Snort mailing list archives

Re: protected_content and replace?


From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 27 Oct 2014 17:45:31 -0400

Hmm, the manual needs to state that then.  It has no mentions that I can find
that 'replace' is invalid with the http modifiers for either 'content' or
'protected_content'.  The source code has these checks, however, in both
sp_replace.c and sp_pattern_match.c.

A quick fix for you guys to bug:

src/detection-plugins/sp_replace.c:64 in PayloadReplaceInit()

    if ( lastType ==  PLUGIN_PATTERN_MATCH_URI )
    {
        FatalError("%s(%d) => \"replace\" option is not supported "
                "with uricontent, nor in conjunction with http_uri, "
                "http_header, http_method http_cookie,"
                "http_raw_uri, http_raw_header, or "
                "http_raw_cookie modifiers.\n",
                file_name, file_line);
    }

This text needs to include 'http_stat_code', 'http_stat_method', and
'http_client_body'.


Has any thought been given to allowing 'length' to accept byte_extract variables?


Btw, wouldn't 'replace' offer another bypass of protected_content?  I.e., given
the below:

protected_content:"901890A8E9C8CF6D5A1A542B229FEBFF"; length:3; hash:md5;
replace:"XXX";

One could simulate network traffic until the replaced characters appear in the
packet, then the modified packet and original packet compared and the original
content match derived.  And then a speedier, more efficient fast_pattern rule
created in its place ;)

Cheers!

--J


On 10/27/2014 09:45, Carter Waxman (cwaxman) wrote:
Hi Joshua,

The replace modifier works with protected_content in the same way it works
with content. It will work with regular payload matches, but not URI/HTTP
buffer matches.

Thanks,
Carter Waxman

On 10/25/14, 11:47 PM, "Joshua Kinard" <kumba () gentoo org> wrote:


I see this note in the manual for protected_content:

The protected content keyword can be used with some (but not all) of the
content modifiers. Those not supported include:
nocase
fast_pattern
depth
within

I assume 'replace' should be on that list as well?  It's always been in a
different section of the manual, but it seems to behave like a modifier
keyword, since it affects the previous content match.



-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And our
lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
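A defender-side check this thread points at, as an added example that is neither Snort's code nor anything from the mail: a small linter over Snort rule option strings that flags 'replace' after a protected_content match (the disclosure described above) or after an HTTP-buffer match (the case PayloadReplaceInit() rejects). The modifier set is the one in the quoted FatalError text plus http_stat_code and http_client_body, with http_stat_msg assumed from Snort's keyword set; every rule in the test is constructed.

```python
# HTTP buffer modifiers that Snort rejects in combination with "replace":
# those named in the quoted FatalError text plus http_stat_code,
# http_client_body and (assumed from Snort's keyword set) http_stat_msg.
HTTP_MODIFIERS = {
    "http_uri", "http_header", "http_method", "http_cookie",
    "http_raw_uri", "http_raw_header", "http_raw_cookie",
    "http_stat_code", "http_stat_msg", "http_client_body",
}

def split_options(rule):
    """Split a rule's option body into (keyword, value) pairs.
    Semicolons inside double-quoted values are kept; a backslash
    escapes the next character inside quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, esc = [], "", False, False
    for ch in body:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\" and in_quote:
            cur, esc = cur + ch, True
        elif ch == '"':
            cur, in_quote = cur + ch, not in_quote
        elif ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return [(k.strip(), v.strip()) for k, _, v in (o.partition(":") for o in opts)]

def lint_replace(rule):
    """Return findings for 'replace' misuse in one rule (empty list = clean)."""
    findings = []
    last_match = None     # most recent content/protected_content/uricontent
    http_buffer = False   # whether that match is bound to an HTTP buffer
    for kw, _ in split_options(rule):
        if kw in ("content", "protected_content", "uricontent"):
            last_match, http_buffer = kw, kw == "uricontent"
        elif kw in HTTP_MODIFIERS:
            http_buffer = True
        elif kw == "replace":
            if last_match is None:
                findings.append("replace with no preceding content match")
            elif http_buffer:
                findings.append("replace after an HTTP buffer match is rejected at rule load")
            elif last_match == "protected_content":
                findings.append("replace after protected_content exposes the protected bytes")
    return findings
```

Run lint_replace() over each line of a rules file before loading it; a non-empty result names the option combination that either fails at startup or undoes the point of protected_content.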

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!