[Snort-devel] BUG: corner case involving http_cookie

Will Metcalf william.metcalf at ...2499...
Wed Mar 24 14:50:35 EDT 2010

You guy's may not care but I found this sort of interesting. From what
I have seen the way snort normally deals with invalid content/modifier
combinations is that if it will attempt to apply the specified modifer
to the last content match specified in the rule that it considers
valid.  If no previous content match it considers valid can be found
it errors out with some error like.... "please specify a content
match" or something.  With the exception of http_uri it appears as if
you wedge a uricontent match between http_* and valid previous content
match the keyword is simply ignored.  So while I realize there is no
valid use case here, this behavior is inconsistent with the way that
snort tries to silently fix typos.



#test 69 http_cookie. uricontent
#very odd the following sig fails if depth is used in combination with
a http_cookie modifer with uricontent wedged in-between.  If
http_cookie is moved to the other side of the uricontent match the sig
fires or if the depth/offset modifer is removed the sig fires. It
appears as if in this corner case http_cookie is ignored. This
behavior differs from most content modifiers as it is ignored instead
of applied to a valid previous match.
#file oisfsearchnums.pcap
#alert tcp any any -> any any (msg:"e6504ae48c99f09df7f58996aacbb6b0
with uricontent + http_cookie";
content:"e6504ae48c99f09df7f58996aacbb6b0"; offset:563; depth:32;
uricontent:"/index.php/component/search/index.php"; http_cookie;
classtype:bad-unknown; sid:69; rev:1;)

More information about the Snort-devel mailing list