False Snort Alert [119:31:1] triggering

[<katwell80 () yahoo de>]

Hello

My snort triggers bogus alerts from http preprocessor

Assigned rule:
alert (msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid: 119; rev: 1; metadata: rule-type preproc ;)

It claims, that the HTTP-Request contains unknown methods, however it doesn't

A packet that triggered this error shows as following:

00000000: 48 45 41 44 20 2F 76 31  31 2F 32 2F 77 69 6E 64  HEAD /v11/2/wind
00000010: 6F 77 73 75 70 64 61 74  65 2F 72 65 64 69 72 2F  owsupdate/redir/
00000020: 76 36 2D 77 69 6E 37 73  70 31 2D 77 75 72 65 64  v6-win7sp1-wured
00000030: 69 72 2E 63 61 62 3F 31  35 30 36 31 37 30 37 35  ir.cab?150617075
00000040: 33 20 48 54 54 50 2F 31  2E 31 0D 0A 43 6F 6E 6E  3 HTTP/1.1..Conn
00000050: 65 63 74 69 6F 6E 3A 20  4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
00000060: 76 65 0D 0A 41 63 63 65  70 74 3A 20 2A 2F 2A 0D  ve..Accept: */*.
00000070: 0A 55 73 65 72 2D 41 67  65 6E 74 3A 20 57 69 6E  .User-Agent: Win
00000080: 64 6F 77 73 2D 55 70 64  61 74 65 2D 41 67 65 6E  dows-Update-Agen
00000090: 74 0D 0A 48 6F 73 74 3A  20 64 73 2E 64 6F 77 6E  t..Host: ds.down
000000A0: 6C 6F 61 64 2E 77 69 6E  64 6F 77 73 75 70 64 61  load.windowsupda
000000B0: 74 65 2E 63 6F 6D 0D 0A  0D 0A                   te.com....

This is, by all means, a valid HTTP-Request, isn't it? I wonder what makes the preproc startle here

Additionally the alert is triggered on websocket requests, obviously the preprocessor fails to wecognize valid 
websockets.

Furthermore it seems that some of these errors are triggered by fragmented packets, as payloads as such appear in snorby


0000000: 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e  64 65 0a Host:.google.de.
With these protocol headers

IP-Header: | ip_hlen: 5 | ip_csum: 23323 | ip_off: 0 | ip_flags: 0 | ip_ttl: 63 | ip_proto: 6 | ip_ver: 4 | ip_id: 7195 
| ip_tos: 0 | ip_len: 68 | 
TCP-Header: | tcp_flags: 24 | tcp_win: 29200 | tcp_ack: 2362165352 | tcp_seq: 1888033555 | tcp_csum: 12589 | tcp_urp: 0 
| tcp_res: 0 | tcp_off: 8 | tcp_dport: 80 | tcp_sport: 56953 |


I think, this is not a valid HTTP but a fragment of a valid longer request.
Now it would be great to have a rule that detects violation of the HTTP-protocol as malicious code could be used in an 
attack or DoS, however the amount of false positives this rule raises makes it completely useless.
Configuration:

Running in Rule Dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort-br1.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 
8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 20:21 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
Detection:
Search-Method = AC-Full-Q
Split Any/Any group = enabled
Search-Method-Optimizations = enabled
Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort/br1
WARNING: ip4 normalizations disabled because not inline.
WARNING: tcp normalizations disabled because not inline.
WARNING: icmp4 normalizations disabled because not inline.
WARNING: ip6 normalizations disabled because not inline.
WARNING: icmp6 normalizations disabled because not inline.
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Bound Address: default
Target-based policy: WINDOWS
Fragment timeout: 180 seconds
Fragment min_ttl:  1
Fragment Anomalies: Alert
Overlap Limit:    10
Min fragment Length:    100
Max Expected Streams: 768
Stream global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 262144
TCP cache pruning timeout: 30 seconds
TCP cache nominal timeout: 3600 seconds
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: ACTIVE
Max UDP sessions: 131072
UDP cache pruning timeout: 30 seconds
UDP cache nominal timeout: 180 seconds
Track ICMP sessions: INACTIVE
Track IP sessions: INACTIVE
Log info if session memory consumption exceeds 1048576
Send up to 2 active responses
Wait at least 5 seconds between responses
Protocol Aware Flushing: ACTIVE
Maximum Flush Point: 16384
Stream TCP Policy config:
Bound Address: default
Reassembly Policy: WINDOWS
Timeout: 180 seconds
Limit on TCP Overlaps: 10
Maximum number of bytes to queue per session: 1048576
Maximum number of segs to queue per session: 2621
Options:
Require 3-Way Handshake: YES
3-Way Handshake Timeout: 180
Detect Anomalies: YES
Reassembly Ports:
21 client (Footprint) 
22 client (Footprint) 
23 client (Footprint) 
25 client (Footprint) 
42 client (Footprint) 
53 client (Footprint) 
79 client (Footprint) 
80 client (Footprint) server (Footprint)
81 client (Footprint) server (Footprint)
109 client (Footprint) 
110 client (Footprint) 
111 client (Footprint) 
113 client (Footprint) 
119 client (Footprint) 
135 client (Footprint) 
136 client (Footprint) 
137 client (Footprint) 
139 client (Footprint) 
143 client (Footprint) 
161 client (Footprint) 
additional ports configured but not printed.
Stream UDP Policy config:
Timeout: 180 seconds
HttpInspect Config:
GLOBAL CONFIG
Detect Proxy Usage:     NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
Memcap used for logging URI and Hostname: 150994944
Max Gzip Memory: 838860
Max Gzip Sessions: 2723
Gzip Compress Depth: 65535
Gzip Decompress Depth: 65535
DEFAULT SERVER CONFIG:
Server profile: All
Ports (PAF): 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 
8118 8123 8180 8181 8243 8280 8888 9090 9091 9443 9999 11371 
Server Flow Depth: 0
Client Flow Depth: 0
Max Chunk Length: 500000
Max Header Field Length: 1500
Max Number Header Fields: 100
Max Number of WhiteSpaces allowed with header folding: 200
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 1000
Only inspect URI: NO
Normalize HTTP Headers: NO
Inspect HTTP Cookies: YES
Inspect HTTP Responses: YES
Extract Gzip from responses: YES
Decompress response files: 
Unlimited decompression of gzip data from responses: YES
Normalize Javascripts in HTTP Responses: NO
Normalize HTTP Cookies: NO
Enable XFF and True Client IP: NO
Log HTTP URI data: NO
Log HTTP Hostname data: NO
Extended ASCII code support in URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: NO
%U Encoding: YES alert: YES
Bare Byte: YES alert: NO
UTF 8: YES alert: NO
IIS Unicode: YES alert: NO
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: NO
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 
Whitespace Characters: 0x09 0x0b 0x0c 0x0d 
rpc_decode arguments:
Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 
alert_fragments: INACTIVE
alert_large_fragments: INACTIVE
alert_incomplete: INACTIVE
alert_multiple_requests: INACTIVE
Portscan Detection Config:
Detect Protocols:  TCP UDP ICMP IP
Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes:  21598
Dumping dynamic rules...
Finished dumping dynamic rules.
Snort exiting

root@sensor:~# snort --version

,,_    -*> Snort! <*-
o"  )~  Version 2.9.7.3 GRE (Build 217) 
''''   By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15
Using ZLIB version: 1.2.3.4

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!