[Snort-devel] Patch for spp_http_decode.c

Erich Meier Erich.Meier at ...2...
Wed Dec 6 04:37:32 EST 2000


Hi!

Attached is a patch that makes the internal IIS Unicode and CGI Null Byte
attack checks configurable. The possibility to disable at least the first
check makes us german non-IIS-users happy, because that saves us from drowning
in false positives triggered by the encoding of our umlauts (äö etc.).

The checks are disabled by issuing an "-unicode" or "-cginull" arguments to
the preprocessor.

Hope this is useful,
Erich
-- 
Erich Meier                              Erich.Meier at ...2...
                                 http://www4.informatik.uni-erlangen.de/~meier/
-------------- next part --------------
Index: spp_http_decode.c
===================================================================
RCS file: /cvsroot/snort/snort/spp_http_decode.c,v
retrieving revision 1.3
diff -c -r1.3 spp_http_decode.c
*** spp_http_decode.c	2000/11/18 08:25:04	1.3
--- spp_http_decode.c	2000/12/06 09:31:32
***************
*** 31,36 ****
--- 31,38 ----
   *   
   * This plugin takes a list of integers representing the TCP ports that the
   * user is interested in having normalized
+  * a "-unicode" disables the IIS unicode check that is enabled by default
+  * a "-cginull" disables the CGI NULL check that is enabled by default
   *
   * Effect:
   *
***************
*** 49,54 ****
--- 51,62 ----
  
  #define MODNAME "spp_http_decode"
  
+ #define NOUNICODE "-unicode"
+ #define NOCGINULL "-cginull"
+ 
+ int check_iis_unicode = 1;
+ int check_cgi_null = 1;
+ 
  extern char *file_name;
  extern int file_line;
  
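Review bot: `check_iis_unicode` and `check_cgi_null` are defined with external linkage, although only this file appears to reference them; `static int check_iis_unicode = 1;` and `static int check_cgi_null = 1;` would keep the plugin from exporting two more symbols into the global namespace. A short comment on their meaning would also help the reader of the packet path, e.g. `/* 1 = check enabled; cleared when "-unicode" / "-cginull" appears in the preprocessor argument list */`.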
***************
*** 121,126 ****
--- 129,135 ----
      char **toks;
      int num_toks;
      int num_ports = 0;
+     int num;
  
      if (portlist == NULL)
      {
***************
*** 131,139 ****
      toks = mSplit(portlist, " ", 31, &num_toks, '\\');
  
      /* convert the tokens and place them into the port list */
!     for (num_ports = 0; num_ports < num_toks; num_ports++)
      {
!         HttpDecodePorts.ports[num_ports] = atoi(toks[num_ports]);
      }   
  
      HttpDecodePorts.num_entries = num_ports;
--- 140,154 ----
      toks = mSplit(portlist, " ", 31, &num_toks, '\\');
  
      /* convert the tokens and place them into the port list */
!     for (num = 0; num < num_toks; num++)
      {
! 	if (!strncmp(NOUNICODE, toks[num], sizeof NOUNICODE)) {
! 	    check_iis_unicode = 0;
! 	} else if (!strncmp(NOCGINULL, toks[num], sizeof NOCGINULL)) {
! 	    check_cgi_null = 0;
! 	} else {
! 	    HttpDecodePorts.ports[num_ports++] = atoi(toks[num]);
! 	}
      }   
  
      HttpDecodePorts.num_entries = num_ports;
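Review bot: A token that starts with `-` but is neither option falls through to `atoi`, which returns 0 for it, so a misspelled option such as `-unicod` silently adds port 0 to HttpDecodePorts.ports and leaves the check it was meant to disable enabled. A branch before the final `else`, `} else if (toks[num][0] == '-') { /* unknown option: report via the plugin's config-error path (file_name/file_line) and skip it */`, would reject such tokens instead of treating them as ports. Separately, `sizeof NOUNICODE` counts the terminating NUL, so the strncmp is in effect an exact whole-string compare; `strcmp(toks[num], NOUNICODE) == 0` says that directly. The new lines are indented with tabs where the surrounding function uses spaces. The enclosing function starts and ends outside the hunk.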
***************
*** 224,235 ****
                      {
                          /*convert it and stuff it */
                          temp = (nibble(*(index+1)) << 4) | nibble(*(index+2));
!                         if ((temp == 192) || /* c0 */
!                             (temp == 193) || /* c1 */
!                             (temp == 224) || /* e0 */
!                             (temp == 240) || /* f0 */
!                             (temp == 248) || /* f8 */
!                             (temp == 252))   /* fc */
                          {
                              snprintf(logMessage, sizeof(logMessage), 
                                       MODNAME ": IIS Unicode attack detected");
--- 239,251 ----
                      {
                          /*convert it and stuff it */
                          temp = (nibble(*(index+1)) << 4) | nibble(*(index+2));
!                         if (((temp == 192) || /* c0 */
!                              (temp == 193) || /* c1 */
!                              (temp == 224) || /* e0 */
!                              (temp == 240) || /* f0 */
!                              (temp == 248) || /* f8 */
!                              (temp == 252)) &&/* fc */
! 			    check_iis_unicode)
                          {
                              snprintf(logMessage, sizeof(logMessage), 
                                       MODNAME ": IIS Unicode attack detected");
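Review bot: The new `check_iis_unicode` gate is appended after the six byte comparisons, and on the `(temp == 252)) &&/* fc */` line the comment is glued to the operator, which makes the condition hard to read; putting the flag first, `if (check_iis_unicode && ((temp == 192) || /* c0 */`, short-circuits the comparisons when the check is disabled and reads as the gate it is. The added `check_iis_unicode)` line is also indented with a tab where the rest of the block uses spaces. The enclosing function starts and ends outside the hunk.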
***************
*** 239,245 ****
                              CallLogFuncs(p, logMessage, NULL);
                          }
  
!                         if (temp == 0)
                          {
                              snprintf(logMessage, sizeof(logMessage), 
                                       MODNAME ": CGI Null Byte attack detected");
--- 255,261 ----
                              CallLogFuncs(p, logMessage, NULL);
                          }
  
!                         if (temp == 0 && check_cgi_null)
                          {
                              snprintf(logMessage, sizeof(logMessage), 
                                       MODNAME ": CGI Null Byte attack detected");
Index: RULES.SAMPLE
===================================================================
RCS file: /cvsroot/snort/snort/RULES.SAMPLE,v
retrieving revision 1.3
diff -c -r1.3 RULES.SAMPLE
*** RULES.SAMPLE	2000/09/18 19:30:37	1.3
--- RULES.SAMPLE	2000/12/06 09:31:32
***************
*** 428,433 ****
--- 428,437 ----
  # but some places will have web servers running on multiple ports like in 
  # the example below
  
+ # The preprocessor internally checks for the IIS unicode and the CGI NULL
+ # byte attack. This can be disabled by providing "-unicode" or "-cginull"
+ # arguments to the preprocessor.
+ 
  preprocessor http_decode: 80 443 8080
  
  

