[Snort-devel] what about anti-rules and whatnot?
bmc at ...227...
Sat Apr 7 12:39:29 EDT 2001
Martin Roesch wrote:
> > cgi exploits (identifying that a request is a cgi, not referer, etc)
> Ok, I coded this one and it's in CVS...
> The keyword is "uricontent" and it works just like regular content with
> the only difference being that if the http_decode preprocessor is
> activated the URI section of the packet will be located and searched
> instead of searching the entire payload. There's some pretty nasty
> tie-ins between the pattern matcher, http_decode plugin, and the decoder,
> but I figure it's all in good fun (and you don't have to use it if you
> don't want).
> FYI, if the http_decode plugin isn't turned on, it'll act just like the
> normal content rule...
> Sample config:
> preprocessor http_decode: 80 1080 8080 3128
> alert tcp any any -> $HOME_NET 80 (uricontent: "phf"; msg: "PHF
And as usual, I broke this new addition.
The request "GET /cgi-bin%2f%2e/%70hf HTTP/1.0" is supposed to be
converted into "GET /cgi-bin/phf HTTP/1.0"
http_decode no longer does this. Using "uricontent" and "content" both
fail because the content is no longer normalized.
This is the pertinent output from debug mode.
47 45 54 20 2F 63 67 69 2D 62 69 6E 25 32 2F 25 GET /cgi-bin%2/%
68 66 3F 51 61 6C 69 61 73 3D 61 6C 73 20 48 54 hf?Qalias=als HT
54 50 2F 31 2E 30 0D 0A TP/1.0..
The MITRE Corporation
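The normalization this thread expects from http_decode, written out as an added example (this is not Snort's own code and not code from either poster): the request line is percent-decoded, "/./" self-reference segments are collapsed (that collapse is an assumption about what "converted into /cgi-bin/phf" implies; the %2e alone only yields "/./"), and a "uricontent"-style match is run on the normalized URI token only. A malformed escape such as the "%2/" visible in the debug dump is passed through literally rather than dropped, which is a design choice here, not documented http_decode behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst. A malformed escape (e.g. "%2/" with no
 * second hex digit) is copied through literally so the matcher still
 * sees what was on the wire. Returns 0, or -1 if dst is too small. */
int percent_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = (hi >= 0) ? hexval((unsigned char)src[i + 2]) : -1;
            if (hi >= 0 && lo >= 0) {
                c = (hi << 4) | lo;
                i += 2;
            }
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Collapse every "/./" to "/" in place (assumed http_decode behaviour). */
static void collapse_dot_segments(char *s)
{
    char *p;
    while ((p = strstr(s, "/./")) != NULL)
        memmove(p, p + 2, strlen(p + 2) + 1);
}

/* Full normalization: decode, then drop self-reference segments. */
int normalize_uri(const char *raw, char *out, size_t outlen)
{
    if (percent_decode(raw, out, outlen) < 0) return -1;
    collapse_dot_segments(out);
    return 0;
}

/* Locate the request-URI: the second space-separated token of the
 * request line. Returns 0 and sets *start/*len, or -1 if absent. */
int uri_span(const char *req, const char **start, size_t *len)
{
    const char *sp = strchr(req, ' ');
    if (sp == NULL) return -1;
    const char *uri = sp + 1;
    const char *end = strchr(uri, ' ');
    *start = uri;
    *len = end ? (size_t)(end - uri) : strlen(uri);
    return 0;
}

/* Emulate "uricontent": normalize only the URI token and search it.
 * Unlike "content", the method and version fields are never searched. */
int uricontent_match(const char *req, const char *pattern)
{
    const char *uri;
    size_t len;
    char raw[2048], norm[2048];
    if (uri_span(req, &uri, &len) < 0 || len >= sizeof raw) return 0;
    memcpy(raw, uri, len);
    raw[len] = '\0';
    if (normalize_uri(raw, norm, sizeof norm) < 0) return 0;
    return strstr(norm, pattern) != NULL;
}

int main(void)
{
    /* Constructed request line from the thread's example. */
    const char *req = "GET /cgi-bin%2f%2e/%70hf HTTP/1.0";
    char norm[256];
    normalize_uri(req, norm, sizeof norm);
    printf("raw : %s\n", req);
    printf("norm: %s\n", norm);
    printf("raw strstr phf : %s\n", strstr(req, "phf") ? "hit" : "miss");
    printf("uricontent phf : %s\n", uricontent_match(req, "phf") ? "hit" : "miss");
    return 0;
}
```

Run as-is, the raw search misses "phf" while the normalized search hits it, which is exactly the failure the post reports when normalization stops working: both "uricontent" and "content" fall back to the raw bytes and the rule stays silent.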