Re: Matching http_cookie content

[Alex Tatistcheff via Snort-sigs <snort-sigs () lists snort org>]

I would first simplify the Talos rule until you get it to alert. Then add
keywords back in until you find the culprit. Unless you've done this you
dont know what part of the rule is not matching.

On Fri, May 12, 2023, 7:24 AM Stephen Reese via Snort-sigs <
snort-sigs () lists snort org> wrote:

> I am having trouble triggering Snort 3 log4j rules which look for a
> pattern in http_cookie. For the following rule, I would expect something
> like ${jndi: or similar set to a cookie value would suffice but that does
> not seem to be the case. Thoughts on why I am unable to trigger the rule
> using the encoded or unencoded value that seems to meet the regex criteria?
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER
> Apache Log4j logging remote code execution attempt";
> flow:to_server,established; content:"jndi",fast_pattern,nocase;
> http_cookie; content:"jndi",nocase;
> pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)/i";
> metadata:policy balanced-ips drop,policy connectivity-ips drop,policy
> max-detect-ips drop,policy security-ips drop,ruleset community;
> service:http; reference:cve,2021-44228; reference:cve,2021-44832;
> reference:cve,2021-45046; reference:cve,2021-45105;
> classtype:attempted-user; sid:58726; rev:6; )
>
> Python to trigger the request:
>
> import logging
> import socket
> from scapy.all import *
> from scapy.layers.http import HTTPRequest
>
> logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
>
> target_ip = "192.168.208.167"
> target_port = 80
>
> # The cookie value to trigger the Snort rule with sid 58726 and rev 6
> cookie_name = "jndi"
> #cookie_value = "${jndi:"
> cookie_value = "%24%7bjndi%3a"
>
> def send_request(cookie_name, cookie_value):
> http_request = HTTPRequest(
> Method=b"GET",
> Path=b"/",
> Host=bytes(target_ip, encoding="utf-8"),
> User_Agent=b"Mozilla/5.0",
> Accept=b"*/*",
> Connection=b"keep-alive",
> Cookie=f"{cookie_name}={cookie_value}"
> )
>
> http_request_raw = raw(http_request)
>
> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
> sock.connect((target_ip, target_port))
>
> sock.sendall(http_request_raw)
> response = sock.recv(4096)
>
> sock.close()
> print(response)
> print("Triggered Snort rule with sid: 58726, rev: 6")
>
> send_request(cookie_name, cookie_value)
>
> WireShark stream:
>
> GET / HTTP/1.1
> Accept: */*
> Connection: keep-alive
> Cookie: vulnerable_cookie=%24%7bjndi%3a
> Host: 192.168.208.167
> User-Agent: Mozilla/5.0
>
> HTTP/1.1 200 OK
> Content-Length: 258
> Date: Thu, 11 May 2023 19:45:09 GMT
> Content-Type: text/html
> Server: INetSim HTTP Server
> Connection: Close
>
> <html>
> <head>
> <title>INetSim default HTML page</title>
> </head>
> <body>
> <p></p>
> <p align="center">This is the default HTML page for INetSim HTTP server
> fake mode.</p>
> <p align="center">This file is an HTML document.</p>
> </body>
> </html>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!