Re: [Snort-devel] Serious problems Snort 2.9 with relative content matches using http_inspect preprocessor and http_uri keyword

[Bad Horse <b4dh0rs3 () gmail com>]

My first thought is that since you are looking for 0x3a (ASCII colon) in
the http_uri buffer, this is not being recognized by http_inspect because
the colon is commonly used to deliminate between URLs and ports. Have you
tried using "http_raw_uri" instead of "http_uri"?

-Bad Horse
 The Thoroughbred of SYN


On Wed, Nov 6, 2013 at 2:01 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>wrote:

> Hello,
>
> Previously I posted on this list with an email subject of, "distance,
> within, and negated matches".  Today I bring another issue that I am having
> that I believes could be related and is non-trivial and super serious.
>
> When I analyze it I believe that relative (1 byte?) content matches are
> not being properly applied in the http_uri buffer.  Other buffers for the
> http preprocessor may be affected as well but I have not tested them but I
> won't be suprised if they are also infected by this bug.
>
> This is an example of the rule Im using:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Dont Cry 4 Me
> Trojanina"; flow:established, to_server; content:"GET"; http_method;
> content:"|2F|"; http_uri; content:"|3A|"; http_uri; distance:1; within:20;)
>
> Using a simple pcap ("Follow TCP stream" output from Ethereal is here:)
>
> GET /iused/2/trust/the.http_preprocessor/sad1/cr1090hs:SN-IF-FF- HTTP/1.1
>
> The rule does not alert even though the Snort output shows that the HTTP
> data is being properly recognized and processed by the http_inspect
> preprocessor. The Snort output shows that the specific GET request is being
> recognized as a HTTP "GET" request.
>
> When I remove the http_inspect directives, the rule starts to work, this
> is an example:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Dont Cry 4 Me
> Trojanina"; flow:established, to_server; content:"GET"; http_method;
> content:"|2F|"; content:"|3A|"; distance:1; within:20;)
>
> Is this (still?) a known issue?  I have tested this on multiple different
> versions of Snort 2.9.
>
> Cheers,
>
> Lord C.
>
>
> ------------------------------------------------------------------------------
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models.
> Explore
> techniques for threading, error checking, porting, and tuning. Get the most
> from the latest Intel processors and coprocessors. See abstracts and
> register
> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!