Snort mailing list archives

Question about Content-Disposition, Content-Type, etc. and http_header buffer


From: Mike Cox <mike.cox52 () gmail com>
Date: Tue, 16 Oct 2012 17:18:04 -0400

I've noticed that in some multipart/form-data POSTs, data that is normally
in the HTTP header gets sent in the body of the message and not parsed by
http-inspect as part of the http_header buffer.  Specifically, the headers
"Content-Type", "Content-Disposition", and "Content-Transfer-Encoding",
although there could be others.  For example:

POST /blackhole/safe.php HTTP/1.1
Host: snort.org
Content-Type: multipart/form-data, boundary=---dG91Y2hteXNub3J0
Content-Length: 8675309

---dG91Y2hteXNub3J0
Content-Disposition: form-data; name="name"

Joshua
---dG91Y2hteXNub3J0
Content-Disposition: form-data; name="play_a_game"

True
---dG91Y2hteXNub3J0
Content-Disposition: form-data; name="file";
filename="GLOBAL_THERMONUCLEAR_WAR.pdf"
Content-Type: application/pdf
Content-Transfer-Encoding: binary
...

So a snort rule looking for a specific filename in a Content-Disposition
header wouldn't match if it were written as you would expect it to be
written.  For example, this wouldn't match the above:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bad PDF File
Upload"; flow:established,to_server; content:"Content-Disposition";
http_header; content:"filename="; distance:0; http_header; content:".pdf";
distance:0; within:100; http_header; sid:1234567;)

What is the best way to match this and not incur the overhead of using
global content matches?  Is there a plan for the http-inspect pre-processor
to account for this?

Thanks.

-Mike Cox
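The following is an added example, not code from the original post or from the Snort project. It parses a multipart/form-data request the way a body-aware inspector would and makes the point of the post concrete: the per-part `Content-Disposition`, `Content-Type` and `Content-Transfer-Encoding` lines sit after the blank line that ends the HTTP header block, so a match restricted to the header block never sees them. The sample request is constructed here in the shape of the one in the post (a real closing delimiter and an RFC 822 folded `filename=` continuation line are assumed); the helper names are this example's own. The boundary parser accepts either `;` or `,` before `boundary=`, since the post's sample uses a comma.

```python
"""Extract per-part headers from a multipart/form-data POST body.

Added example for the Snort-sigs thread on Content-Disposition and the
http_header buffer. Not code from the post or from Snort.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample request (not captured traffic), modelled on the post.
# Note the folded continuation line carrying filename=, and that the
# Content-Length value is deliberately not trusted by the parser below.
SAMPLE_REQUEST = (
    b"POST /blackhole/safe.php HTTP/1.1\r\n"
    b"Host: snort.org\r\n"
    b"Content-Type: multipart/form-data; boundary=---dG91Y2hteXNub3J0\r\n"
    b"Content-Length: 8675309\r\n"
    b"\r\n"
    b"-----dG91Y2hteXNub3J0\r\n"
    b'Content-Disposition: form-data; name="name"\r\n'
    b"\r\n"
    b"Joshua\r\n"
    b"-----dG91Y2hteXNub3J0\r\n"
    b'Content-Disposition: form-data; name="play_a_game"\r\n'
    b"\r\n"
    b"True\r\n"
    b"-----dG91Y2hteXNub3J0\r\n"
    b'Content-Disposition: form-data; name="file";\r\n'
    b'  filename="GLOBAL_THERMONUCLEAR_WAR.pdf"\r\n'
    b"Content-Type: application/pdf\r\n"
    b"Content-Transfer-Encoding: binary\r\n"
    b"\r\n"
    b"%PDF-1.4 ...\r\n"
    b"-----dG91Y2hteXNub3J0--\r\n"
)

_FILENAME_RE = re.compile(r'filename="?([^";]*)"?', re.IGNORECASE)
_BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]+)"|([^;,\s]+))', re.IGNORECASE)


@dataclass
class Part:
    """One body part: its own header lines plus the raw content that follows them."""
    headers: Dict[str, str]
    data: bytes


def parse_header_block(lines: List[str]) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict with lowercased names.

    A line starting with whitespace is a folded continuation of the previous
    header and is appended to it, which is how the filename= line above lands
    in Content-Disposition.
    """
    headers: Dict[str, str] = {}
    last = None
    for line in lines:
        if not line:
            continue
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def split_request(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw request at the first blank line: (header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return parse_header_block(lines[1:]), body  # lines[0] is the request line


def boundary_from_content_type(ctype: str) -> str:
    """Return the boundary parameter; tolerates ';' or ',' as the separator."""
    m = _BOUNDARY_RE.search(ctype)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    return m.group(1) or m.group(2)


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Split the body on '--' + boundary and parse each part's header block."""
    delimiter = b"--" + boundary.encode("latin-1")
    parts: List[Part] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter '--boundary--'
            break
        if chunk.startswith(b"\r\n"):  # CRLF that terminates the delimiter line
            chunk = chunk[2:]
        head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):  # CRLF before the next delimiter is not data
            content = content[:-2]
        parts.append(Part(parse_header_block(head.decode("latin-1").split("\r\n")), content))
    return parts


def header_buffer_sees(raw: bytes, needle: bytes = b"filename=") -> bool:
    """The post's observation: is the needle anywhere in the HTTP header block?"""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return needle in head


def find_uploads(raw: bytes, suffix: str = ".pdf") -> List[Tuple[str, str]]:
    """Detection helper: (filename, declared part Content-Type) for each file
    part whose declared filename ends with `suffix`, found in the body."""
    headers, body = split_request(raw)
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/form-data"):
        return []
    hits = []
    for part in parse_multipart(body, boundary_from_content_type(ctype)):
        m = _FILENAME_RE.search(part.headers.get("content-disposition", ""))
        if m and m.group(1).lower().endswith(suffix):
            hits.append((m.group(1), part.headers.get("content-type", "")))
    return hits


if __name__ == "__main__":
    print("filename= in header block:", header_buffer_sees(SAMPLE_REQUEST))
    print("file parts in body:", find_uploads(SAMPLE_REQUEST))
```

Running it shows `filename=` is absent from the header block while the body parser reports the PDF part with its declared type. In Snort terms the part headers fall inside the request body, which is what the `http_client_body` buffer covers rather than `http_header`; a rule that keys on the part headers needs to look there, and a body-side parser like this one should also treat the declared `Content-Type` and the filename extension as untrusted claims made by the client, not as the actual content type.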
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org