Snort mailing list archives
Re: Matching http_cookie content
From: Alex Tatistcheff via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 12 May 2023 08:28:58 -0600
I would first simplify the Talos rule until you get it to alert. Then add keywords back in until you find the culprit. Unless you've done this you don't know what part of the rule is not matching.

On Fri, May 12, 2023, 7:24 AM Stephen Reese via Snort-sigs < snort-sigs () lists snort org> wrote:
I am having trouble triggering Snort 3 log4j rules which look for a pattern in http_cookie. For the following rule, I would expect something like ${jndi: or similar set to a cookie value would suffice, but that does not seem to be the case. Thoughts on why I am unable to trigger the rule using the encoded or unencoded value that seems to meet the regex criteria?

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt";
    flow:to_server,established;
    content:"jndi",fast_pattern,nocase;
    http_cookie;
    content:"jndi",nocase;
    pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)/i";
    metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community;
    service:http;
    reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105;
    classtype:attempted-user;
    sid:58726; rev:6;
)

Python to trigger the request:

import logging
import socket
from scapy.all import raw
from scapy.layers.http import HTTPRequest

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

target_ip = "192.168.208.167"
target_port = 80

# The cookie value to trigger the Snort rule with sid 58726 and rev 6
cookie_name = "jndi"
#cookie_value = "${jndi:"
cookie_value = "%24%7bjndi%3a"

def send_request(cookie_name, cookie_value):
    # Build the request with scapy's HTTP layer; header fields are bytes
    http_request = HTTPRequest(
        Method=b"GET",
        Path=b"/",
        Host=bytes(target_ip, encoding="utf-8"),
        User_Agent=b"Mozilla/5.0",
        Accept=b"*/*",
        Connection=b"keep-alive",
        Cookie=f"{cookie_name}={cookie_value}".encode("utf-8"),
    )
    http_request_raw = raw(http_request)
    # Send over a plain TCP socket so the kernel handles the handshake
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target_ip, target_port))
    sock.sendall(http_request_raw)
    response = sock.recv(4096)
    sock.close()
    print(response)
    print("Triggered Snort rule with sid: 58726, rev: 6")

send_request(cookie_name, cookie_value)

Wireshark stream:

GET / HTTP/1.1
Accept: */*
Connection: keep-alive
Cookie: vulnerable_cookie=%24%7bjndi%3a
Host: 192.168.208.167
User-Agent: Mozilla/5.0

HTTP/1.1 200 OK
Content-Length: 258
Date: Thu, 11 May 2023 19:45:09 GMT
Content-Type: text/html
Server: INetSim HTTP Server
Connection: Close

<html>
<head>
<title>INetSim default HTML page</title>
</head>
<body>
<p></p>
<p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
<p align="center">This file is an HTML document.</p>
</body>
</html>

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
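A quick way to rule out the pcre itself before simplifying the rule, as an added check that is not code from either poster: evaluate the rule's jndi content string and its pcre against the cookie values from the thread, both on the raw header value and after one round of percent-decoding (which form Snort's http_inspect hands to the cookie buffer is not covered by the thread, so both are checked). The double-encoded sample is constructed here to exercise the optional (25) groups.

```python
import re
from urllib.parse import unquote_to_bytes

# Regex and content string taken from the sid 58726 rule quoted in the thread.
# Python's re accepts the same \xHH escapes the rule's pcre uses.
RULE_PCRE = re.compile(rb"(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)", re.IGNORECASE)
RULE_CONTENT = b"jndi"


def evaluate_cookie(cookie_header: bytes) -> dict:
    """Apply the rule's jndi content match and pcre to one raw Cookie header value.

    Reports each condition on the raw value and on the value after a single
    round of percent-decoding, so a missing alert can be narrowed down to either
    the cookie contents or to something outside the cookie buffer.
    """
    decoded = unquote_to_bytes(cookie_header)
    return {
        "content_raw": RULE_CONTENT in cookie_header.lower(),
        "pcre_raw": RULE_PCRE.search(cookie_header) is not None,
        "content_decoded": RULE_CONTENT in decoded.lower(),
        "pcre_decoded": RULE_PCRE.search(decoded) is not None,
    }


def cookie_conditions_hold(cookie_header: bytes) -> bool:
    """True when both the content match and the pcre hold, raw or once-decoded."""
    r = evaluate_cookie(cookie_header)
    return (r["content_raw"] and r["pcre_raw"]) or (r["content_decoded"] and r["pcre_decoded"])


# Constructed samples: the two cookie values from the thread, a double-encoded
# variant allowed by the (%(25)?..) groups, and a control that only contains "jndi".
SAMPLE_COOKIES = [
    b"jndi=${jndi:",
    b"jndi=%24%7bjndi%3a",
    b"jndi=%2524%257bjndi%253a",
    b"jndi=foo",
]

if __name__ == "__main__":
    for cookie in SAMPLE_COOKIES:
        print(cookie.decode(), evaluate_cookie(cookie))
```

If every value from the thread satisfies both conditions here, the regex and content keywords are not the culprit and the search moves to the rest of the rule (flow, service, ports, buffer selection), which is what the simplify-and-rebuild approach above isolates.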
Current thread:
- Matching http_cookie content Stephen Reese via Snort-sigs (May 12)
- Re: Matching http_cookie content Alex Tatistcheff via Snort-sigs (May 12)