Snort mailing list archives

Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers

From: Joel Esler <jesler () sourcefire com>
Date: Tue, 3 Apr 2012 12:25:46 -0400

Your content match is in http_header, but your pcre isn't.  It's searching the whole packet.  Two different buffers.  
The pcre should be modified to only read from http_header.

As to why it worked before, who knows.  "FM" as we used to say in the Army.  This is why it's important to test your 
rules as much as you can, and also why we believe "supported versions" are important.

There's reasons we upgrade the engine.

J

On Apr 3, 2012, at 12:22 PM, Jeff Kell <jeff-kell () utc edu> wrote:

You say "the top four are written incorrectly" yet they worked in 2.8.6, so I'm confused.

They work fine without "http_header", and doesn't the "User-agent: blah blah
Java/1.6.0_27" bits fall into an http_header?

Or is it the "fast_pattern:only" part?  (They work fine with or without that).

I'm just "confused" as things were working fine 2.8.6 and now I'm chasing my tail (or
the piggy's curly tail, one or the other...)

Jeff

On 4/3/2012 10:58 AM, Joel Esler wrote:

On Apr 3, 2012, at 9:06 AM, Jeff Kell <jeff-kell () utc edu> wrote:

I have been running the ET signatures for "vulnerable Java" user agents for some time,
specifically:

/etc/snort/rules/policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server;
content:" Java/1.4."; fast_pattern:only; http_header;
flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient;
threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown;
sid:2011584; rev:7;)
/etc/snort/rules/policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server;
content:" Java/1.5."; fast_pattern:only; nocase; http_header;
flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient;
threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown;
sid:2011581; rev:6;)
/etc/snort/rules/policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server;
content:" Java/1.6."; fast_pattern:only; http_header; pcre:"/Java\/1.6.0_([0-2]|30)/";
flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient;
threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown;
sid:2011582; rev:15;)
/etc/snort/rules/policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server;
content:" Java/1.7."; fast_pattern:only; http_header; pcre:"/Java\/1.7.0_0[1-2]/";
flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient;
threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown;
sid:2014297; rev:1;)

These were firing "like crazy" last week with the expected accurate results.  After a
long-overdue upgrade of my snort to 2.9.1.2 (lastest version w/snortsam patch), these
signatures STOPPED.

Snortsam is now part of barnyard2.  You should upgrade to 2.9.2.2.

I took one of the "noisier" ones and eliminated the "http_header" bits...

/etc/snort/rules/local.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"ET fixup Vulnerable Java Version 1.6.x Detected"; flow:established,to_server;
content:" Java/1.6.0_"; fast_pattern:only; pcre:"/Java\/1.6.0_([0-2]|30)/";
flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient;
threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown;
sid:2012040201; rev:11;)

And it's firing again!

Any clues what's going on here?  I'm afraid I may be losing other http_keyboard
inspections as well…j

The top four rules are written incorrectly.  The content match and the pcre are reading from two different buffers.

I copied the http_inspect configurations out of the suggested 2.9.1.2 snort.conf file
(other than increasing server_flow and client_flow):

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth
65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
  http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY
BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE } \
  chunk_length 500000 \
  server_flow_depth 65535 \
  client_flow_depth 1460 \
  post_depth 65495 \
  oversize_dir_length 500 \
  max_header_length 750 \
  max_headers 100 \
  max_spaces 0 \
  small_chunk_length { 10 5 } \
  ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250
7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280
8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \
  non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
  enable_cookie \
  extended_response_inspection \
  inspect_gzip \
  normalize_utf \
  unlimited_decompress \
  apache_whitespace no \
  ascii no \
  bare_byte no \
  directory no \
  double_decode no \
  iis_backslash no \
  iis_delimiter no \
  iis_unicode no \
  multi_slash no \
  utf_8 no \
  u_encode yes \
  webroot no


Thanks in advance.

Jeff

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!



------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Strange issues between 2.8.6 and 2.9.1.2 with http_headers Jeff Kell (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Joel Esler (Apr 03)
  - Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Jeff Kell (Apr 03)
    - Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Joel Esler (Apr 03)
    - Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Jeff Kell (Apr 03)
    - Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Eoin Miller (Apr 03)
    - Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Joel Esler (Apr 03)