[Snort-devel] Falses on 2011032/ET SCAN HTTP POST invalid method case?

livio Ricciulli livio at ...3255...
Thu Mar 22 16:02:38 EDT 2012


PF_RING hashes the packet header and load balances according to the
5-tuple. I do not think PF_RING is causing this issue. If it was,
nothing else would work.

On 03/22/2012 06:32 AM, Packet Hack wrote:
> I seem to be getting falses on this where the HTTP headers
> are not present, but a non-all-upcase 'post' appears in the
> body.
>
> 1) I would think that a 'post' not at the beginning of the packet
>    wouldn't get flagged as an HTTP method
>
> 2) I'm doing load-balancing with the PF_RING DAQ and I
>     was wondering if perhaps that would chop up the flows
>     so different snort processes would get chunks from the
>     same TCP stream, so the snort process that received this
>     packet wouldn't know it wasn't the first packet in the stream.
>     However, I'm also seeing this on a non-PF_RING-enabled
>     host.
>
> Snort info:
>
>   - version 2.9.2.1
>
>   - configure flags: CFLAGS="-O2 -I/opt/local/include"
>     LDFLAGS="-L/opt/local/lib -Wl,-rpath=/opt/local/lib" ./configure
>     --prefix=/opt/pf --enable-ipv6 --enable-zlib --enable-reload
>     --enable-flexresp3  --with-libpfring-includes=/opt/local/include
>     --with-libpfring-libraries=/opt/local/lib --enable-perfprofiling
>
>   - 1 PFRING-enabled sensor:
>      uname -a:
>        Linux <server name>
>        2.6.38-13-server #52-Ubuntu SMP Tue Nov 8 17:11:08 UTC 2011
>        x86_64 x86_64 x86_64 GNU/Linux
>      CL:
>        /opt/local/bin/snort -i eth5 --daq-dir=/opt/local/lib/daq --daq
>        pfring --daq-var clusterid=44 --daq-var bindcpu=3
>        -c /etc/snort/ufirt-snort-pf-ewan.conf -l /var/log/snort3 -R 3
>      Rules: 2865 ET and local rules
>
>   - 1 non-PFRING-enabled sensor:
>      uname -a:
>        Linux <server name> 2.6.32-33-server #72-Ubuntu SMP
>        Fri Jul 29 21:21:55 UTC 2011 x86_64 GNU/Linux
>      CL:
>        /opt/local/bin/snort -D -i eth1 --daq-dir=/opt/local/lib/daq --daq pcap
>        --daq-var clusterid=44 --daq-var bindcpu=1
>        -c /etc/snort/ufirt-snort-pf.conf -l /var/log/snort1 -R 1
>      Rules: 3452 ET and local rules
>
> Offending rule:
>
>   alert tcp $EXTERNAL_NET any ->  $HOME_NET $HTTP_PORTS (msg:"ET SCAN
>   HTTP POST invalid method case"; flow:established,to_server;
>   content:"post"; http_method; nocase; content:!"POST"; http_method;
>   reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
>   reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown;
>   sid:2011032; rev:4;)
>
> Actual text has been replaced with "<text>" .
>
> Please let me know if you need anything else.
>
> -- pckthck
>
> -------------------- Payloads --------------------
>
> ET SCAN HTTP POST invalid method case
>
>     <text>
>
>     ------WebKitFormBoundaryPDAhvzaUEdiWukiR
>     Content-Disposition: form-data; name="format"
>
>     1
>     ------WebKitFormBoundaryPDAhvzaUEdiWukiR
>     Content-Disposition: form-data; name="subscribe"
>
>     1
>     ------WebKitFormBoundaryPDAhvzaUEdiWukiR
>     Content-Disposition: form-data; name="attachment"; filename=""
>
>
>     ------WebKitFormBoundaryPDAhvzaUEdiWukiR
>     Content-Disposition: form-data; name="submitbutton"
>
>     Post to forum
>     ------WebKitFormBoundaryPDAhvzaUEdiWukiR--
>
> ET SCAN HTTP POST invalid method case
>
>     Post to forum
>     ------WebKitFormBoundarynriRWnylbxwtaofB--
>
> ET SCAN HTTP POST invalid method case
>
>     77098235644401115438165
>     Content-Disposition: form-data; name="message"
>
>     <text>
>     -----------------------------20072377098235644401115438165
>     Content-Disposition: form-data; name="format"
>
>     1
>     -----------------------------20072377098235644401115438165
>     Content-Disposition: form-data; name="subscribe"
>
>     0
>     -----------------------------20072377098235644401115438165
>     Content-Disposition: form-data; name="attachment"; filename=""
>     Content-Type: application/octet-stream
>
>
>     -----------------------------20072377098235644401115438165
>     Content-Disposition: form-data; name="submitbutton"
>
>     Post to forum
>     -----------------------------20072377098235644401115438165--
>
> ET SCAN HTTP POST invalid method case
>
>     4414578508781458777923
>     Content-Disposition: form-data; name="menu-item-description[44]"
>
>
>     -----------------------------10102754414578508781458777923
>     Content-Disposition: form-data; name="menu-item-db-id[44]"
>
>     44
>     -----------------------------10102754414578508781458777923
>     Content-Disposition: form-data; name="menu-item-object-id[44]"
>
>     43
>     -----------------------------10102754414578508781458777923
>     Content-Disposition: form-data; name="menu-item-object[44]"
>
>     page
>     -----------------------------10102754414578508781458777923
>     Content-Disposition: form-data; name="menu-item-parent-id[44]"
>
>     0
>     -----------------------------10102754414578508781458777923
>     Content-Disposition: form-data; name="menu-item-position[44]"
>
>     3
>     -----------------------------10102754414578508781458777923
>     Content-Disposition: form-data; name="menu-item-type[44]"
>
>     post_type
>     -----------------------------10102754414578508781458777923
>     Content-Disposition: form-data; name="save_menu"
>
>     Save Menu
>     -----------------------------10102754414578508781458777923
>     Content-Disposition: form-data; name="menu-locations[primary]"
>
>     3
>     -----------------------------10102754414578508781458777923--
>
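The following is an added illustration, not code from the thread or from Snort, of what sid:2011032 is meant to catch (a request whose method token is "post" in the wrong case) versus what a bare `content:"post"; nocase;` without the `http_method` buffer would match. It models the rule's intent with a request-line regex and does not reproduce Snort's HTTP inspector, stream reassembly or DAQ behaviour. The payloads are constructed to resemble the samples in the report, including a multipart body fragment that carries "Post to forum" but no request line at all.

```python
"""Model of sid:2011032's intent versus a naive substring match, run over
constructed payloads shaped like the ones reported in the thread.
Added illustration; it is not Snort's HTTP inspector."""
import re

# Request line per RFC 2616: Method SP Request-URI SP HTTP-Version CRLF
_REQUEST_LINE = re.compile(rb"^([A-Za-z]+) [^ \r\n]+ HTTP/\d\.\d\r?\n")


def http_method(payload: bytes):
    """Return the method token if the payload starts with an HTTP request
    line, else None.  A body fragment arriving mid-stream has none."""
    m = _REQUEST_LINE.match(payload)
    return m.group(1) if m else None


def invalid_post_case(payload: bytes) -> bool:
    """Intent of sid:2011032: the method equals 'post' ignoring case but is
    not the exact upper-case token 'POST'."""
    method = http_method(payload)
    return method is not None and method.upper() == b"POST" and method != b"POST"


def naive_nocase_post(payload: bytes) -> bool:
    """What content:"post"; nocase; content:!"POST"; would do if the matches
    were not confined to the method buffer: fire on 'post' anywhere in the
    packet as long as upper-case 'POST' is absent."""
    return b"post" in payload.lower() and b"POST" not in payload


# Constructed samples (not captures from the thread).
SAMPLES = {
    "proper POST":    b"POST /forum/post.php HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "lowercase post": b"post /forum/post.php HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "mixed Post":     b"Post /forum/post.php HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Mid-stream chunk of a multipart body: no request line, just form data.
    "body chunk": (b"Content-Disposition: form-data; name=\"submitbutton\"\r\n\r\n"
                   b"Post to forum\r\n------WebKitFormBoundaryXXXX--\r\n"),
}


def evaluate(samples=SAMPLES):
    """Map sample name -> (fires under the rule's intent, fires naively)."""
    return {name: (invalid_post_case(p), naive_nocase_post(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (strict, naive) in evaluate().items():
        print(f"{name:15s} rule-intent={str(strict):5s} naive-substring={naive}")
```

The "body chunk" row is the interesting one: under the rule's intent it does not fire because there is no method at all, while the naive substring logic fires on the form's "Post to forum" button label. Whichever inspection path produced the reported alerts, that is the distinction to verify on the sensor (for example by replaying the offending packets with the rule's `http_method` modifiers present and absent).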
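To make the load-balancing point concrete, here is an added example (not PF_RING's code, and not from the thread) of flow-consistent 5-tuple hashing. The hash itself is a generic symmetric CRC32 over canonically ordered endpoints, chosen only so that the property is easy to check; the addresses and ports are constructed. It shows why a packet in the middle of a TCP stream reaches the same worker that saw the stream's start, in both directions, and why a per-direction key would not give that guarantee.

```python
"""Flow-consistent (5-tuple) load balancing, illustrated.  Every packet of
one TCP connection, in either direction, maps to the same worker, so the
worker that gets a mid-stream segment also saw the request line.
Added example with a generic symmetric hash; not PF_RING's cluster code."""
import ipaddress
import zlib
from typing import NamedTuple


class FiveTuple(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int  # 6 = TCP


def directional_flow_key(t: FiveTuple) -> bytes:
    """Key that depends on packet direction: A->B and B->A differ."""
    return b"%s:%d>%s:%d/%d" % (t.src.encode(), t.sport,
                                t.dst.encode(), t.dport, t.proto)


def symmetric_flow_key(t: FiveTuple) -> bytes:
    """Order the two endpoints canonically so A->B and B->A share a key."""
    a = (int(ipaddress.ip_address(t.src)), t.sport)
    b = (int(ipaddress.ip_address(t.dst)), t.dport)
    lo, hi = sorted((a, b))
    return b"%d:%d:%d:%d:%d" % (lo[0], lo[1], hi[0], hi[1], t.proto)


def worker_for(t: FiveTuple, n_workers: int) -> int:
    """Pick the worker (one snort process) for a packet.  CRC32 is just a
    stable hash for the illustration; any hash of the symmetric key works."""
    return zlib.crc32(symmetric_flow_key(t)) % n_workers


def stream_is_consistent(packets, n_workers: int) -> bool:
    """True if all packets of one flow (either direction) hit one worker."""
    return len({worker_for(p, n_workers) for p in packets}) == 1


# Constructed flow: client 192.0.2.10:51234 <-> server 198.51.100.5:80
CLIENT_SYN = FiveTuple("192.0.2.10", "198.51.100.5", 51234, 80, 6)
SERVER_SYNACK = FiveTuple("198.51.100.5", "192.0.2.10", 80, 51234, 6)
CLIENT_BODY = FiveTuple("192.0.2.10", "198.51.100.5", 51234, 80, 6)
OTHER_FLOW = FiveTuple("192.0.2.11", "198.51.100.5", 40000, 80, 6)

if __name__ == "__main__":
    n = 4
    for name, pkt in [("client SYN", CLIENT_SYN), ("server SYN/ACK", SERVER_SYNACK),
                      ("client body", CLIENT_BODY), ("other flow", OTHER_FLOW)]:
        print(f"{name:15s} -> worker {worker_for(pkt, n)}")
    print("stream consistent:", stream_is_consistent(
        [CLIENT_SYN, SERVER_SYNACK, CLIENT_BODY], n))
```

Consistency is per connection, not per packet, so the mid-stream "Post to forum" segment in the report would reach the same process that handled the request line; if a worker still cannot tell it is mid-stream, the cause lies in reassembly or inspection on that sensor rather than in how packets were distributed, which matches the observation that the non-PF_RING host alerts too.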