Snort mailing list archives

Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Tue, 03 Apr 2012 17:16:30 +0000

On 4/3/2012 4:55 PM, Jeff Kell wrote:
> On 4/3/2012 12:25 PM, Joel Esler wrote:
>> Your content match is in http_header, but your pcre isn't. It's searching the whole packet. Two different buffers.
>> The pcre should be modified to only read from http_header.


Alright, one case example:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java
Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.";
fast_pattern:only; http_header; pcre:"/Java\/1.6.0_([0-2]|30)/";
flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient;
threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown;
sid:2011582; rev:15;)


It needs to search the right buffer for the right string as Joel pointed
out.

This will probably fix it:
pcre:"/Java\/1.6.0_([0-2]|30)/H";

I don't know why fast_pattern:only; is really in this signature and I
don't know why pcre is even part of it either.

My version:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL FLOWBIT -
Java/1.6.* Vulnerable in http_header"; flow:established,to_server;
content:" Java/1.6.0_"; http_header; content:!"31"; within:2;
http_header; flowbits:set,AOL.http.java.vulnerable; flowbits:noalert;
sid:4900004; rev:4;)

No pcre, no fast_pattern modifiers, no problems.

-- Eoin
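An added example, not part of this thread and not code from the ET or AOL rule sets: a small Python model of the buffer mismatch Joel and Eoin describe. It splits a constructed HTTP request into a whole-packet buffer and a (simplified) http_header buffer, then evaluates three variants of the rule over it: the one as posted (content pinned to http_header, pcre with no /H so it reads the whole packet), the same rule with the /H modifier, and Eoin's negated-content version. The requests are constructed for the example, and the buffer split is a simplification of what Snort's HTTP inspector exposes, not Snort's own code.

```python
import re

# Constructed sample requests (not captures from the thread). Only the
# User-Agent and, in the second request, the POST body matter to the rules.
REQ_VULN_HEADER = (
    b"GET /update HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_20\r\n"
    b"\r\n"
)

# Patched client (1.6.0_31) whose POST body happens to mention an older build.
REQ_PATCHED_WITH_DECOY_BODY = (
    b"POST /report HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_31\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"installed=Java/1.6.0_20;prev=1"
)

# 1.6.0_30 is covered by the "|30" alternative in the posted pcre.
REQ_U30_HEADER = REQ_VULN_HEADER.replace(b"1.6.0_20", b"1.6.0_30")

# The pcre from sid:2011582, verbatim (dots left unescaped, as in the rule).
JAVA_VULN_RE = re.compile(rb"Java/1.6.0_([0-2]|30)")


def http_buffers(payload: bytes) -> dict:
    """Simplified model of the buffers Snort's HTTP inspector exposes.

    'packet' is the whole payload (what a pcre without /H searches);
    'http_header' is the header block after the request line (what
    content ... http_header and pcre .../H search).
    """
    head, _, body = payload.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return {"packet": payload,
            "http_header": headers + b"\r\n",
            "http_client_body": body}


def rule_original(bufs: dict) -> bool:
    """sid:2011582 rev:15 as posted: the content is pinned to http_header,
    but the pcre carries no /H, so it runs over the whole packet."""
    return (b" Java/1.6." in bufs["http_header"]
            and JAVA_VULN_RE.search(bufs["packet"]) is not None)


def rule_pcre_h(bufs: dict) -> bool:
    """Same rule with pcre:"/.../H": both matches now read http_header."""
    return (b" Java/1.6." in bufs["http_header"]
            and JAVA_VULN_RE.search(bufs["http_header"]) is not None)


def rule_negated_content(bufs: dict) -> bool:
    """Eoin's sid:4900004: content:" Java/1.6.0_"; http_header;
    content:!"31"; within:2; http_header;

    Snort retries the anchor at each later occurrence when the relative
    match fails, so every occurrence in the header buffer is checked here too.
    """
    hdr = bufs["http_header"]
    anchor = b" Java/1.6.0_"
    pos = hdr.find(anchor)
    while pos >= 0:
        end = pos + len(anchor)
        if hdr[end:end + 2] != b"31":   # the two bytes after the anchor are not "31"
            return True
        pos = hdr.find(anchor, pos + 1)
    return False


def evaluate(payload: bytes) -> dict:
    """Run all three rule variants over one request and report which alert."""
    bufs = http_buffers(payload)
    return {
        "original": rule_original(bufs),
        "pcre_H": rule_pcre_h(bufs),
        "negated_content": rule_negated_content(bufs),
    }


if __name__ == "__main__":
    for name, req in (("vulnerable 1.6.0_20", REQ_VULN_HEADER),
                      ("patched 1.6.0_31, decoy body", REQ_PATCHED_WITH_DECOY_BODY),
                      ("vulnerable 1.6.0_30", REQ_U30_HEADER)):
        print(f"{name:30s} {evaluate(req)}")
```

The second request is the interesting one: its User-Agent is the patched 1.6.0_31, so the content match succeeds, and the packet-wide pcre then finds "Java/1.6.0_20" in the body and the posted rule alerts on a client that is not vulnerable. Both the /H variant and the negated-content variant stay silent on it, and all three agree on the genuinely vulnerable 1.6.0_20 and 1.6.0_30 headers.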
