[Snort-devel] Snort 184.108.40.206 Now Available
eoin.miller at ...3055...
Mon Nov 8 11:57:18 EST 2010
On 11/8/2010 4:45 PM, L0rd Ch0de1m0rt wrote:
> I am still experiencing HTTP stream reassembly issues when trying to
> match across multiple fragmented packets with snort 220.127.116.11.
> Specifically, this happens on a HTTP POST where the headers are in a
> different packet than the POST data. Consider the following rule you
> can use along with scapy to reproduce if you want:
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Incoming German POST
> to Batman"; flow:established,to_server; content:"POST"; http_method;
> uricontent:"/batcave/"; uricontent:"unicorns4sourcefire"; content:"|0d
> 0a|Accept-Language: de"; nocase; http_header; content:!"|0d 0a 0d
> 0a|not4batman=true&"; content:!"\; batsecret=sesstoken4robin";
> http_cookie; classtype:trojan-activity; sid:8008135; rev:17;)
> It alerts (b/c all the URI and HTTP header stuffs match in the initial
> packet) but it shouldn't alert b/c the HTTP POST data starts with
> 'not4batman=true&' (but the POST data is in a subsequent packet than
> the one containing the headers).
> Anyone else still having issues or have done more in-depth testing
> with 18.104.22.168 and the HTTP pre-processor?
> -L0rd C.
It was reported a while back by myself directly to SourceFire in late
August. I provided some PCAP's a few times and I am pretty sure they are
aware of the issue and are working to resolve it. They have fixed tons
of other stuff that really helps everyone out and I'm sure a fix for
this will surface into the publicly released source eventually. It
appears that the buffers created by the http_inspect preprocessor only
work at frame level instead of at the stream level. I finally put up a
blog post about it in late September here:
This is especially bad if you are using rules to block access to certain
domain names in the http_header buffer when the http_uri is very long
and the client is using MSIE as that puts the Host header entry at the
bottom of the http_header. Requests like this are very likely to exceed
the standard size MTU and get split across multiple frames. There should
be some chatter on the Snort lists from myself and some of the
dev/support guys recently as well.
More information about the Snort-devel