Snort mailing list archives
Re: [snort preprocessor]http_inspect cannot identify urlencoded content
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 4 Jul 2016 18:56:40 +0000
Are you sure the destination address in your rule is correct? There isnt anything in the pcap from 192.168.48.140.
Shouldnt it be 192.168.2.111 instead of 192.168.48.140?
If I change the address in your rule it alerts. See below:
cliffjumper$ ./bin/snort -c etc/MAXIM.conf -r etc/MAXIM.pcapng -Acmg -H -U -k none -q
07/04-02:59:02.844050 [**] [1:9100000:1] test urlencoded content. [**] [Classification: Web Application Attack]
[Priority: 1] {TCP} 192.168.2.139:56961 -> 192.168.2.111:80
Stream reassembled packet
07/04-02:59:02.844050 B0:C0:90:51:83:6C -> C8:1F:66:DB:CA:26 type:0x800 len:0x24C
192.168.2.139:56961 -> 192.168.2.111:80 TCP TTL:64 TOS:0x0 ID:23068 IpLen:20 DgmLen:574 DF
***A**** Seq: 0x4D757BEC Ack: 0x438BE909 Win: 0x7680 TcpLen: 20
47 45 54 20 2F 69 64 3D 68 65 6C 6C 6F 77 6F 72 GET /id=hellowor
6C 64 25 32 30 25 36 31 25 36 45 25 36 34 25 32 ld%20%61%6E%64%2
30 25 33 31 25 33 44 25 33 32 25 32 30 25 37 35 0%31%3D%32%20%75
25 34 45 25 36 39 25 36 46 25 36 45 25 32 30 25 %4E%69%6F%6E%20%
35 33 25 36 35 25 36 43 25 34 35 25 36 33 25 37 53%65%6C%45%63%7
34 25 32 30 25 33 31 25 32 43 25 33 32 25 32 43 4%20%31%2C%32%2C
25 33 33 25 32 43 25 33 34 25 32 43 25 33 35 25 %33%2C%34%2C%35%
32 43 25 36 33 25 36 46 25 36 45 25 36 33 25 36 2C%63%6F%6E%63%6
31 25 37 34 25 32 38 25 33 30 25 37 38 25 33 34 1%74%28%30%78%34
25 33 30 25 33 37 25 33 34 25 33 36 25 33 38 25 %30%37%34%36%38%
33 36 25 33 35 25 33 37 25 33 33 25 33 37 25 33 36%35%37%33%37%3
34 25 33 36 25 33 31 25 33 37 25 33 32 25 33 37 4%36%31%37%32%37
25 33 34 25 32 43 25 34 33 25 36 46 25 37 35 25 %34%2C%43%6F%75%
36 45 25 37 34 25 32 38 25 32 41 25 32 39 25 32 6E%74%28%2A%29%2
43 25 33 30 25 37 38 25 33 34 25 33 30 25 33 37 C%30%78%34%30%37
25 33 34 25 33 36 25 33 38 25 33 36 25 33 35 25 %34%36%38%36%35%
33 36 25 33 35 25 33 36 25 34 35 25 33 36 25 33 36%35%36%45%36%3
34 25 32 39 25 32 43 25 33 37 25 32 43 25 33 38 4%29%2C%37%2C%38
25 32 43 25 33 39 25 32 43 25 33 31 25 33 30 25 %2C%39%2C%31%30%
32 30 25 36 36 25 37 32 25 36 46 25 36 44 25 32 20%66%72%6F%6D%2
30 25 36 39 25 36 45 25 36 36 25 36 46 25 37 32 0%69%6E%66%6F%72
25 36 44 25 36 31 25 37 34 25 36 39 25 36 46 25 %6D%61%74%69%6F%
36 45 25 35 46 25 37 33 25 36 33 25 36 38 25 36 6E%5F%73%63%68%6
35 25 36 44 25 36 31 25 32 45 25 37 34 25 36 31 5%6D%61%2E%74%61
25 36 32 25 36 43 25 36 35 25 37 33 25 32 33 20 %62%6C%65%73%23
48 54 54 50 2F 31 2E 31 0D 0A 43 6F 6E 74 65 6E HTTP/1.1..Conten
74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D t-Type: text/htm
6C 0D 0A 48 6F 73 74 3A 20 31 39 32 2E 31 36 38 l..Host: 192.168
2E 32 2E 31 31 31 0D 0A 41 63 63 65 70 74 3A 20 .2.111..Accept:
74 65 78 74 2F 68 74 6D 6C 2C 20 2A 2F 2A 0D 0A text/html, */*..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi
6C 6C 61 2F 33 2E 30 20 28 63 6F 6D 70 61 74 69 lla/3.0 (compati
62 6C 65 3B 20 49 6E 64 79 20 4C 69 62 72 61 72 ble; Indy Librar
79 29 0D 0A 0D 0A y)....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Email: allewi () cisco com<mailto:allewi () cisco com>
From: Maxim <hittlle () 163 com<mailto:hittlle () 163 com>>
Date: Sunday, July 3, 2016 at 11:38 PM
To: 'snort-users' <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>
Subject: [Snort-users] [snort preprocessor]http_inspect cannot identify urlencoded content
Hi all,
I have a website attack tool that encodes HTTP request parameters with urlencode library, and I want snort to capture
and normalize the urlencoded content. I enabled http_inspect preprocessor in snort.conf as follows:
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
max_gzip_mem 104857600
preprocessor http_inspect_server: server default profile all ports { 80 8081 } http_methods { GET POST PUT
DELETE HEAD }
and prepared the corresponding rule as below:
alert tcp any any -> 192.168.48.140 80 (content: "union"; http_uri; nocase; msg:"test urlencoded content.";
classtype: web-application-attack;flowbits: isnotset, 9100000; flowbits: set,
9100000; flow: from_client; tag: session,exclusive; sid: 9100000; rev:1)
They keyword "union" is urlencoded in the parameter part of the http request generated by the attack tool. Then I used
the tool to trigger the attack as follows
GET
/id=test%20%61%6E%64%20%31%3D%32%20%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20%31%2C%32%2C%33%2C%34%2C%35%2C%63%6F%6E%63%61%74%28%30%78%34%30%37%34%36%38%36%35%37%33%37%34%36%31%37%32%37%34%2C%43%6F%75%6E%74%28%2A%29%2C%30%78%34%30%37%34%36%38%36%35%36%35%36%45%36%34%29%2C%37%2C%38%2C%39%2C%31%30%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%23
HTTP/1.1
Content-Type: text/html
Host: 192.168.2.111
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
The normalized form of
"%20%61%6E%64%20%31%3D%32%20%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20%31%2C%32%2C%33%2C%34%2C%35%2C%63%6F%6E%63%61%74%28%30%78%34%30%37%34%36%38%36%35%37%33%37%34%36%31%37%32%37%34%2C%43%6F%75%6E%74%28%2A%29%2C%30%78%34%30%37%34%36%38%36%35%36%35%36%45%36%34%29%2C%37%2C%38%2C%39%2C%31%30%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%23"
in the above request is "/id=test and 1=2 uNion SelEct
1,2,3,4,5,concat(0x407468657374617274,Count(*),0x40746865656E64),7,8,9,10 from information_schema.tables#". As you can
see, the rule SHOULD match the request and trigger a alert, but it didn't. My snort version information and the pcap
file are attacked below.
,,_ -*> Snort! <*-
o" )~ Version 2.9.6.0 GRE (Build 47)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.31 2012-07-06
Using ZLIB version: 1.2.8
Am I missing anything? Any guidance would be highly appreciated. Thanks.
Regards
Hittlle
[X]
------------------------------------------------------------------------------ Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San Francisco, CA to explore cutting-edge tech and listen to tech luminaries present their vision of the future. This family event has something for everyone, including kids. Get more information and register today. http://sdm.link/attshape
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- [snort preprocessor]http_inspect cannot identify urlencoded content Maxim (Jul 03)
- Re: [snort preprocessor]http_inspect cannot identify urlencoded content Al Lewis (allewi) (Jul 04)