[Snort-devel] Patch for snort 2.8.3.1 - Decompressing Gziped HTTP responses

Breno Silva breno.silva at ...2499...
Thu Dec 25 08:32:14 EST 2008


Snort community,


I finished my patch for snort 2.8.3.1 that will decompress HTTP gzipped
responses. It will help us to detect HTTP client side exploits inside gzipped
connections.
I patched my snort sensors and it is working well at this moment. Hope we
have helped you to have this feature in the future.
I sent it to SourceFire VRT ( Alex and Matthew ), and probably the snort core
team already has this patch. I'm posting it here now for all the snort
developers.

I'm suggesting the following modifications:
- http_uncompress_gzip.h  :  here we have almost all functions to decompress
gzipped http packets
- snort_httpinspect.diff : our main code
- spp_httpinspect.diff and hi_include : we added gzip stats

I tested the code by exploiting a Windows box downloading a milw0rm client side
exploit:

  http://www.milw0rm.com/exploits/7477

The VRT rule (15126: rev 3) now works well against this kind of connection:

Dec 23 14:41:35 estreamerAgent snort: [1:15126:3] WEB-CLIENT Internet
Explorer nested span tag memory corruption attempt [Classification:
Attempted User Privilege Gain] [Priority: 1]: {TCP}
76.74.9.18:80 -> xxx.61.154.128:1263

And we check for gzipped stats:

HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                   0
    GET methods:                    2
    Headers extracted:              2
    Header Cookies extracted:       0
    Post parameters extracted:      0
    Unicode:                        0
*    Gziped Packets:                 1   *
    Double unicode:                 0
    Non-ASCII representable:        0
    Base 36:                        0
    Directory traversals:           0
    Extra slashes ("//"):           0
    Self-referencing paths ("./"):  0
    Total packets processed:        3

PS: Link with zlib to make it work.

Cheers,

Breno Silva
-------------- next part --------------
A non-text attachment was scrubbed...
Name: httpinspect_gzip_patch-snort_2.8.3.1.tar
Type: application/x-tar
Size: 20480 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20081225/1c1a7644/attachment.tar>
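To illustrate what the patch changes for a signature engine, here is an added example (mine, not the patch's C code and not part of the thread) that parses a constructed gzip-encoded HTTP response, inflates the body segment by segment as reassembled TCP data would arrive, and runs a hypothetical content match standing in for a rule's content option on both the raw and the decoded bytes; the 32-byte overlap, the segment size and the sample body are assumptions.

```python
import gzip
import re
import zlib

# Constructed sample response: a gzip-compressed body carrying a nested <span>
# construct (made up here, not the exploit referenced in the post).
BODY = b"<html><body><span><span>nested span</span></span></body></html>"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(BODY))

# Hypothetical content match, standing in for a rule's content/pcre option.
PATTERN = re.compile(rb"<span>\s*<span>", re.IGNORECASE)


def split_response(raw):
    """Return (lower-cased header dict, body bytes) for a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def inspect_response(raw, segment_size, pattern=PATTERN):
    """Feed the body in segment_size pieces (simulating reassembled TCP
    segments handed to the HTTP preprocessor) and report what matched."""
    headers, body = split_response(raw)
    gzipped = headers.get(b"content-encoding") == b"gzip"
    # Without decompression the match runs over the compressed bytes only.
    raw_hit = pattern.search(body) is not None
    # 16 + MAX_WBITS tells zlib to expect a gzip header, not raw deflate.
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS) if gzipped else None
    tail, hit, segments = b"", False, 0
    for i in range(0, len(body), segment_size):
        segments += 1
        chunk = body[i:i + segment_size]
        clear = inflater.decompress(chunk) if inflater else chunk
        window = tail + clear
        hit = hit or pattern.search(window) is not None
        tail = window[-32:]   # overlap so a match straddling segments is seen
    return {"gzipped": gzipped, "raw_match": raw_hit,
            "decoded_match": hit, "segments": segments}
```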