Snort mailing list archives
Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Tue, 03 Apr 2012 17:16:30 +0000
On 4/3/2012 4:55 PM, Jeff Kell wrote:
> On 4/3/2012 12:25 PM, Joel Esler wrote:
>> Your content match is in http_header, but your pcre isn't. It's searching the whole packet. Two different buffers. The pcre should be modified to only read from http_header.
>
> Alright, one case example:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6."; fast_pattern:only; http_header; pcre:"/Java\/1.6.0_([0-2]|30)/"; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown; sid:2011582; rev:15;)
It needs to search the right buffer for the right string, as Joel pointed out. This will probably fix it:

pcre:"/Java\/1.6.0_([0-2]|30)/H";

I don't know why fast_pattern:only; is really in this signature, and I don't know why pcre is even part of it either. My version:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL FLOWBIT - Java/1.6.* Vulnerable in http_header"; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"31"; within:2; http_header; flowbits:set,AOL.http.java.vulnerable; flowbits:noalert; sid:4900004; rev:4;)

No pcre, no fast_pattern modifiers, no problems.

--
Eoin
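To make the buffer point concrete, here is an added example (not code from the thread, the ET ruleset or Snort) that approximates how the three rule variants above evaluate against constructed HTTP requests: the original pcre without /H, the same pcre with /H, and the pcre-free version. The header-buffer split and the sample requests are simplifications and assumptions, not Snort's actual preprocessor logic.

```python
import re

# Constructed sample HTTP requests (not taken from the thread).
REQ_VULNERABLE = (b"GET /update HTTP/1.1\r\nHost: updates.example\r\n"
                  b"User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_29\r\n\r\n")
REQ_PATCHED = (b"GET /update HTTP/1.1\r\nHost: updates.example\r\n"
               b"User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_31\r\n\r\n")
# Patched client, but a vulnerable-looking version string appears in the POST body.
REQ_BODY_DECOY = (b"POST /report HTTP/1.1\r\nHost: updates.example\r\n"
                  b"User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_31\r\n"
                  b"Content-Length: 20\r\n\r\nprev=Java/1.6.0_20;x")

# The pcre from the thread, with its unescaped dots kept as written.
JAVA_PCRE = re.compile(rb"Java/1.6.0_([0-2]|30)")

def http_header_buffer(payload):
    """Approximate Snort's http_header buffer: header fields only, no request line or body."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    return b"\r\n".join(head.split(b"\r\n")[1:]) + b"\r\n"

def rule_pcre_whole_packet(payload):
    """Jeff's rule: content is tied to http_header, but pcre without /H reads the whole payload."""
    return (b" Java/1.6." in http_header_buffer(payload)
            and JAVA_PCRE.search(payload) is not None)

def rule_pcre_header(payload):
    """Same rule with pcre:".../H": both the content and the pcre read the header buffer."""
    hdr = http_header_buffer(payload)
    return b" Java/1.6." in hdr and JAVA_PCRE.search(hdr) is not None

def rule_no_pcre(payload):
    """Eoin's rule: content:" Java/1.6.0_"; http_header; content:!"31"; within:2; http_header;"""
    hdr = http_header_buffer(payload)
    idx = hdr.find(b" Java/1.6.0_")
    if idx < 0:
        return False
    end = idx + len(b" Java/1.6.0_")
    # Negated content with within:2: the rule fires when "31" is NOT the next two bytes.
    return hdr[end:end + 2] != b"31"

def evaluate(payload):
    """Return which rule variants would alert on this request."""
    return {"pcre_whole_packet": rule_pcre_whole_packet(payload),
            "pcre_H": rule_pcre_header(payload),
            "no_pcre": rule_no_pcre(payload)}

if __name__ == "__main__":
    for name, req in (("vulnerable", REQ_VULNERABLE), ("patched", REQ_PATCHED),
                      ("body_decoy", REQ_BODY_DECOY)):
        print(name, evaluate(req))
```

Only the whole-packet pcre variant fires on the body-decoy request, which is the buffer mismatch Joel describes; the /H and pcre-free variants agree on all three requests.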
Current thread:
- Strange issues between 2.8.6 and 2.9.1.2 with http_headers Jeff Kell (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Joel Esler (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Jeff Kell (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Joel Esler (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Jeff Kell (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Eoin Miller (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Joel Esler (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Jeff Kell (Apr 03)
- Re: [Emerging-Sigs] Strange issues between 2.8.6 and 2.9.1.2 with http_headers Joel Esler (Apr 03)