Snort mailing list archives

Re: HttpInspect/HTTP preprocessor: false positives HI_CLISRV_MSG_SIZE_EXCEPTION


From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 16 Aug 2013 08:55:26 -0400

Thanks for reporting this.  I will investigate and get back to you.

Russ

On Fri, Aug 16, 2013 at 5:17 AM, Bram <bram-fabeg () mail wizbit be> wrote:

As indicated in the other message, the configuration contains an error:

'preprocessor stream5_tcp: policy first, ports 80 8080'

should be

'preprocessor stream5_tcp: policy first, ports both 80 8080'

Running it with the updated config shows:



        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_80.cap 2>&1 | grep 120:
        08/12-18:21:01.997838  [**] [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP} 192.168.173.153:43668 -> 192.168.173.1:80
        08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:80 -> 192.168.173.153:43668

        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_8080.cap 2>&1 | grep 120:
        08/09-10:00:25.993618  [**] [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP} 192.168.173.153:54958 -> 192.168.173.1:8080
        08/09-10:00:25.993471  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:8080 -> 192.168.173.153:54958

        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_7000.cap 2>&1 | grep 120:
        08/12-18:19:21.036304  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:7000 -> 192.168.173.153:36671

This at least makes a bit more sense, but I still feel the
'HI_CLISRV_MSG_SIZE_EXCEPTION' alert is incorrect.
The 'HI_CLISRV_MSG_SIZE_EXCEPTION' alert links to CVE 2013-2028.

From what I can tell reading CVE 2013-2028: this happens when the chunked
size is negative.
That is: the value is positive when stored in an unsigned int
(obviously) but becomes negative when converting to a signed int.

The code in preprocessors/HttpInspect/utils/hi_paf.c 'hi_exec' does
seem to check the length/size.
However, this is not the code that generated the alert.

The alert is generated by the 'hi_eoh' function:
    if ( s->flags & HIF_CHK )
    {
        hi_exec(s, ACT_CK0, 0);
        return PAF_SEARCH;
    }
    if ( (s->flags & (HIF_REQ|HIF_LEN)) )
        return PAF_FLUSH;

    if ( (s->flags & HIF_V11) && (s->flags & HIF_RSP) )
    {
        hi_exec(s, ACT_LN0, 0);
        hi_paf_event_msg_size();
        return PAF_FLUSH;
    }

If I read the code correctly:
* if there is a 'Transfer-Encoding: Chunked' header then the PAF_SEARCH is
returned (first if)
* if this is a request or if the 'Content-Length' header is set then
PAF_FLUSH is returned (second if)
* if this is an HTTP/1.1 response then the 'HI_CLISRV_MSG_SIZE_EXCEPTION'
is generated (third if).

I don't understand why it generates the event in that particular place.
From what I can tell this case should be handled by the
'HI_SERVER_NO_CONTLEN' alert.


Best regards,

Bram
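
The reading of hi_eoh() given above, turned into a runnable model. This is an added example written for this thread, not Snort's code: the HIF_* names, the three branches and their order are taken from the quoted snippet, while the flag values, the toy header scanner (scan_headers), the eoh_result enum and the constructed sample messages are assumptions made for the example. It shows which path each kind of message takes and that only an HTTP/1.1 response with neither Content-Length nor Transfer-Encoding: chunked reaches the hi_paf_event_msg_size() call.

```c
/* Added example for this thread (not Snort code): a model of the hi_eoh()
 * branches quoted above, driven by a toy header scanner.  The HIF_* names and
 * the branch order follow the quoted snippet; the flag values, scan_headers(),
 * eoh_result and the sample messages are assumptions made for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { HIF_REQ = 1, HIF_RSP = 2, HIF_V11 = 4, HIF_LEN = 8, HIF_CHK = 16 };

typedef enum {
    EOH_SEARCH_CHUNKS,   /* hi_exec(ACT_CK0); PAF_SEARCH */
    EOH_FLUSH,           /* request or Content-Length; PAF_FLUSH */
    EOH_FLUSH_MSG_SIZE,  /* hi_paf_event_msg_size(); PAF_FLUSH: event 120:8 */
    EOH_FALLTHROUGH      /* none of the quoted branches matched */
} eoh_result;

/* Bram's reading of the three branches, in the order they appear. */
eoh_result hi_eoh_model(unsigned flags)
{
    if (flags & HIF_CHK) return EOH_SEARCH_CHUNKS;
    if (flags & (HIF_REQ | HIF_LEN)) return EOH_FLUSH;
    if ((flags & HIF_V11) && (flags & HIF_RSP)) return EOH_FLUSH_MSG_SIZE;
    return EOH_FALLTHROUGH;
}

/* True if s starts with p, ignoring case. */
static int prefix_ci(const char *s, const char *p)
{
    for (; *p; s++, p++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*p))
            return 0;
    return 1;
}

/* True if the line is "name: value"; *value then points past the colon/blanks. */
static int header_is(const char *line, const char *name, const char **value)
{
    size_t n = strlen(name);
    if (!prefix_ci(line, name) || line[n] != ':')
        return 0;
    for (line += n + 1; *line == ' ' || *line == '\t'; line++)
        ;
    *value = line;
    return 1;
}

/* Toy scanner: derive HIF_* flags from a CRLF-delimited header block.
 * Assumes a well-formed message and stops at the blank line. */
unsigned scan_headers(const char *msg)
{
    unsigned flags = 0;
    const char *line = msg, *val;
    int first = 1;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0) break;                        /* end of headers */
        if (first) {
            first = 0;
            if (strncmp(line, "HTTP/", 5) == 0) {   /* status line */
                flags |= HIF_RSP;
                if (strncmp(line, "HTTP/1.1", 8) == 0) flags |= HIF_V11;
            } else {                                /* request line */
                flags |= HIF_REQ;
            }
        } else if (header_is(line, "Content-Length", &val)) {
            flags |= HIF_LEN;
        } else if (header_is(line, "Transfer-Encoding", &val) && prefix_ci(val, "chunked")) {
            flags |= HIF_CHK;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return flags;
}

eoh_result classify(const char *msg)
{
    return hi_eoh_model(scan_headers(msg));
}

int main(void)
{
    /* Constructed messages, not the thread's captures. */
    static const struct { const char *label, *msg; } samples[] = {
        { "HTTP/1.1 request",            "GET / HTTP/1.1\r\nHost: example\r\n\r\n" },
        { "1.1 response, Content-Length", "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello" },
        { "1.1 response, chunked",        "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n" },
        { "1.1 response, no length",      "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n" },
        { "1.0 response, no length",      "HTTP/1.0 200 OK\r\n\r\n" },
    };
    static const char *outcome[] = { "PAF_SEARCH (scan for chunk sizes)", "PAF_FLUSH",
                                     "PAF_FLUSH + msg-size event (120:8)", "no branch matched" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %s\n", samples[i].label, outcome[classify(samples[i].msg)]);
    return 0;
}
```

The HTTP/1.0 case is included because, in the quoted snippet, a 1.0 response without a length header matches none of the three branches; what happens to it depends on code that is not shown in the thread, so the model only reports that no branch matched.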



Quoting Bram <bram-fabeg () mail wizbit be>:

 Hi,


There appears to be a false positive with the
 'HI_CLISRV_MSG_SIZE_EXCEPTION' alert.
At the very least it displays some confusing/strange behaviour.

Attached are three TCP dump files.
The TCP session in the three dumps is exactly the same, the only
 difference is in the port number (and the sequence/ack numbers).
(NOTE: this is a minimal version of the dump - this was triggered on
 other traffic but the dump was made as tiny as possible)

In the config file:
* port 80 and port 8080 are handled the same.
* port 7000 is listed as port for the 'http_inspect' preprocessor but
 not listed in the 'stream5_tcp' preprocessor.


Full configuration file:
       dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
       preprocessor stream5_global: \
          track_tcp yes, \
          track_udp no, \
          track_icmp no
       preprocessor stream5_tcp: policy first, ports 80 8080

       preprocessor http_inspect: global iis_unicode_map unicode.map 1252
 compress_depth 65535 decompress_depth 65535
       preprocessor http_inspect_server: server default \
           http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK
 UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE
 TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH
 BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST
 SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
           chunk_length 500000 \
           server_flow_depth 0 \
           client_flow_depth 0 \
           post_depth 65495 \
           oversize_dir_length 500 \
           max_header_length 4096 \
           max_headers 100 \
           max_spaces 0 \
           small_chunk_length { 10 5 } \
           ports { 80 7000 8080 } \
           non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
           enable_cookie \
           extended_response_inspection \
           inspect_gzip \
           normalize_utf \
           unlimited_decompress \
           normalize_javascript \
           apache_whitespace no \
           ascii no \
           bare_byte no \
           directory no \
           double_decode no \
           iis_backslash no \
           iis_delimiter no \
           iis_unicode no \
           multi_slash no \
           utf_8 no \
           u_encode yes \
           webroot no

       alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120; rev: 2; metadata: rule-type preproc; )
       alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc; )

       output alert_fast: stdout


Running it shows:
       $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_80.cap 2>&1 | grep 120:
       08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:80 -> 192.168.173.153:43668

       $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_7000.cap 2>&1 | grep 120:
       08/12-18:19:21.036304  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:7000 -> 192.168.173.153:36671

       $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_8080.cap 2>&1 | grep 120:
       08/09-10:00:25.993618  [**] [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP} 192.168.173.153:54958 -> 192.168.173.1:8080
       08/09-10:00:25.993471  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:8080 -> 192.168.173.153:54958

The 'NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE' alert is
 expected.
The 'INVALID CONTENT-LENGTH OR CHUNK SIZE' alert is unexpected...


Looking further:

* 120_8_2_80.cap:
       'HI_SERVER_NO_CONTLEN' shown on packet 6

* 120_8_2_7000.cap:
       'HI_SERVER_NO_CONTLEN' shown on packet 6

* 120_8_2_8080.cap:
       'HI_CLISRV_MSG_SIZE_EXCEPTION' shown on packet 8
       'HI_SERVER_NO_CONTLEN' shown on packet 10

Why is the behaviour for port 80 different from the behaviour for port
8080?
As far as I can see it's configured the same...


Breaking in 'CheckFlushPolicyOnAck' with gdb shows:


* 120_8_2_80.cap:
       For packets 1, 2 and 10: 'CheckFlushPolicyOnAck' never called
       For packets 3, 4, 5, 6, 7, 8 and 9: 'talker->flush_mgr.flush_policy'
 is set to 5 (STREAM_FLPOLICY_IGNORE)

* 120_8_2_7000.cap:
       For packets 1, 2 and 10: 'CheckFlushPolicyOnAck' never called
       For packets 3, 4, 5, 6, 7, 8 and 9: 'talker->flush_mgr.flush_policy'
 is set to 5 (STREAM_FLPOLICY_IGNORE)


* 120_8_2_8080.cap:
       For packets 1 and 2: 'CheckFlushPolicyOnAck' never called
       For packets 3, 4, 5, 6 and 7: 'talker->flush_mgr.flush_policy'
 is set to 6 (STREAM_FLPOLICY_PROTOCOL)
       For packet 8: 'CheckFlushPolicyOnAck' called twice, first time
 'talker->flush_mgr.flush_policy' is set to 6 (STREAM_FLPOLICY_PROTOCOL),
 second time it's set to 1 (STREAM_FLPOLICY_FOOTPRINT)
       For packets 9 and 10: 'talker->flush_mgr.flush_policy' is set
 to 1 (STREAM_FLPOLICY_FOOTPRINT)



Best regards,

Bram
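
The CVE-2013-2028 condition as Bram describes it in the reply above (a chunk size that is positive in an unsigned accumulator but negative once converted to a signed integer), shown as an added example written for this thread; it is not nginx's or Snort's code. The function names, the vulnerable/hardened pair and the sample chunk-size lines are assumptions; the 500000 limit is borrowed from the chunk_length setting in the posted configuration.

```c
/* Added example, written for this thread; not nginx's or Snort's code.  It
 * illustrates the CVE-2013-2028 condition as described above: a chunk size
 * that is positive in an unsigned accumulator but negative once converted to
 * a signed integer.  Function names and the 500000 limit (taken from the
 * posted chunk_length setting) are assumptions made for the example. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { CHUNK_OK, CHUNK_NO_DIGITS, CHUNK_OVERFLOW } chunk_status;

/* Read the hex chunk size at the start of a chunk-size line ("1a;ext=1\r\n"),
 * refusing to wrap the 64-bit accumulator. */
chunk_status parse_chunk_size(const char *line, uint64_t *out)
{
    uint64_t v = 0;
    int ndigits = 0;
    for (; isxdigit((unsigned char)*line); line++, ndigits++) {
        int c = tolower((unsigned char)*line);
        unsigned d = isdigit(c) ? (unsigned)(c - '0') : (unsigned)(c - 'a' + 10);
        if (v > (UINT64_MAX >> 4))
            return CHUNK_OVERFLOW;          /* next shift would lose bits */
        v = (v << 4) | d;
    }
    if (ndigits == 0)
        return CHUNK_NO_DIGITS;
    *out = v;
    return CHUNK_OK;
}

/* Vulnerable pattern: the unsigned size is converted to a signed type and only
 * then compared against a limit.  With bit 63 set the signed view is negative
 * (a two's-complement wrap on common compilers), so "size <= limit" passes for
 * an enormous chunk.  Returns 1 if the chunk would be accepted. */
int accept_chunk_unsafe(uint64_t size, int64_t limit)
{
    int64_t s = (int64_t)size;
    return s <= limit;
}

/* Hardened form: rule out anything that is not a non-negative signed value
 * before any signed arithmetic or comparison sees it. */
int accept_chunk_safe(uint64_t size, int64_t limit)
{
    if (size > (uint64_t)INT64_MAX)
        return 0;                           /* would read as negative */
    return (int64_t)size <= limit;
}

int main(void)
{
    /* Constructed chunk-size lines: a normal one, one with bit 63 set, and
     * one too wide for 64 bits. */
    static const char *lines[] = { "1a;ext=1", "FFFFFFFFFFFFFFF0", "10000000000000000" };
    const int64_t limit = 500000;
    for (size_t i = 0; i < 3; i++) {
        uint64_t size = 0;
        chunk_status st = parse_chunk_size(lines[i], &size);
        if (st != CHUNK_OK) {
            printf("%-18s rejected at parse time (status %d)\n", lines[i], (int)st);
            continue;
        }
        printf("%-18s size=%llu signed=%lld unsafe=%d safe=%d\n", lines[i],
               (unsigned long long)size, (long long)(int64_t)size,
               accept_chunk_unsafe(size, limit), accept_chunk_safe(size, limit));
    }
    return 0;
}
```

The second line is the interesting one: it parses cleanly to 0xFFFFFFFFFFFFFFF0, the unsafe check accepts it because the signed view is -16, and the hardened check rejects it before the comparison. The third line is rejected by the accumulator overflow guard, which is a separate defect from the sign flip and is worth handling on its own.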




