[Snort-devel] what about anti-rules and whatnot?

Brian Caswell bmc at ...227...
Sat Apr 7 12:39:29 EDT 2001


Martin Roesch wrote:
> >  cgi exploits (identifying that a request is a cgi, not referer, etc)
> 
> Ok, I coded this one and it's in CVS...
> 
> The keyword is "uricontent" and it works just like regular content with
> the only difference being that if the http_decode preprocessor is
> activated the URI section of the packet will be located and searched
> instead of searching the entire payload.  There's some pretty nasty tie
> in's between the pattern matcher, http_decode plugin, and the decoder,
> but I figure it's all in good fun (and you don't have to use it if you
> don't want).
> 
> FYI, if the http_decode plugin isn't turned on, it'll act just like the
> normal content rule...
> 
> Sample config:
> 
> preprocessor http_decode: 80 1080 8080 3128
> 
> alert tcp any any -> $HOME_NET 80 (uricontent: "phf"; msg: "PHF
> attack!";)

And as usual, I broke this new addition. 

The request "GET /cgi-bin%2f%2e/%70hf HTTP/1.0" is supposed to be
converted into "GET /cgi-bin/phf HTTP/1.0"  

http_decode no longer does this.  Using "uricontent" and "content" both
fail because the content is no longer normalized.

This is the pertinent output from debug mode.

converted data:
47 45 54 20 2F 63 67 69 2D 62 69 6E 25 32 2F 25  GET /cgi-bin%2/%
68 66 3F 51 61 6C 69 61 73 3D 61 6C 73 20 48 54  hf?Qalias=als HT
54 50 2F 31 2E 30 0D 0A                          TP/1.0..

-- 
Brian Caswell
The MITRE Corporation
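A small model of the normalization the post expects http_decode to perform, added here as an illustration; it is not code from Snort or from either poster. It assumes normalization means percent-decoding followed by removal of "." and ".." path segments (".." goes slightly beyond the "/./" case in the post), and it shows why a plain content match on the raw request misses "phf" while a match against the normalized URI finds it.

```python
import re

# Request line only; headers and body are out of scope for this model.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) (?P<version>HTTP/\d\.\d)$")
PERCENT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode(uri: str) -> str:
    """Decode %XX escapes. A '%' not followed by two hex digits is kept literally,
    which is why the mangled '%2/%hf' from the post's debug output never becomes 'phf'."""
    return PERCENT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), uri)


def collapse_dot_segments(path: str) -> str:
    """Drop '.' segments and let '..' pop the previous segment (assumed behaviour)."""
    parts = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/".join(parts)


def normalize_request_line(line: str) -> str:
    """Return the request line with its URI percent-decoded and dot segments removed."""
    m = REQUEST_LINE.match(line)
    if not m:
        raise ValueError("not an HTTP request line")
    path, sep, query = percent_decode(m.group("uri")).partition("?")
    return f"{m.group('method')} {collapse_dot_segments(path)}{sep}{query} {m.group('version')}"


def content_match(line: str, pattern: str) -> bool:
    """Model of a plain 'content' check: search the raw, un-normalized bytes."""
    return pattern in line


def uricontent_match(line: str, pattern: str) -> bool:
    """Model of 'uricontent': search only the normalized URI."""
    return pattern in normalize_request_line(line).split(" ")[1]


if __name__ == "__main__":
    req = "GET /cgi-bin%2f%2e/%70hf HTTP/1.0"  # the request from the post
    print(normalize_request_line(req))          # GET /cgi-bin/phf HTTP/1.0
    print(content_match(req, "phf"), uricontent_match(req, "phf"))  # False True
```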
