Snort mailing list archives

Re: Proposed change to sid:24348 - I don't think it encompasses all the allowed X-Forwarded-For rules


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 08 Jan 2015 14:32:56 -0500

On 1/8/2015 7:58 AM, Scott Savarese wrote:
I'm really new to Snort. Now that I have it up and running I'm starting to clean
up the rules I have. I found one rule that I want to keep enabled, but is broken:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache
mod_rpaf x-forwarded-for header denial of service attempt";
flow:to_server,established; content:"X-Forwarded-For|3A| "; fast_pattern:only;
http_header;
pcre:!"/X-Forwarded-For\x3a\s(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/i";
metadata:service http; reference:cve,2012-3526;
classtype:web-application-attack; sid:24348; rev:3;)


It looks like it looks for the X-Forwarded-For header and then a single space
and then an IP address.

that's the content, but the real work is in the PCRE, which looks for
x-forwarded-for: followed by anything /other/ than one space... note the '!'
negation at the beginning of the PCRE as well as the sole \s after the ':'
(\x3a)... anything in an x-forwarded-for that doesn't match the given ip range
as well as the format will cause an alert...

sounds like you have thousands of playas trying to cause problems with your 
system(s)...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
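To make the negation concrete, here is an added Python model of the rule's two checks (written for this page, not code from the thread or from Snort): the fast-pattern content test, then the negated PCRE run over constructed header blocks. It goes a little beyond the single-IP case discussed above by also showing how a comma-separated proxy chain and an IPv6 client fare under the same regex.

```python
import re

# Approximation of sid:24348 as quoted in the thread. The content match
# content:"X-Forwarded-For|3A| " with http_header is modelled as a plain,
# case-sensitive substring test on the request header block (the rule has
# no 'nocase' modifier). Assumption: header normalisation is ignored here.
CONTENT = "X-Forwarded-For: "

# The rule's PCRE, reproduced verbatim and compiled with its /i flag.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
PCRE = re.compile(r"X-Forwarded-For\x3a\s" + r"\.".join([OCTET] * 4),
                  re.IGNORECASE)


def sid24348_alerts(http_headers: str) -> bool:
    """Return True if the rule would fire on this client header block.

    The rule fires only when BOTH conditions hold: the fast-pattern content
    is present, and the negated PCRE (pcre:!"...") finds NO match anywhere.
    """
    if CONTENT not in http_headers:
        return False          # no X-Forwarded-For header: rule never reached
    return PCRE.search(http_headers) is None   # '!' means alert on no match


def classify(samples: dict) -> dict:
    """Run each constructed header block through the rule."""
    return {name: sid24348_alerts(hdrs) for name, hdrs in samples.items()}


# Constructed sample header blocks (documentation addresses only).
SAMPLES = {
    "single ipv4": "Host: www.example.com\r\nX-Forwarded-For: 203.0.113.7\r\n",
    "proxy chain": "X-Forwarded-For: 203.0.113.7, 198.51.100.2\r\n",
    "two spaces":  "X-Forwarded-For:  203.0.113.7\r\n",
    "bad octet":   "X-Forwarded-For: 999.0.113.7\r\n",
    "ipv6 client": "X-Forwarded-For: 2001:db8::1\r\n",
}

if __name__ == "__main__":
    for name, fired in classify(SAMPLES).items():
        print(f"{name:12s} -> {'ALERT' if fired else 'no alert'}")
```

Because the PCRE has no anchor after the fourth octet, a proxy chain whose first entry is a valid dotted quad never alerts, while an IPv6 client address (no dotted quad at all) alerts even though it is a legitimate header value.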

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org