[Snort-devel] what about anti-rules and whatnot?

Martin Roesch roesch at ...48...
Sat Apr 7 18:57:48 EDT 2001


Ok, this should be working properly now.  Somehow the "*url = (char)
temp" write of converted data disappeared; I don't recall
zapping it, but I was coding at 2AM...

   -Marty

Brian Caswell wrote:
> 
> Martin Roesch wrote:
> > >  cgi exploits (identifying that a request is a cgi, not referer, etc)
> >
> > Ok, I coded this one and it's in CVS...
> >
> > The keyword is "uricontent" and it works just like regular content with
> > the only difference being that if the http_decode preprocessor is
> > activated the URI section of the packet will be located and searched
> > instead of searching the entire payload.  There's some pretty nasty
> > tie-ins between the pattern matcher, http_decode plugin, and the decoder,
> > but I figure it's all in good fun (and you don't have to use it if you
> > don't want).
> >
> > FYI, if the http_decode plugin isn't turned on, it'll act just like the
> > normal content rule...
> >
> > Sample config:
> >
> > preprocessor http_decode: 80 1080 8080 3128
> >
> > alert tcp any any -> $HOME_NET 80 (uricontent: "phf"; msg: "PHF
> > attack!";)
> 
> And as usual, I broke this new addition.
> 
> The request "GET /cgi-bin%2f%2e/%70hf HTTP/1.0" is supposed to be
> converted into "GET /cgi-bin/phf HTTP/1.0"
> 
> http_decode no longer does this.  Using "uricontent" and "content" both
> fail because the content is no longer normalized.
> 
> This is the pertinent output from debug mode.
> 
> converted data:
> 47 45 54 20 2F 63 67 69 2D 62 69 6E 25 32 2F 25  GET /cgi-bin%2/%
> 68 66 3F 51 61 6C 69 61 73 3D 61 6C 73 20 48 54  hf?Qalias=als HT
> 54 50 2F 31 2E 30 0D 0A                          TP/1.0..
> 
> --
> Brian Caswell
> The MITRE Corporation
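The failure Brian reports above is a percent-decoding step that stopped storing its converted byte, so "%2f%2e/%70hf" never became "/./phf" and neither "content" nor "uricontent" could match "phf". The following is an added example of that normalization step written for this post; it is not Snort's http_decode code. The function names, the 2048-byte scratch buffer and the collapsing of "/./" segments are assumptions, and the code deliberately leaves ".." segments and malformed "%XX" sequences untouched so the raw bytes stay visible to later matching.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hex digit to its value, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode the n bytes at `in` into `out` (capacity cap) and then
 * collapse "/./" self-reference segments in place.  Returns the normalized
 * length, or -1 if `out` is too small.  Malformed "%XX" sequences are copied
 * through unchanged; ".." segments are not resolved (assumption: the matcher
 * only needs the bytes the attacker hid behind encoding, not path semantics). */
int normalize_uri(const char *in, size_t n, char *out, size_t cap)
{
    size_t o = 0;

    /* Pass 1: percent decoding, one output byte per iteration. */
    for (size_t i = 0; i < n; ) {
        int c = (unsigned char)in[i];
        if (c == '%' && i + 2 < n) {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                c = (hi << 4) | lo;   /* the converted byte */
                i += 3;
            } else {
                i += 1;               /* not a valid escape: keep the '%' */
            }
        } else {
            i += 1;
        }
        if (o >= cap) return -1;
        out[o++] = (char)c;           /* the store whose loss left "%2/%hf" in the dump */
    }

    /* Pass 2: drop "/." when followed by '/' or at end of the URI. */
    size_t w = 0;
    for (size_t r = 0; r < o; ) {
        if (out[r] == '/' && r + 1 < o && out[r + 1] == '.' &&
            (r + 2 == o || out[r + 2] == '/')) {
            r += 2;                   /* skip "/.", the next '/' is kept */
            if (r == o) out[w++] = '/'; /* trailing "/." becomes "/" */
            continue;
        }
        out[w++] = out[r++];
    }
    if (w >= cap) return -1;
    out[w] = '\0';
    return (int)w;
}

/* Does the normalized form of `raw` contain `pat` (plen bytes)?  Uses memcmp
 * rather than strstr so a decoded "%00" does not end the search early. */
int uricontent_match(const char *raw, size_t n, const char *pat, size_t plen)
{
    char buf[2048];                   /* assumed scratch size for one URI */
    int len = normalize_uri(raw, n, buf, sizeof buf);
    if (len < 0 || plen == 0 || (size_t)len < plen) return 0;
    for (size_t i = 0; i + plen <= (size_t)len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

int main(void)
{
    /* The request line from the thread, constructed inline. */
    const char *req = "GET /cgi-bin%2f%2e/%70hf HTTP/1.0";
    char buf[256];
    int len = normalize_uri(req, strlen(req), buf, sizeof buf);
    printf("normalized (%d bytes): %s\n", len, buf);
    printf("uricontent \"phf\" matches: %d\n",
           uricontent_match(req, strlen(req), "phf", 3));
    return 0;
}
```

Running it prints the request line as "GET /cgi-bin/phf HTTP/1.0" and reports a match for "phf"; feeding it "/a%zz" or a truncated "/a%2" returns the input unchanged, which is the behaviour a detector wants when an encoding is malformed rather than merely unusual.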
