Snort mailing list archives
Re: http_client_body, distance and ignoring requirement for content match?
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 10 Aug 2010 17:43:00 -0500
--On Tuesday, August 10, 2010 20:47:16 +0000 Eoin Miller <eoin.miller () trojanedbinaries com> wrote:
> Why in the world would the following signature match against the below POST?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO Exploit Kit - request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; http_client_body; classtype:bad-unknown; sid:5600100; rev:2;)
>
> POST /earth-expandable-substrate-pack-p-1903.html?action=add_product&currency=USD&osCsid=uhlf66l9csn4gkpvj9kq016ht2 HTTP/1.1
>
> [snipped]
>
> This should require "id=" and then "|25 32 36|j" to be 32 bytes or more away within the http_client_body. However, it isn't possible for this to happen: since there are only 14 bytes of data within the http_client_body after the "id=", it should not be possible to match.
>
> I have other signatures that are NOT firing on this packet but are nearly identical:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:32; http_client_body; classtype:bad-unknown; sid:5600101; rev:2;)
>
> It is very puzzling that one would fire and not the other... Snort can't be ignoring the content match for four vs five bytes for some reason, could it? ("|25 32 36|jp" vs "|25 32 36|j")
Looks like it's matching on the "j". Since there is no "jp", that rule doesn't match.

I can't explain why it's matching though, because it shouldn't match unless you see %26j. Distance is in bytes, however, and each character takes two bytes. So there's more than 32 bytes. In fact the "j" (6a) is right at the 32 byte location.

This is what the string looks like in ascii and then in hex:

id=uhlf66l9csn4gkpvj9kq016ht2

id= 75 68 6c 66 36 36 31 39 63 73 6e 34 67 6b 70 76 6a 39 6b 71 30 31 36 68 74 32

Each character is represented by two bytes. Total byte count is 52, so you're well within your distance parameter. If you really meant distance:32 characters;, you should write distance:64;

It would be nice if you posted the hex from the detection. Do you see 25 32 36 6A anywhere in the hex?

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
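Added example, not from the thread or from the Snort project: a small Python emulation of how Snort chains `content` matches with `distance` (the search for the next content begins the given number of raw buffer bytes after the end of the previous match, with backtracking if a later content fails), run against constructed client bodies so the two rules quoted above can be checked by hand. The sample bodies and the `min_body_length` helper are constructed for this example.

```python
"""Minimal emulation of Snort's chained `content` / `distance` matching.

Added example (not from the thread or Snort). Semantics modelled: the first
content is searched from offset 0; `distance:N` on a later content moves the
search start to N bytes after the END of the previous match; all offsets are
raw buffer bytes, so one ASCII character advances the cursor by one byte.
"""
from typing import List, Optional, Tuple

Content = Tuple[bytes, int]  # (pattern, distance from end of previous match)

# Content chains of the two rules in the thread; "|25 32 36|" is "%26".
RULE_5600100: List[Content] = [(b"id=", 0), (b"%26j", 32)]
RULE_5600101: List[Content] = [(b"id=", 0), (b"%26jp", 32)]


def evaluate_chain(buf: bytes, chain: List[Content], cursor: int = 0) -> Optional[List[int]]:
    """Return the start offset of every content in `chain`, or None if it cannot match.

    If a later content fails, the earlier one is retried at its next occurrence.
    """
    if not chain:
        return []
    pattern, distance = chain[0]
    pos = buf.find(pattern, cursor + distance)
    while pos >= 0:
        rest = evaluate_chain(buf, chain[1:], pos + len(pattern))
        if rest is not None:
            return [pos] + rest
        pos = buf.find(pattern, pos + 1)
    return None


def min_body_length(chain: List[Content]) -> int:
    """Smallest buffer (in bytes) in which the whole chain can possibly match."""
    return sum(len(pattern) + distance for pattern, distance in chain)


# Constructed bodies (not the capture from the thread).
BODY_SHORT = b"id=abcdefghijklmn"                         # 14 bytes after "id=": too short
BODY_NEAR = b"id=" + b"A" * 10 + b"%26j" + b"A" * 30     # "%26j" only 10 bytes past "id="
BODY_FAR = b"id=" + b"A" * 32 + b"%26j&x=1"              # "%26j" exactly 32 bytes past "id="

if __name__ == "__main__":
    print("minimum body length for sid 5600100:", min_body_length(RULE_5600100))
    for name, body in (("short", BODY_SHORT), ("near", BODY_NEAR), ("far", BODY_FAR)):
        print(name, "sid 5600100 ->", evaluate_chain(body, RULE_5600100),
              "| sid 5600101 ->", evaluate_chain(body, RULE_5600101))
```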