Snort mailing list archives

Matching http_cookie content


From: Stephen Reese via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 11 May 2023 15:48:56 -0400

I am having trouble triggering Snort 3 log4j rules which look for a pattern
in http_cookie. For the following rule, I would expect something like
${jndi: or similar set to a cookie value would suffice but that does not
seem to be the case. Thoughts on why I am unable to trigger the rule using
the encoded or unencoded value that seems to meet the regex criteria?

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt";
    flow:to_server,established;
    content:"jndi",fast_pattern,nocase;
    http_cookie;
    content:"jndi",nocase;
    pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)/i";
    metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community;
    service:http;
    reference:cve,2021-44228;
    reference:cve,2021-44832;
    reference:cve,2021-45046;
    reference:cve,2021-45105;
    classtype:attempted-user;
    sid:58726;
    rev:6;
)

Python to trigger the request:

import logging
import socket

from scapy.all import raw
from scapy.layers.http import HTTPRequest

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

target_ip = "192.168.208.167"
target_port = 80

# The cookie value to trigger the Snort rule with sid 58726 and rev 6
cookie_name = "jndi"
#cookie_value = "${jndi:"          # unencoded variant
cookie_value = "%24%7bjndi%3a"      # percent-encoded variant


def send_request(cookie_name, cookie_value):
    # Build the request with scapy's HTTP layer. All header fields are bytes,
    # so the Cookie header is encoded to match the others.
    http_request = HTTPRequest(
        Method=b"GET",
        Path=b"/",
        Host=target_ip.encode("utf-8"),
        User_Agent=b"Mozilla/5.0",
        Accept=b"*/*",
        Connection=b"keep-alive",
        Cookie=f"{cookie_name}={cookie_value}".encode("utf-8"),
    )

    # Serialise the layer and send it over a real TCP connection so the
    # request arrives on an established flow (flow:to_server,established).
    http_request_raw = raw(http_request)

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target_ip, target_port))
    sock.sendall(http_request_raw)
    response = sock.recv(4096)
    sock.close()

    print(response)
    # Reports that the request was sent; the script cannot observe whether
    # Snort actually raised the alert.
    print("Triggered Snort rule with sid: 58726, rev: 6")


send_request(cookie_name, cookie_value)

Wireshark stream:

GET / HTTP/1.1
Accept: */*
Connection: keep-alive
Cookie: vulnerable_cookie=%24%7bjndi%3a
Host: 192.168.208.167
User-Agent: Mozilla/5.0

HTTP/1.1 200 OK
Content-Length: 258
Date: Thu, 11 May 2023 19:45:09 GMT
Content-Type: text/html
Server: INetSim HTTP Server
Connection: Close

<html>
<head>
<title>INetSim default HTML page</title>
</head>
<body>
<p></p>
<p align="center">This is the default HTML page for INetSim HTTP server
fake mode.</p>
<p align="center">This file is an HTML document.</p>
</body>
</html>
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
