Snort mailing list archives

[snort preprocessor]http_inspect cannot identify urlencoded content


From: Maxim <hittlle () 163 com>
Date: Mon, 4 Jul 2016 11:38:01 +0800 (CST)

Hi all,
I have a website attack tool that encodes HTTP request parameters with a urlencode library, and I want Snort to capture
and normalize the urlencoded content. I enabled the http_inspect preprocessor in snort.conf as follows:


    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 max_gzip_mem 104857600
    preprocessor http_inspect_server: server default profile all ports { 80 8081 } http_methods { GET POST PUT DELETE HEAD }


and prepared the corresponding rule as below:
        
    alert tcp any any -> 192.168.48.140 80 (content: "union"; http_uri; nocase; msg:"test urlencoded content."; classtype: web-application-attack; flowbits: isnotset, 9100000; flowbits: set, 9100000; flow: from_client; tag: session,exclusive; sid: 9100000; rev:1)


The keyword "union" is urlencoded in the parameter part of the HTTP request generated by the attack tool. Then I used
the tool to trigger the attack as follows:

GET /id=test%20%61%6E%64%20%31%3D%32%20%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20%31%2C%32%2C%33%2C%34%2C%35%2C%63%6F%6E%63%61%74%28%30%78%34%30%37%34%36%38%36%35%37%33%37%34%36%31%37%32%37%34%2C%43%6F%75%6E%74%28%2A%29%2C%30%78%34%30%37%34%36%38%36%35%36%35%36%45%36%34%29%2C%37%2C%38%2C%39%2C%31%30%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%23 HTTP/1.1
Content-Type: text/html
Host: 192.168.2.111
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


The normalized form of
"%20%61%6E%64%20%31%3D%32%20%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20%31%2C%32%2C%33%2C%34%2C%35%2C%63%6F%6E%63%61%74%28%30%78%34%30%37%34%36%38%36%35%37%33%37%34%36%31%37%32%37%34%2C%43%6F%75%6E%74%28%2A%29%2C%30%78%34%30%37%34%36%38%36%35%36%35%36%45%36%34%29%2C%37%2C%38%2C%39%2C%31%30%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%23"
in the above request is "/id=test and 1=2 uNion SelEct
1,2,3,4,5,concat(0x407468657374617274,Count(*),0x40746865656E64),7,8,9,10 from information_schema.tables#". As you can
see, the rule SHOULD match the request and trigger an alert, but it didn't. My Snort version information and the pcap
file are attached below.


            ,,_     -*> Snort! <*-
            o"  )~   Version 2.9.6.0 GRE (Build 47) 
           ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8


Am I missing anything? Any guidance would be highly appreciated.  Thanks.


Regards
Hittlle

Attachment: pcap.pcapng
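As an added illustration (not part of the original post and not Snort's own code), the following Python models the single decoding pass http_inspect applies when it builds the http_uri buffer, then applies the rule's content:"union"; http_uri; nocase test to the request line quoted above; it also reports what a raw-buffer match would see and whether a URI is double-encoded, which a single pass leaves encoded. The helper names and the extra sample URIs are my own constructions.

```python
import re

# Constructed sample input: the request-line URI quoted in the post, copied verbatim.
ENCODED_URI = (
    "/id=test"
    "%20%61%6E%64%20%31%3D%32%20"                      # " and 1=2 "
    "%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20"          # "uNion SelEct "
    "%31%2C%32%2C%33%2C%34%2C%35%2C"                   # "1,2,3,4,5,"
    "%63%6F%6E%63%61%74%28"                            # "concat("
    "%30%78%34%30%37%34%36%38%36%35%37%33%37%34%36%31%37%32%37%34%2C"  # "0x407468657374617274,"
    "%43%6F%75%6E%74%28%2A%29%2C"                      # "Count(*),"
    "%30%78%34%30%37%34%36%38%36%35%36%35%36%45%36%34%29"  # "0x40746865656E64)"
    "%2C%37%2C%38%2C%39%2C%31%30%20%66%72%6F%6D%20"    # ",7,8,9,10 from "
    "%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%23"  # "information_schema.tables#"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def percent_decode(uri):
    """One decoding pass over %XX escapes, modelling the normalization that fills
    Snort's http_uri buffer (http_raw_uri keeps the bytes as sent). Malformed '%' is kept."""
    out, i, decoded, malformed = [], 0, 0, 0
    while i < len(uri):
        m = PCT.match(uri, i) if uri[i] == "%" else None
        if m:
            out.append(chr(int(m.group(1), 16)))
            decoded, i = decoded + 1, i + 3
            continue
        if uri[i] == "%":
            malformed += 1
        out.append(uri[i])
        i += 1
    return "".join(out), decoded, malformed

def check_rule(raw_uri, pattern="union"):
    """Apply the post's content:"union"; http_uri; nocase test to one request URI."""
    norm, decoded, malformed = percent_decode(raw_uri)
    return {
        "normalized_uri": norm,
        "http_uri_match": pattern.lower() in norm.lower(),         # nocase on normalized buffer
        "http_raw_uri_match": pattern.lower() in raw_uri.lower(),  # what a raw-buffer rule sees
        "decoded_escapes": decoded,
        "malformed_escapes": malformed,
        # valid escapes still present after one pass mean the URI was double-encoded,
        # so a single-pass normalizer does not expose the keyword
        "double_encoded": percent_decode(norm)[1] > 0,
    }
if __name__ == "__main__":
    for uri in (ENCODED_URI, "/id=%2575nion", "/id=%zzunion"):  # constructed samples
        print(check_rule(uri))
```

This model covers only %XX escapes; Snort's decoder additionally handles the IIS-specific encodings selected by iis_unicode_map and the other http_inspect_server normalization options.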