[Snort-devel] NOT content and uricontent="?..." problems in Snort 2.0

Radek Mista radek at ...63...
Tue Mar 4 15:48:14 EST 2003


I ran both, Snort 1.9.0 and Snort 2.0 with http_decode on (preprocessor 
http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash 
full_whitespace). Just to make sure I changed "uricontent" keyword in the 
rule that triggered the alert to "content" and both Snort 1.9.0 and Snort 2.0 
generated alerts. Maybe there are some problems with the "uricontent" 
keyword? 

Thanks,

Radek


On Tuesday 04 March 2003 06:20 am, Daniel Roelker wrote:
> I haven't looked in depth at this, but what seems to be interesting here is
> that the question marks are encoded as %3F and if you don't have
> http_decode on then this won't alert.  Also, if you are using http_decode
> then make sure that you don't stop decoding at the parameter delimiter, and
> obviously make sure that you have ascii decoding turned on.  If that
> doesn't work, then let me know.
>
> Dan
>
> On 3/3/03 7:04 PM, "Radek Mista" <radek at ...63...> wrote:
> > Thanks for your help. Indeed #1 occurred because of the "within" keyword
> > (it seems that Snort 1.9 build 209 calculates the offset for "within"
> > from the beginning of a packet, and Snort 2.0 build 53 from the position
> > of last occurrence of string specified in previous content=<string>).
> >
> > For #2 the following is a sample packet payload (with the header data cut
> > off). Snort 1.9.0 build 209 alerted on it, and Snort 2.0 build 53 did
> > not.
> >
> > 0x0030   0000 0000 4745 5420 2f73 6372 6970 7473        ....GET./scripts
> > 0x0040   2f63 6d73 2f43 6d73 496e 6974 2e41 5350        /cms/CmsInit.ASP
> > 0x0050   3f49 443d 3230 3031 3031 2644 323d 2533        ?ID=200101&D2=%3
> > 0x0060   4625 3346 2533 4625 3346 2533 4625 3346        F%3F%3F%3F%3F%3F
> > 0x0070   2533 4625 3346 454a 2534 3025 3346 2533        %3F%3FEJ%40%3F%3
> > 0x0080   4625 3346 2533 4625 3346 2533 4625 3346        F%3F%3F%3F%3F%3F
> > 0x0090   2533 4625 3346 2533 4625 3346 2533 4625        %3F%3F%3F%3F%3F%
> > 0x00a0   3346 2533 4626 4157 3d32 3533 264c 563d        3F%3F&AW=253&LV=
> > 0x00b0   3332 3130 2643 553d 3932 3332 3420 4854        3210&CU=92324.HT
> > 0x00c0   5450 2f31 2e30 0d0a 4163 6365 7074 3a20        TP/1.0..Accept:.
> > 0x00d0   696d 6167 652f 6769 662c 2069 6d61 6765        image/gif,.image
> > 0x00e0   2f78 2d77 696e 646f 7773 2d62 6d70 2c20        /x-windows-bmp,.
> > 0x00f0   696d 6167 652f 6a70 6567 2c20 6170 706c        image/jpeg,.appl
> > 0x0100   6963 6174 696f 6e2f 782d 6874 6d6c 2c20        ication/x-html,.
> > 0x0110   2a2f 2a0d 0a41 6363 6570 742d 4c61 6e67        */*..Accept-Lang
> > 0x0120   7561 6765 3a20 656e 0d0a 5573 6572 2d41        uage:.en..User-A
> > 0x0130   6765 6e74 3a20 4d6f 7a69 6c6c 612f 342e        gent:.Mozilla/4.
> > 0x0140   3020 2863 6f6d 7061 7469 626c 653b 204d        0.(compatible;.M
> > 0x0150   5349 4520 362e 303b 2057 696e 646f 7773        SIE.6.0;.Windows
> > 0x0160   2039 383b 2057 696e 646f 7773 2039 7820        .98;.Windows.9x.
> >
> > Snort 1.9.0 alert:
> > [**] [1:1091:6] WEB-MISC ICQ Webfront HTTP DOS [**]
> > [Classification: Web Application Attack] [Priority: 1]
> > 05/24-15:47:18.506128 X.X.X.X:3174 -> Y.Y.Y.Y:80
> > TCP TTL:127 TOS:0x0 ID:18235 IpLen:20 DgmLen:362 DF
> > ***AP*** Seq: 0xF8B60859  Ack: 0xEF4FCFBD  Win: 0x4470  TcpLen: 20
> >
> > Triggered by the following rule:
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> > ICQ Webfront HTTP DOS"; flow:to_server,established;
> > uricontent:"??????????"; classtype:web-application-attack; sid:1091;
> > rev:6;)
> >
> >
> > Thanks,
> >
> > Radek
> >
> > On Monday 03 March 2003 06:07 am, Daniel Roelker wrote:
> >> I tried to reproduce #2, but works fine for me.  Also, for #1 we will
> >> need more information like build numbers for 1.9 and 2.0, because the
> >> rule you are using includes a within: keyword and there has been some
> >> changes to this code recently, so I think the discrepancy may be in
> >> there.
> >>
> >> Feel free to send packet dumps of these problems, so we can verify them.
> >>
> >> Thanks.
> >>
> >> Dan
> >>
> >> On 2/27/03 5:34 PM, "Radek Mista" <radek at ...63...> wrote:
> >>> Hello,
> >>>
> >>> I've been running comparison tests between Snort 1.9 and Snort 2.0 and
> >>> I noticed a couple of problems with Snort 2.0.
> >>>
> >>> 1)  Snort 2.0 did not alert on any rules with NOT content
> >>> (content:!"string"). For example, when run on the same data, Snort 1.9
> >>> reported the following:
> >>>
> >>> [**] [1:1734:6] FTP USER overflow attempt [**]
> >>> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> >>> 05/24-15:38:30.926650 X.X.X.X:61292 -> Y.Y.Y.Y:21
> >>> TCP TTL:126 TOS:0x0 ID:6247 IpLen:20 DgmLen:51 DF
> >>> ***AP*** Seq: 0x859EBD72  Ack: 0xE52E3E23  Win: 0x443F  TcpLen: 20
> >>>
> >>> Triggered by the following rule:
> >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow
> >>> attempt"; flow:to_server,established,no_stream;  content:"USER ";
> >>> nocase; content:!"|0a|"; within:100; reference:bugtraq,4638;
> >>> reference:cve,CAN-2000-0479; classtype:attempted-admin; sid:1734;
> >>> rev:6;)
> >>>
> >>> Whereas Snort 2.0 did not report anything.
> >>>
> >>>
> >>> 2) Snort 2.0 did not report any rules with the question mark (?) as
> >>> the first character of uricontent.  For example, when run on the same
> >>> data, Snort 1.9 reported the following:
> >>>
> >>> [**] [1:1091:6] WEB-MISC ICQ Webfront HTTP DOS [**]
> >>> [Classification: Web Application Attack] [Priority: 1]
> >>> 05/24-15:47:18.506128 X.X.X.X:3174 -> Y.Y.Y.Y:80
> >>> TCP TTL:127 TOS:0x0 ID:18235 IpLen:20 DgmLen:362 DF
> >>> ***AP*** Seq: 0xF8B60859  Ack: 0xEF4FCFBD  Win: 0x4470  TcpLen: 20
> >>>
> >>> Triggered by the following rule:
> >>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> >>> ICQ Webfront HTTP DOS"; flow:to_server,established;
> >>> uricontent:"??????????"; classtype:web-application-attack; sid:1091;
> >>> rev:6;)
> >>>
> >>> There was no alert coming from Snort 2.0.
> >>>
> >>> I was wondering if anybody experienced similar problems and if somebody
> >>> is working on fixes.
> >>>
> >>> Thanks,
> >>>
> >>> Radek
> >>>
> >>>
> >>> _______________________________________________
> >>> Snort-devel mailing list
> >>> Snort-devel at lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/snort-devel
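The following is an added example, not Snort source and not code posted by anyone in this thread. It is a toy model of the two rule options the thread turns on: the sid:1091 uricontent match, which only sees ten literal question marks once the %3F sequences in the query string have been ASCII-decoded (and not if the decoder stops at the parameter delimiter, as Dan warns), and the sid:1734 negated content with within:100, evaluated with the Snort 2.x semantics of within as a window counted from the end of the previous content match. The request-URI is transcribed from the hex dump in the thread; the FTP payloads and the helper names (normalize_uri, sid_1091_fires, sid_1734_fires, content_not_within) are constructed here for illustration.

```python
"""Toy model of the two Snort rule options argued over in the thread.

Added example: not Snort source, not code posted on the list.  Rule
semantics are paraphrased from the Snort manual as understood here; the
URI is transcribed from the hex dump; the FTP payloads are constructed.
"""
import re

# Request-URI transcribed from the hex dump in the thread (request line only):
# 8 encoded '?' before "EJ%40", 14 after it, and one literal '?' in the path.
SAMPLE_URI = (
    "/scripts/cms/CmsInit.ASP?ID=200101&D2="
    + "%3F" * 8 + "EJ%40" + "%3F" * 14
    + "&AW=253&LV=3210&CU=92324"
)

# sid:1091 looks for ten consecutive literal question marks in the URI.
SID_1091_PATTERN = "?" * 10

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize_uri(raw: str, decode_query: bool = True, passes: int = 1) -> str:
    """Plain ASCII %xx decoding, the part of http_decode this thread hinges on.

    decode_query=False models a decoder that stops at the parameter delimiter
    ('?') and leaves the query string encoded.  passes=2 models double_encode
    (a second pass turns %253F -> %3F -> '?').  %u/unicode forms are out of
    scope for this toy.
    """
    if decode_query:
        head, sep, tail = raw, "", ""
    else:
        head, sep, tail = raw.partition("?")
    for _ in range(passes):
        head = _PCT.sub(lambda m: chr(int(m.group(1), 16)), head)
    return head + sep + tail


def uricontent_match(uri: str, pattern: str) -> bool:
    """uricontent: a literal substring test over the *normalized* URI."""
    return pattern in uri


def sid_1091_fires(raw_uri: str, http_decode: bool, decode_query: bool = True) -> bool:
    """Would sid:1091 alert on this request-URI under the given decoder setup?"""
    uri = normalize_uri(raw_uri, decode_query) if http_decode else raw_uri
    return uricontent_match(uri, SID_1091_PATTERN)


def content_not_within(payload: bytes, anchor: bytes, negated: bytes,
                       within: int, nocase: bool = True) -> bool:
    """Evaluate `content:anchor; [nocase;] content:!negated; within:N;`.

    Snort 2.x counts `within` from the end of the previous content match:
    the rule fires if `anchor` is found and the N bytes following it contain
    no occurrence of `negated`.  A window running past the end of the
    payload is truncated, so a short packet with no newline after "USER "
    still fires.
    """
    hay = payload.lower() if nocase else payload
    needle = anchor.lower() if nocase else anchor
    pos = hay.find(needle)
    if pos < 0:
        return False
    start = pos + len(anchor)
    return negated not in payload[start:start + within]


def sid_1734_fires(payload: bytes) -> bool:
    """content:"USER "; nocase; content:!"|0a|"; within:100;"""
    return content_not_within(payload, b"USER ", b"\n", 100)


if __name__ == "__main__":
    for http_decode, decode_query in ((False, True), (True, False), (True, True)):
        print("sid:1091 http_decode=%-5s decode_query=%-5s -> %s"
              % (http_decode, decode_query,
                 sid_1091_fires(SAMPLE_URI, http_decode, decode_query)))
    # Constructed FTP payloads, not from the thread's capture.
    for p in (b"USER anonymous\r\n", b"user " + b"A" * 150 + b"\n", b"USER abcde"):
        print("sid:1734 %-16r -> %s" % (p[:12], sid_1734_fires(p)))
```

Running it shows sid:1091 silent on the raw URI and on a URI decoded only up to the '?', and firing once the query string is decoded too, because the run of fourteen %3F after EJ%40 becomes fourteen literal question marks. The same engine can be pointed at the double_encode case by passing passes=2 to normalize_uri.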