Snort mailing list archives
Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers
From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 3 Apr 2012 12:55:21 -0400
On 4/3/2012 12:25 PM, Joel Esler wrote:
Your content match is in http_header, but your pcre isn't. It's searching the whole packet. Two different buffers. The pcre should be modified to only read from http_header.
Alright, one case example:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6."; fast_pattern:only; http_header; pcre:"/Java\/1.6.0_([0-2]|30)/"; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown; sid:2011582; rev:15;)

Works fine on 2.8.6, does not work on 2.9.1.2.

Remove "http_header" and it works just fine.

Replace "http_header" and change the pcre to "read from http_header" via pcre:"/Java\/1.6.0_([0-2]|30)/H"; and it still doesn't fire.

So it would appear to "NOT" be looking at the http_header in any sense. I remove "http_header" and they work. I put it back with various tweaked pcre combinations and modifiers, and they do not work.

Sample packet having issues:

GET /images/article/functions/facebook.gif HTTP/1.1
User-Agent: Java/1.6.0_24
Host: graphics8.nytimes.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

I'd just like to find a consistent explanation / behavior somewhere besides finger pointing :)

Snort 2.8.6 to 2.9.1 is inconsistent (obviously, but expected by now).
and/or
The emerging sigs are either broken / misappropriated between the 2.8.6 and 2.9.1 versions.
and/or
My configuration/build is screwed up somewhere :)

Anyone else running these signatures with 2.9.x and having them still working normally?

Jeff
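To illustrate the buffer point Joel raises (content restricted to http_header, pcre searching the whole packet unless it carries the H modifier), here is an added example in Python that is not part of this thread and not Snort code. It uses a deliberately simplified model of Snort's HTTP buffers (an assumption of this example), replays sid 2011582's content and pcre options against the request quoted above, and against a constructed request from a patched client whose body merely mentions an old version, to show how a pcre without H can fire on text outside the header buffer.

```python
import re

# Constructed from the request quoted in the post: the User-Agent is Java 1.6.0_24.
VULNERABLE_REQUEST = (
    "GET /images/article/functions/facebook.gif HTTP/1.1\r\n"
    "User-Agent: Java/1.6.0_24\r\n"
    "Host: graphics8.nytimes.com\r\n"
    "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n"
    "Connection: keep-alive\r\n\r\n"
)
# Constructed: a patched client (1.6.0_35) whose POST body only mentions an old version.
PATCHED_REQUEST = (
    "POST /report HTTP/1.1\r\nUser-Agent: Java/1.6.0_35\r\n"
    "Host: example.invalid\r\nContent-Length: 25\r\n\r\nprevious=Java/1.6.0_24 ok"
)
# Simplified model of which buffer each pcre modifier selects (assumption, not Snort code).
PCRE_BUFFER = {"": "packet", "H": "http_header", "U": "http_uri", "P": "http_client_body"}

def split_buffers(raw):
    """Split a request into the buffers a rule option can select: the whole payload,
    the header block (request line excluded), the request-target and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, headers = head.partition("\r\n")
    parts = request_line.split(" ")
    return {"packet": raw, "http_header": headers + "\r\n",
            "http_uri": parts[1] if len(parts) > 1 else "", "http_client_body": body}

def evaluate_sid_2011582(raw, pcre_modifier=""):
    """Evaluate the content and pcre options of sid 2011582, each against its own buffer.
    Returns (content_hit, pcre_hit, fires); the rule fires only when both options match."""
    buffers = split_buffers(raw)
    # content:" Java/1.6."; http_header;  -> always evaluated in the header buffer
    content_hit = " Java/1.6." in buffers["http_header"]
    # pcre:"/Java\/1.6.0_([0-2]|30)/" with an optional buffer modifier; the dots are left
    # unescaped exactly as in the rule, so they match any character
    pcre_hit = re.search(r"Java/1.6.0_([0-2]|30)",
                         buffers[PCRE_BUFFER[pcre_modifier]]) is not None
    return content_hit, pcre_hit, content_hit and pcre_hit

if __name__ == "__main__":
    for name, req in (("vulnerable", VULNERABLE_REQUEST), ("patched", PATCHED_REQUEST)):
        for mod in ("", "H"):
            print(name, "pcre modifier", repr(mod), "->", evaluate_sid_2011582(req, mod))
```

For the quoted request both variants fire, so under this model the rule is sound and the 2.9.1.2 failure has to come from elsewhere; for the patched client the unmodified pcre matches the body and produces a false positive that the H modifier prevents.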
Current thread:
- Strange issues between 2.8.6 and 2.9.1.2 with http_headers Jeff Kell (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Joel Esler (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Jeff Kell (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Joel Esler (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Jeff Kell (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Eoin Miller (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Joel Esler (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Jeff Kell (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Joel Esler (Apr 03)