Snort mailing list archives

HTTP preprocessor: TCP retransmissions of requests body causes (incorrect) alerts


From: Bram <bram-fabeg () mail wizbit be>
Date: Mon, 02 Sep 2013 16:23:42 +0200

Hi,


When a TCP packet of an HTTP request is retransmitted, it can cause alerts to be triggered incorrectly (AKA false positives).
This seems to happen only when a packet is retransmitted.

The attached dump was recreated using raw sockets based on an actual HTTP session.
The difference between the attached dump and the real traffic:
* less data
* the delay between packets is different
* port is different (5555 vs 80)

Config:
        dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
        preprocessor stream5_global: \
           track_tcp yes, \
           track_udp no, \
           track_icmp no
        preprocessor stream5_tcp: policy first, ports both 80 5555

        preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
        preprocessor http_inspect_server: server default \
            http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
            chunk_length 500000 \
            server_flow_depth 0 \
            client_flow_depth 0 \
            post_depth 65495 \
            oversize_dir_length 500 \
            max_header_length 4096 \
            max_headers 100 \
            max_spaces 0 \
            small_chunk_length { 10 5 } \
            ports { 80 5555 } \
            webroot no

        alert ( msg: "HI_CLIENT_UNESCAPED_SPACE_IN_URI"; sid:33; gid: 119; rev: 1; metadata: rule-type preproc ; )

        output alert_fast: stdout

Running it:
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/http_body_retransmit.cap 2>&1 | grep '119:'
09/02-16:52:20.309803 [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 0] {TCP} 192.168.173.153:5556 -> 192.168.173.1:5555


Looking at it shows that the alert is triggered on packet 10 which is the 'TCP Retransmission' of the request body...

My *guess* is that this problem is not directly related to the 'HI_CLIENT_UNESCAPED_SPACE_IN_URI' alert but that this is a more general problem. That is: I believe it is related to how the packets get reassembled and that it is possible to trigger other alerts as well... but I have not (yet, at least) attempted this.



Best regards,

Bram


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Attachment: http_body_retransmit.cap
Description:
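As an added illustration (not code from the post, the capture, or Snort itself), a small Python model of the suspected failure mode: a toy in-order reassembler and a toy client-side HTTP inspector are run over a constructed POST whose body segment is retransmitted, once with the duplicate delivered again and once with it dropped. That a re-delivered body gets parsed as the start of a new request line is an assumption here, consistent with Bram's guess, not something the post confirms.

```python
import re
# Constructed segments (seq, payload) for one POST whose body is then
# retransmitted, mirroring the capture described in the post; the
# sequence numbers and request content are made up for this example.
HEADERS = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Length: 16\r\n\r\n")
BODY = b"alpha beta gamma"                 # spaces inside the body
SEGMENTS = [(1000, HEADERS),
            (1000 + len(HEADERS), BODY),
            (1000 + len(HEADERS), BODY)]   # TCP retransmission of the body

def reassemble(segments, drop_retransmits):
    """Toy in-order reassembler: with drop_retransmits, bytes already handed
    up for a sequence number are discarded; otherwise the copy is delivered."""
    delivered, next_seq = [], None
    for seq, data in segments:
        if drop_retransmits and next_seq is not None and seq + len(data) <= next_seq:
            continue                       # pure retransmission, nothing new
        delivered.append(data)
        next_seq = seq + len(data)
    return delivered

def unescaped_space_in_uri(chunk):
    """Stand-in for HI_CLIENT_UNESCAPED_SPACE_IN_URI: treat the chunk as a
    request line and flag a URI that still contains a space."""
    tokens = chunk.split(b"\r\n", 1)[0].split(b" ")
    uri = tokens[1:]
    if uri and uri[-1].startswith(b"HTTP/"):
        uri = uri[:-1]                     # drop the version token
    return len(uri) > 1

def inspect_stream(chunks):
    """Toy client-side inspector (assumed behaviour, not Snort's): a chunk that
    arrives after the declared body is complete is parsed as a new request."""
    alerts, body_left = [], 0
    for chunk in chunks:
        if body_left > 0:
            body_left -= len(chunk)        # still inside the previous body
            continue
        if unescaped_space_in_uri(chunk):
            alerts.append("UNESCAPED SPACE IN HTTP URI")
        m = re.search(rb"Content-Length: (\d+)", chunk)
        hdr_end = chunk.find(b"\r\n\r\n")
        body_in_chunk = len(chunk) - hdr_end - 4 if hdr_end != -1 else 0
        body_left = (int(m.group(1)) if m else 0) - body_in_chunk
    return alerts

def alerts_for(drop_retransmits):
    return inspect_stream(reassemble(SEGMENTS, drop_retransmits))
```

`alerts_for(False)` reproduces the false positive on the re-delivered body; `alerts_for(True)` shows that dropping the duplicate at reassembly time removes it.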

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel