[Snort-devel] http_gunzip preprocessor
gulfie at ...2843...
Tue Jan 3 13:15:08 EST 2006
On Tue, Jan 03, 2006 at 02:06:06PM -0500, Marc Norton wrote:
> Chris Sherwin of the Sourcefire-Snort Team is currently working on a
> pretty significant upgrade to http inspect. We're interested in talking
> about what specifically you're looking for from this feature to build out
> the feature definition and requirements to make a determination of whether
> we think we should implement it.
WMF can travel over more than http or gzipped http. pop/imap/smtp being
a few good vectors. Is the plan to let libclamav catch these?
> This is a pretty cpu intensive task so
> we'd have to figure out how it helps and whom it helps. Many situations
> with high bandwidth networks could not even turn this on, so we have to
> examine all of the issues. Is there a difference in need between
> inline and pure ids mode ? Does it only make sense if we have hardware
> acceleration ? etc...
There will be a large difference between inline / passive. When the
passive IDS starts dropping packets, the state requirements will explode just
like when the flow table fills up. This is the fault of dropping
packets and divergent state, not any new processor. Alerts cause many of
the same problems, yet we wouldn't want to not have alerts.
Good luck to you and Chris on whatever path is chosen.
> Will Metcalf wrote:
> >Shouldn't be too hard to write, I would also like to see the preproc
> >split out the actual payload from the http header stuff. I'll look
> >into it, I promise nothing as I'm pretty busy these days.
> >On 1/2/06, Frank Knobbe <frank at ...2134...> wrote:
> >>the third version of the metasploit for the WMF issue is capable of
> >>gzipped HTTP responses. Any attack (and I have caught a few in the past)
> >>that runs over compressed HTTP responses is not detected by Snort.
> >>While a gunzip implementation in the http_inspect preprocessor is
> >>certainly harmful to performance, I believe the capability should be
> >>added nevertheless so that the user may enable it in times when it is
> >>needed. Currently, with the next, still unpatched WMF exploits using
> >>compressed HTTP, this capability is absolutely essential. Without it,
> >>Snort cannot compete against other IDS systems that support
> >>decompression of gzipped HTTP traffic.
> >>So my question to the developers is: Will Snort receive this capability
> >>any time soon? Is anyone working on an http_inspect_gunzip preprocessor?
> >>It is said that the Internet is a public utility. As such, it is best
> >>compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> >>against your ports.
> >Snort-devel mailing list
> >Snort-devel at lists.sourceforge.net
> Marc Norton Snort Team Lead
> Sourcefire,Inc 410-423-1924
> www.snort.org www.sourcefire.com
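Added example, not from this thread and not Snort's http_inspect code: a small Python sketch of why a plain content match misses a gzip-encoded response body, what a Content-Encoding-aware check has to do before matching, and a cap on inflated size that bounds the CPU and memory cost Marc raises. SIGNATURE, MAX_INFLATED and the HTTP responses are all constructed here.

```python
import gzip
import zlib
# Constructed stand-in for a rule's content match; not a real WMF signature.
SIGNATURE = b"MARKER-PAYLOAD"
MAX_INFLATED = 1 << 20  # cap on inflated bytes per response: bounds CPU/memory per stream

def split_response(raw: bytes):
    """Split an HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def inflate_body(headers: dict, body: bytes) -> bytes:
    """Return the body as the browser sees it; only gzip encoding handled here."""
    if headers.get(b"content-encoding") != b"gzip":
        return body
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects the gzip wrapper
    out = d.decompress(body, MAX_INFLATED)        # stop inflating at the cap
    if d.unconsumed_tail:                          # hit the cap with input left over
        raise ValueError("inflated body exceeds MAX_INFLATED")
    return out

def matches_raw(raw: bytes) -> bool:
    return SIGNATURE in split_response(raw)[1]     # what a match sees on the wire

def matches_inflated(raw: bytes) -> bool:
    headers, body = split_response(raw)            # match after inflation
    return SIGNATURE in inflate_body(headers, body)

def exceeds_cap(raw: bytes) -> bool:
    try:                                           # True if inflation was refused
        matches_inflated(raw)
        return False
    except ValueError:
        return True

def build_response(body: bytes, gzipped: bool) -> bytes:
    """Constructed HTTP/1.1 response carrying `body`, optionally gzip-encoded."""
    enc = b""
    if gzipped:
        body, enc = gzip.compress(body), b"Content-Encoding: gzip\r\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: image/x-wmf\r\n" + enc
            + b"Content-Length: %d\r\n\r\n" % len(body) + body)

PAYLOAD = b"A" * 64 + SIGNATURE + b"B" * 64       # constructed sample body
PLAIN = build_response(PAYLOAD, gzipped=False)
GZIPPED = build_response(PAYLOAD, gzipped=True)
```

matches_raw finds the marker in PLAIN but not in GZIPPED, since deflate's Huffman coding leaves no literal copy of it on the wire; matches_inflated finds both, and a body that inflates past MAX_INFLATED is refused rather than inflated without bound.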