Snort mailing list archives

Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers


From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 3 Apr 2012 12:55:21 -0400

On 4/3/2012 12:25 PM, Joel Esler wrote:
> Your content match is in http_header, but your pcre isn't. It's searching the whole packet. Two different buffers.
> The pcre should be modified to only read from http_header.


Alright, one case example:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java
Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.";
fast_pattern:only; http_header; pcre:"/Java\/1.6.0_([0-2]|30)/";
flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient;
threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown;
sid:2011582; rev:15;)

Works fine 2.8.6, does not work 2.9.1.2.

Remove "http_header" and it works just fine.

Replace "http_header" and change pcre to "read from http_header" via
pcre:"/Java\/1.6.0_([0-2]|30)/H"; and it still doesn't fire.

So it would appear to "NOT" be looking at the http_header in any sense.  I remove
"http_header" and they work.  I put it back with various tweaking pcre combinations and
modifiers, they do not work.

Sample packet having issues:

GET /images/article/functions/facebook.gif HTTP/1.1
User-Agent: Java/1.6.0_24
Host: graphics8.nytimes.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

I'd just like to find a consistent explanation / behavior somewhere besides finger pointing :)  

Snort 2.8.6 to 2.9.1 is inconsistent (obviously but expected by now).  and/or

The emerging sigs are either broken / misappropriated between 2.8.6 and 2.9.1 versions.   and/or

My configuration/build is screwed up somewhere :)

Anyone else running these signatures with 2.9.x and having them still working normally?

Jeff
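As an added illustration, not code from this thread or from Snort, the following Python emulation replays the two-buffer point raised above against the sample packet: the content match is bound to http_header, while the pcre searches either the raw packet or, with /H, the same header buffer. The header extraction is an approximation of Snort's http_header buffer (header lines after the request line, body excluded), and the second packet is constructed to show where the buffers diverge.

```python
import re

# Constructed request, copied from the packet quoted in the post.
SAMPLE_PACKET = (
    "GET /images/article/functions/facebook.gif HTTP/1.1\r\n"
    "User-Agent: Java/1.6.0_24\r\n"
    "Host: graphics8.nytimes.com\r\n"
    "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n"
    "Connection: keep-alive\r\n\r\n"
)

# Constructed: the version string appears only in the URI, not in any header.
URI_ONLY_PACKET = (
    "GET /dl/Java/1.6.0_24/x HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.invalid\r\n\r\n"
)

# Patterns taken from sid:2011582 rev:15 as posted (dots left unescaped, as in the rule).
CONTENT = " Java/1.6."
PCRE = re.compile(r"Java/1.6.0_([0-2]|30)")


def http_header_buffer(packet):
    """Approximation (assumption) of Snort's http_header buffer: the header
    lines after the request line, body excluded, CRLF line endings kept."""
    head, _, _body = packet.partition("\r\n\r\n")
    return "\r\n".join(head.split("\r\n")[1:]) + "\r\n"


def evaluate_rule(packet, pcre_uses_h):
    """Return (content_hit, pcre_hit, rule_fires).

    content is always bound to http_header.  Without /H the pcre runs over
    the whole packet; with /H it runs over the same header buffer."""
    header = http_header_buffer(packet)
    content_hit = CONTENT in header
    pcre_hit = PCRE.search(header if pcre_uses_h else packet) is not None
    return content_hit, pcre_hit, content_hit and pcre_hit


if __name__ == "__main__":
    for name, pkt in (("sample", SAMPLE_PACKET), ("uri-only", URI_ONLY_PACKET)):
        for use_h in (False, True):
            print(name, "pcre /H" if use_h else "pcre raw", evaluate_rule(pkt, use_h))
```

On the quoted packet both variants fire in this emulation, so the buffer mismatch alone does not explain the miss on that request; the uri-only packet shows the pcre hitting the raw packet while the rule still stays silent because the header-bound content never matches.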



