Snort mailing list archives
Snort: http_preprocessor issues on HTTP file uploads
From: Cees <celzinga () gmail com>
Date: Tue, 26 Apr 2011 14:43:33 +0200
Hello list,

I'm getting a lot of false positives on rules using the http_method keyword. It looks like there is a bug in the http_preprocessor parsing HTTP file uploads. These file uploads are often fragmented, and the http_preprocessor appears to parse each fragment as a separate request. Tested on Snort 2.8.6.1 and 2.9.0.4. Can someone confirm the issue?

Attached is the PCAP of a sample file upload. The file is split over multiple TCP packets. One of the packets starts with the string "smod", another one with "s faucibus". I created two Snort rules, one checking for "smod" as the http_method, and one checking for "faucibus" as the http_uri. Both trigger on the upload:

------
POST /cgi-bin/run/~jkorpela/echo.cgi HTTP/1.1
Host: www.cs.tut.fi
[..]
Content-Disposition: form-data; name="datafile"; filename="a"
Content-Type: application/octet-stream

Lorem ipsum dolor sit amet [..] smod a sagittis vel, hendrerit ac velit. [..] s faucibus [..]
------

snort.conf:
------
include classification.config
var HOME_NET [130.230.4.103/32]
var EXTERNAL_NET ![$HOME_NET]
portvar HTTP_PORTS [80]

output alert_fast: fast_alert
output unified2: filename snort.u2, limit 128

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"smod http_method"; flow:established,to_server; content:"smod"; http_method; classtype:bad-unknown; sid:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"faucibus http_uri"; flow:established,to_server; content:"faucibus"; http_uri; classtype:bad-unknown; sid:2;)

preprocessor stream5_global: track_tcp yes, \
    max_tcp 512000, \
    memcap 8388608, \
    track_udp no, \
    track_icmp no
preprocessor stream5_tcp: policy bsd, ports both 443 465 563 636 989 992 993 994 995 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306 8080
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 } \
    no_alerts \
    oversize_dir_length 500 \
    server_flow_depth 0 \
    client_flow_depth 0
------

$ snort -r http_file_upload.pcap -c snort.conf -l log/ -k none -A console
Using PCAP_FRAMES = 32768
04/26-11:53:06.039129 [**] [1:1:0] smod http_method [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 10.0.3.156:45269 -> 130.230.4.103:80
04/26-11:53:06.081095 [**] [1:2:0] faucibus http_uri [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 10.0.3.156:45269 -> 130.230.4.103:80

- Cees
Attachment:
http_file_upload.pcap
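The failure mode Cees describes, as an added example that is not part of the original post and is not Snort's http_inspect code: a simplified model of two HTTP inspectors, one that treats every TCP segment as the start of a new request and one that reassembles the stream first. The multipart POST, its filler text and the segmentation offsets are constructed here (the attached PCAP is not reproduced); the segments are cut so that one begins with "smod" and another with "s faucibus", as in the post. The per-segment parser produces exactly the two spurious matches the posted rules alerted on, while the reassembled parser sees a single POST to the real URI. Whether a real Snort sees the segments individually or reassembled depends on stream5's handling of the flow, which this model does not reproduce.

```python
import re

# Constructed multipart POST modelled on the upload in the post (the real
# PCAP is not reproduced here); the filler text is chosen so that "euismod"
# and "lobortis faucibus" appear in the body.
BOUNDARY = "----FormBoundaryAbC123"
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="datafile"; filename="a"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam euismod "
    "a sagittis vel, hendrerit ac velit. Donec lobortis faucibus urna.\r\n"
    f"--{BOUNDARY}--\r\n"
)
REQUEST = (
    "POST /cgi-bin/run/~jkorpela/echo.cgi HTTP/1.1\r\n"
    "Host: www.cs.tut.fi\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n"
    f"{BODY}"
).encode("ascii")


def segment_at(data: bytes, markers: list[bytes]) -> list[bytes]:
    """Cut the byte stream immediately before the first occurrence of each
    marker, imitating TCP segmentation that happens to land mid-word."""
    cuts = sorted(data.index(m) for m in markers)
    bounds = [0, *cuts, len(data)]
    return [data[a:b] for a, b in zip(bounds, bounds[1:])]


# Constructed segmentation matching the post: one segment starts with
# "smod" (from "euismod"), another with "s faucibus" (from "lobortis faucibus").
SEGMENTS = segment_at(REQUEST, [b"smod", b"s faucibus"])

# Request line: METHOD, whitespace, URI. Deliberately lenient, like an
# inspector that does not insist on a trailing HTTP-version token.
REQUEST_LINE = re.compile(rb"^([A-Za-z]+)[ \t]+([^ \t\r\n]+)")


def parse_request_line(buf: bytes):
    """Return (method, uri) if buf begins with something request-line-shaped."""
    m = REQUEST_LINE.match(buf)
    return (m.group(1).decode(), m.group(2).decode()) if m else None


def per_segment_parse(segments):
    """Broken inspector: every TCP segment is treated as a fresh request,
    so body bytes at a segment boundary become a 'method' and a 'URI'."""
    return [p for p in (parse_request_line(s) for s in segments) if p]


def reassembled_parse(segments):
    """Stream-aware inspector: reassemble first, then parse one request.
    Only the start of the reassembled stream is treated as a request line."""
    return [p for p in [parse_request_line(b"".join(segments))] if p]


def http_method_matches(parsed, needle: str):
    """Model of content:"needle"; http_method; over the parsed requests."""
    return [p for p in parsed if needle in p[0]]


def http_uri_matches(parsed, needle: str):
    """Model of content:"needle"; http_uri; over the parsed requests."""
    return [p for p in parsed if needle in p[1]]


if __name__ == "__main__":
    for name, parsed in (("per-segment", per_segment_parse(SEGMENTS)),
                         ("reassembled", reassembled_parse(SEGMENTS))):
        print(name, parsed)
        print("  smod http_method  ->", http_method_matches(parsed, "smod"))
        print("  faucibus http_uri ->", http_uri_matches(parsed, "faucibus"))
```

Running the script prints three "requests" for the per-segment parser (the real POST plus the bogus "smod a" and "s faucibus" ones) and one for the reassembled parser; the two rule models only fire in the first case. The same construction is a quick way to build a regression PCAP for any segment-boundary false positive: pick the body bytes you want to appear at a segment start and cut there.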