[Snort-devel] Falses on 2011032/ET SCAN HTTP POST invalid method case?

Packet Hack pckthck at ...2499...
Thu Mar 22 09:32:33 EDT 2012


I seem to be getting falses on this where the HTTP headers
are not present, but a non-all-upcase 'post' appears in the
body.

1) I would think that a 'post' not at the beginning of the packet
  wouldn't get flagged as an HTTP method

2) I'm doing load-balancing with the PF_RING DAQ and I
   was wondering if perhaps that would chop up the flows
   so different snort processes would get chunks from the
   same TCP stream, so the snort process that received this
   packet wouldn't know it wasn't the first packet in the stream.
   However, I'm also seeing this on a non-PF_RING-enabled
   host.

Snort info:

 - version 2.9.2.1

 - configure flags: CFLAGS="-O2 -I/opt/local/include"
   LDFLAGS="-L/opt/local/lib -Wl,-rpath=/opt/local/lib" ./configure
   --prefix=/opt/pf --enable-ipv6 --enable-zlib --enable-reload
   --enable-flexresp3  --with-libpfring-includes=/opt/local/include
   --with-libpfring-libraries=/opt/local/lib --enable-perfprofiling

 - 1 PFRING-enabled sensor:
    uname -a:
      Linux <server name>
      2.6.38-13-server #52-Ubuntu SMP Tue Nov 8 17:11:08 UTC 2011
      x86_64 x86_64 x86_64 GNU/Linux
    CL:
      /opt/local/bin/snort -i eth5 --daq-dir=/opt/local/lib/daq --daq
      pfring --daq-var clusterid=44 --daq-var bindcpu=3
      -c /etc/snort/ufirt-snort-pf-ewan.conf -l /var/log/snort3 -R 3
    Rules: 2865 ET and local rules

 - 1 non-PFRING-enabled sensor:
    uname -a:
      Linux <server name> 2.6.32-33-server #72-Ubuntu SMP
      Fri Jul 29 21:21:55 UTC 2011 x86_64 GNU/Linux
    CL:
      /opt/local/bin/snort -D -i eth1 --daq-dir=/opt/local/lib/daq --daq pcap
      --daq-var clusterid=44 --daq-var bindcpu=1
      -c /etc/snort/ufirt-snort-pf.conf -l /var/log/snort1 -R 1
    Rules: 3452 ET and local rules

Offending rule:

 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN
 HTTP POST invalid method case"; flow:established,to_server;
 content:"post"; http_method; nocase; content:!"POST"; http_method;
 reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
 reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown;
 sid:2011032; rev:4;)

Actual text has been replaced with "<text>".

Please let me know if you need anything else.

-- pckthck

-------------------- Payloads --------------------

ET SCAN HTTP POST invalid method case

   <text>

   ------WebKitFormBoundaryPDAhvzaUEdiWukiR
   Content-Disposition: form-data; name="format"

   1
   ------WebKitFormBoundaryPDAhvzaUEdiWukiR
   Content-Disposition: form-data; name="subscribe"

   1
   ------WebKitFormBoundaryPDAhvzaUEdiWukiR
   Content-Disposition: form-data; name="attachment"; filename=""


   ------WebKitFormBoundaryPDAhvzaUEdiWukiR
   Content-Disposition: form-data; name="submitbutton"

   Post to forum
   ------WebKitFormBoundaryPDAhvzaUEdiWukiR--

ET SCAN HTTP POST invalid method case

   Post to forum
   ------WebKitFormBoundarynriRWnylbxwtaofB--

ET SCAN HTTP POST invalid method case

   77098235644401115438165
   Content-Disposition: form-data; name="message"

   <text>
   -----------------------------20072377098235644401115438165
   Content-Disposition: form-data; name="format"

   1
   -----------------------------20072377098235644401115438165
   Content-Disposition: form-data; name="subscribe"

   0
   -----------------------------20072377098235644401115438165
   Content-Disposition: form-data; name="attachment"; filename=""
   Content-Type: application/octet-stream


   -----------------------------20072377098235644401115438165
   Content-Disposition: form-data; name="submitbutton"

   Post to forum
   -----------------------------20072377098235644401115438165--

ET SCAN HTTP POST invalid method case

   4414578508781458777923
   Content-Disposition: form-data; name="menu-item-description[44]"


   -----------------------------10102754414578508781458777923
   Content-Disposition: form-data; name="menu-item-db-id[44]"

   44
   -----------------------------10102754414578508781458777923
   Content-Disposition: form-data; name="menu-item-object-id[44]"

   43
   -----------------------------10102754414578508781458777923
   Content-Disposition: form-data; name="menu-item-object[44]"

   page
   -----------------------------10102754414578508781458777923
   Content-Disposition: form-data; name="menu-item-parent-id[44]"

   0
   -----------------------------10102754414578508781458777923
   Content-Disposition: form-data; name="menu-item-position[44]"

   3
   -----------------------------10102754414578508781458777923
   Content-Disposition: form-data; name="menu-item-type[44]"

   post_type
   -----------------------------10102754414578508781458777923
   Content-Disposition: form-data; name="save_menu"

   Save Menu
   -----------------------------10102754414578508781458777923
   Content-Disposition: form-data; name="menu-locations[primary]"

   3
   -----------------------------10102754414578508781458777923--

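Added illustration, not part of the original post and not Snort's http_inspect or Emerging Threats code: a small Python model of what sid:2011032's two `http_method` checks match, run against constructed samples shaped like the captures above (the post redacts its real captures). It compares two candidate choices of inspection buffer, the method token of a parsed request line versus, as a hypothetical fallback when no request line is present, the raw payload, and includes the triage check a sensor operator would want: does the alerting packet actually begin with an HTTP request line? Which buffer the sensor really used is the question the post raises; the model only shows which choice reproduces the reported behaviour.

```python
import re

# Constructed samples (labelled as such; not captures from the post).
REQUEST_OK = (
    b"POST /forum/post.php HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n"
    b"--XYZ\r\nContent-Disposition: form-data; name=\"submitbutton\"\r\n\r\n"
    b"Post to forum\r\n--XYZ--\r\n"
)
# A genuine invalid-method-case request: the thing the rule is meant to catch.
REQUEST_BAD_CASE = b"Post /forum/post.php HTTP/1.1\r\nHost: example.test\r\n\r\n"
# Body-only chunks, as seen mid-stream when the request line is in an earlier
# segment the inspecting process never saw (the post's hypothesis).
MID_STREAM_CHUNK = b"Post to forum\r\n------WebKitFormBoundaryAAAA--\r\n"
MID_STREAM_CHUNK2 = (
    b"Content-Disposition: form-data; name=\"menu-item-type[44]\"\r\n\r\n"
    b"post_type\r\n"
)

# Request line per RFC 2616: METHOD SP Request-URI SP HTTP-Version CRLF.
REQUEST_LINE = re.compile(rb"\A([A-Za-z]+) \S+ HTTP/\d\.\d\r?\n")


def method_from_request_line(buf: bytes):
    """Return the method token if the buffer starts with a request line."""
    m = REQUEST_LINE.match(buf)
    return m.group(1) if m else None


def method_buffer(buf: bytes, fallback_to_payload: bool):
    """Select what the http_method modifier would examine.

    Parsed request line -> its method token. No request line -> None in the
    strict model, or the raw payload under the hypothetical fallback model.
    """
    method = method_from_request_line(buf)
    if method is not None:
        return method
    return buf if fallback_to_payload else None


def sid_2011032(buf: bytes, fallback_to_payload: bool = False) -> bool:
    """Model of:  content:"post"; http_method; nocase;
                  content:!"POST"; http_method;
    i.e. 'post' present case-insensitively AND 'POST' absent case-sensitively,
    both evaluated against the selected method buffer."""
    target = method_buffer(buf, fallback_to_payload)
    if target is None:
        return False
    return b"post" in target.lower() and b"POST" not in target


def starts_with_request_line(buf: bytes) -> bool:
    """Triage check for an alerting packet: a true positive for this rule must
    begin with a request line; a body-only chunk cannot be a method match."""
    return method_from_request_line(buf) is not None


if __name__ == "__main__":
    samples = {
        "REQUEST_OK": REQUEST_OK,
        "REQUEST_BAD_CASE": REQUEST_BAD_CASE,
        "MID_STREAM_CHUNK": MID_STREAM_CHUNK,
        "MID_STREAM_CHUNK2": MID_STREAM_CHUNK2,
    }
    for name, buf in samples.items():
        print(f"{name:18} request_line={starts_with_request_line(buf)!s:5} "
              f"strict={sid_2011032(buf)!s:5} "
              f"payload_fallback={sid_2011032(buf, True)}")
```

Under the strict model only REQUEST_BAD_CASE alerts; under the payload-fallback model every body chunk that happens to contain a mixed- or lower-case "post" (the submit button text, the `post_type` field) alerts too, which is the pattern the four captures above share. Running `starts_with_request_line` over the alerting packets is the quickest way to tell the two situations apart before blaming load balancing.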


