Snort mailing list archives
[snort preprocessor]http_inspect cannot identify urlencoded content
From: Maxim <hittlle () 163 com>
Date: Mon, 4 Jul 2016 11:38:01 +0800 (CST)
Hi all, I have a website attack tool that encodes HTTP request parameters with urlencode library, and I want snort to capture and normalize the urlencoded content. I enabled http_inspect preprocessor in snort.conf as follows: preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 max_gzip_mem 104857600 preprocessor http_inspect_server: server default profile all ports { 80 8081 } http_methods { GET POST PUT DELETE HEAD } and prepared the corresponding rule as below: alert tcp any any -> 192.168.48.140 80 (content: "union"; http_uri; nocase; msg:"test urlencoded content."; classtype: web-application-attack;flowbits: isnotset, 9100000; flowbits: set, 9100000; flow: from_client; tag: session,exclusive; sid: 9100000; rev:1) They keyword "union" is urlencoded in the parameter part of the http request generated by the attack tool. Then I used the tool to trigger the attack as follows GET /id=test%20%61%6E%64%20%31%3D%32%20%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20%31%2C%32%2C%33%2C%34%2C%35%2C%63%6F%6E%63%61%74%28%30%78%34%30%37%34%36%38%36%35%37%33%37%34%36%31%37%32%37%34%2C%43%6F%75%6E%74%28%2A%29%2C%30%78%34%30%37%34%36%38%36%35%36%35%36%45%36%34%29%2C%37%2C%38%2C%39%2C%31%30%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%23 HTTP/1.1 Content-Type: text/html Host: 192.168.2.111 Accept: text/html, */* User-Agent: Mozilla/3.0 (compatible; Indy Library) The normalized form of "%20%61%6E%64%20%31%3D%32%20%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20%31%2C%32%2C%33%2C%34%2C%35%2C%63%6F%6E%63%61%74%28%30%78%34%30%37%34%36%38%36%35%37%33%37%34%36%31%37%32%37%34%2C%43%6F%75%6E%74%28%2A%29%2C%30%78%34%30%37%34%36%38%36%35%36%35%36%45%36%34%29%2C%37%2C%38%2C%39%2C%31%30%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%23" in the above request is "/id=test and 1=2 uNion SelEct 1,2,3,4,5,concat(0x407468657374617274,Count(*),0x40746865656E64),7,8,9,10 from information_schema.tables#". As you can see, the rule SHOULD match the request and trigger a alert, but it didn't. My snort version information and the pcap file are attacked below. ,,_ -*> Snort! <*- o" )~ Version 2.9.6.0 GRE (Build 47) '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.5.3 Using PCRE version: 8.31 2012-07-06 Using ZLIB version: 1.2.8 Am I missing anything? Any guidance would be highly appreciated. Thanks. Regards Hittlle
Attachment:
pcap.pcapng
Description:
------------------------------------------------------------------------------ Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San Francisco, CA to explore cutting-edge tech and listen to tech luminaries present their vision of the future. This family event has something for everyone, including kids. Get more information and register today. http://sdm.link/attshape
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- [snort preprocessor]http_inspect cannot identify urlencoded content Maxim (Jul 03)
- Re: [snort preprocessor]http_inspect cannot identify urlencoded content Al Lewis (allewi) (Jul 04)