Snort mailing list archives

http_inspect works incorrectly

From: Mark Greenman <mark.greenman.014 () gmail com>
Date: Sun, 14 Dec 2014 10:54:46 +0330

Hi. What Snort user manual mentions about extended_response_inspection is
that "When this option is turned on, if the HTTP response packet has a body
then any content pattern matches ( without http modifiers ) will search the
response body ((decompressed in case of gzip) and not the entire packet
payload. To search for patterns in the header of the response, one should
use the http modifiers with content such as http header, http stat code, http
stat msg and http cookie".
I have applied this feature for http_inspect preprocessor but it seems like
it is working in the reverse manner. Like, the rules only match when the
specified pattern exists in the header and they do not match when the
pattern exists in the body of the http packet. Why is this happening?
Here is the configuration for http_inspect:

# HTTP normalization and anomaly detection.  For more information, see
README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY
POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK
CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND
BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST
RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    max_spaces 200 \
    small_chunk_length { 10 5 } \
    ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809
3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000
8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800
8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002
55555 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress \
    normalize_javascript \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    utf_8 no \
    u_encode yes \
    webroot no

Thanks

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

http_inspect works incorrectly Mark Greenman (Dec 13)