 C9 B2 78 10 3F 2F 8C C9 F4 36 9F 04 6B  .5...x.?/...6..k
0x0240: BF 18 3D 02 00 00 0D 0A 30 0D 0A 0D 0A           ..=.....0....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Decoded HTML response output:
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 573
Content-Type: text/html
Date: Mon, 12 Jul 2010 18:07:10 GMT
Server: nginx/0.6.39
X-Powered-By: PHP/5.1.6

<html><head> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> <title>404 Not Found</title></head><body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>nginx/0.6.35</center> </body> <meta http-equiv='refresh' content='7;url=http://<REMOVED>.info/q8s/'><script language="JavaScript"> self.moveTo(3046,3056); </script> <iframe src='http://<REMOVED>.info/n2l/' width='1' height='1' frameborder='0'></iframe></html>



The output from http_inspect seems weird as it claims 0 bytes for "Gzip Decompressed Data Processed"?
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          2
    HTTP Request Headers extracted:       2
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            0
    HTTP response Headers extracted:      2
    HTTP Response Cookies extracted:      0
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Base 36:                              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 2
    Gzip Compressed Data Processed:       331.00
    Gzip Decompressed Data Processed:     0.00
    Total packets processed:              4
===============================================================================


http_inspect config from snort.conf:
===============================================================================
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
preprocessor http_inspect_server: server default \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    u_encode yes \
    webroot no
===============================================================================

Version info:
===============================================================================
# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6 IPv6 GRE (Build 38)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21
           Using ZLIB version: 1.2.3.3
===============================================================================



I am seriously tearing my hair out; does anyone have any ideas/suggestions? I have been reading and re-reading the README.http_inspect, but I am not seeing why this would not be working with the default configuration.

-- Eoin
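The response in the dump is both chunked (Transfer-Encoding: chunked) and gzip-compressed (Content-Encoding: gzip), and the chunk framing is interleaved with the gzip stream: "a\r\n" carries the 10-byte gzip header as its own chunk, "130\r\n" carries the remaining 304 bytes, then "0\r\n\r\n" closes the body. Counting from the "a" at offset 0x102 to the final CRLF at 0x24C gives 331 bytes, chunk framing included, which is the same number the "Gzip Compressed Data Processed" counter reports. The script below is an added example, not code from the original post or from the Snort project, and it makes no claim about http_inspect internals. It builds a constructed sample body framed the same way (the hostname and page text are placeholders) and shows what a case-insensitive "iframe" match sees when the chunk framing is stripped before inflating, versus when the framed bytes are handed to inflate as-is: the latter produces zero decompressed bytes because the stream no longer starts with the gzip magic.

```python
import gzip
import zlib

# Constructed sample page, standing in for the decoded 404 page in the post.
# The hostname is a placeholder, not the one redacted from the list message.
SAMPLE_HTML = (
    b"<html><head><title>404 Not Found</title></head><body>"
    b"<center><h1>404 Not Found</h1></center>"
    b"<iframe src='http://example.invalid/n2l/' width='1' height='1' "
    b"frameborder='0'></iframe></body></html>"
)


def chunk_encode(payload: bytes, first_chunk: int = 10) -> bytes:
    """Frame payload as an HTTP/1.1 chunked body.

    Mirrors the split seen in the dump: the 10-byte gzip header travels
    alone in a first chunk ("a\\r\\n"), the rest in a second chunk, then
    the zero-length last-chunk.
    """
    pieces = [payload[:first_chunk], payload[first_chunk:]]
    framed = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces if p)
    return framed + b"0\r\n\r\n"


def dechunk(body: bytes) -> bytes:
    """Remove the chunked transfer-coding and return the bare entity body."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        # chunk-size is hex; anything after ';' is a chunk extension and is ignored
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk reached; trailers, if any, are not needed here
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF at offset %d" % pos)
        pos += 2
    return bytes(out)


def inflate_gzip(data: bytes) -> bytes:
    """Inflate one gzip member; wbits 16+MAX_WBITS makes zlib expect the gzip wrapper."""
    return zlib.decompress(data, 16 + zlib.MAX_WBITS)


def inspect_body(body: bytes, dechunk_first: bool, pattern: bytes = b"iframe") -> dict:
    """Report what a case-insensitive content match sees for one response body.

    dechunk_first=True is the order HTTP/1.1 requires (the transfer-coding is
    removed before the content-coding); False feeds the framed bytes straight
    to inflate, which fails on the leading chunk-size line.
    """
    stream = dechunk(body) if dechunk_first else body
    try:
        decoded = inflate_gzip(stream)
        error = None
    except zlib.error as exc:
        decoded = b""
        error = str(exc)
    return {
        "compressed_len": len(stream),
        "decompressed_len": len(decoded),
        "match": pattern.lower() in decoded.lower(),
        "error": error,
    }


def build_sample_body() -> bytes:
    """Constructed response body: gzip-compressed sample page, chunk-framed as in the dump."""
    return chunk_encode(gzip.compress(SAMPLE_HTML))


if __name__ == "__main__":
    body = build_sample_body()
    print("dechunk, then inflate:", inspect_body(body, dechunk_first=True))
    print("inflate framed body:  ", inspect_body(body, dechunk_first=False))
```

Run it as-is; the first line reports the sample page's full length and a match, the second reports a zlib "incorrect header check" error with zero decompressed bytes. When checking a sensor against a capture like this one, the useful comparison is the same: confirm the decompressed byte counter grows on a chunked gzip response, not only on an unchunked one, since a content match on the decoded body can only fire if inflate actually produced output.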