[Snort-devel] Falses on 2011032/ET SCAN HTTP POST invalid method case?

Russ Combs rcombs at ...402...
Fri Mar 23 11:09:40 EDT 2012


Can you send a pcap?  That will help isolate any segmentation issues.

On Thu, Mar 22, 2012 at 4:02 PM, livio Ricciulli <livio at ...3255...>wrote:

> PF_RING hashes the packet header and load balances according to the
> 5-tuple. I do not think PF_RING is causing this issue. If it was,
> nothing else would work.
>
> On 03/22/2012 06:32 AM, Packet Hack wrote:
> > I seem to be getting falses on this where the HTTP headers
> > are not present, but a non-all-upcase 'post' appears in the
> > body.
> >
> > 1) I would think that a 'post' not at the beginning of the packet
> >    wouldn't get flagged as an HTTP method
> >
> > 2) I'm doing load-balancing with the PF_RING DAQ and I
> >     was wondering if perhaps that would chop up the flows
> >     so different snort processes would get chunks from the
> >     same TCP stream, so the snort process that received this
> >     packet wouldn't know it wasn't the first packet in the stream.
> >     However, I'm also seeing this on a non-PF_RING-enabled
> >     host.
> >
> > Snort info:
> >
> >   - version 2.9.2.1
> >
> >   - configure flags: CFLAGS="-O2 -I/opt/local/include"
> >     LDFLAGS="-L/opt/local/lib -Wl,-rpath=/opt/local/lib" ./configure
> >     --prefix=/opt/pf --enable-ipv6 --enable-zlib --enable-reload
> >     --enable-flexresp3  --with-libpfring-includes=/opt/local/include
> >     --with-libpfring-libraries=/opt/local/lib --enable-perfprofiling
> >
> >   - 1 PFRING-enabled sensor:
> >      uname -a:
> >        Linux <server name>
> >        2.6.38-13-server #52-Ubuntu SMP Tue Nov 8 17:11:08 UTC 2011
> >        x86_64 x86_64 x86_64 GNU/Linux
> >      CL:
> >        /opt/local/bin/snort -i eth5 --daq-dir=/opt/local/lib/daq --daq
> >        pfring --daq-var clusterid=44 --daq-var bindcpu=3
> >        -c /etc/snort/ufirt-snort-pf-ewan.conf -l /var/log/snort3 -R 3
> >      Rules: 2865 ET and local rules
> >
> >   - 1 non-PFRING-enabled sensor:
> >      uname -a:
> >        Linux <server name> 2.6.32-33-server #72-Ubuntu SMP
> >        Fri Jul 29 21:21:55 UTC 2011 x86_64 GNU/Linux
> >      CL:
> >        /opt/local/bin/snort -D -i eth1 --daq-dir=/opt/local/lib/daq --daq pcap
> >        --daq-var clusterid=44 --daq-var bindcpu=1
> >        -c /etc/snort/ufirt-snort-pf.conf -l /var/log/snort1 -R 1
> >      Rules: 3452 ET and local rules
> >
> > Offending rule:
> >
> >   alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN
> >   HTTP POST invalid method case"; flow:established,to_server;
> >   content:"post"; http_method; nocase; content:!"POST"; http_method;
> >   reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
> >   reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown;
> >   sid:2011032; rev:4;)
> >
> > Actual text has been replaced with "<text>".
> >
> > Please let me know if you need anything else.
> >
> > -- pckthck
> >
> > -------------------- Payloads --------------------
> >
> > ET SCAN HTTP POST invalid method case
> >
> >     <text>
> >
> >     ------WebKitFormBoundaryPDAhvzaUEdiWukiR
> >     Content-Disposition: form-data; name="format"
> >
> >     1
> >     ------WebKitFormBoundaryPDAhvzaUEdiWukiR
> >     Content-Disposition: form-data; name="subscribe"
> >
> >     1
> >     ------WebKitFormBoundaryPDAhvzaUEdiWukiR
> >     Content-Disposition: form-data; name="attachment"; filename=""
> >
> >
> >     ------WebKitFormBoundaryPDAhvzaUEdiWukiR
> >     Content-Disposition: form-data; name="submitbutton"
> >
> >     Post to forum
> >     ------WebKitFormBoundaryPDAhvzaUEdiWukiR--
> >
> > ET SCAN HTTP POST invalid method case
> >
> >     Post to forum
> >     ------WebKitFormBoundarynriRWnylbxwtaofB--
> >
> > ET SCAN HTTP POST invalid method case
> >
> >     77098235644401115438165
> >     Content-Disposition: form-data; name="message"
> >
> >     <text>
> >     -----------------------------20072377098235644401115438165
> >     Content-Disposition: form-data; name="format"
> >
> >     1
> >     -----------------------------20072377098235644401115438165
> >     Content-Disposition: form-data; name="subscribe"
> >
> >     0
> >     -----------------------------20072377098235644401115438165
> >     Content-Disposition: form-data; name="attachment"; filename=""
> >     Content-Type: application/octet-stream
> >
> >
> >     -----------------------------20072377098235644401115438165
> >     Content-Disposition: form-data; name="submitbutton"
> >
> >     Post to forum
> >     -----------------------------20072377098235644401115438165--
> >
> > ET SCAN HTTP POST invalid method case
> >
> >     4414578508781458777923
> >     Content-Disposition: form-data; name="menu-item-description[44]"
> >
> >
> >     -----------------------------10102754414578508781458777923
> >     Content-Disposition: form-data; name="menu-item-db-id[44]"
> >
> >     44
> >     -----------------------------10102754414578508781458777923
> >     Content-Disposition: form-data; name="menu-item-object-id[44]"
> >
> >     43
> >     -----------------------------10102754414578508781458777923
> >     Content-Disposition: form-data; name="menu-item-object[44]"
> >
> >     page
> >     -----------------------------10102754414578508781458777923
> >     Content-Disposition: form-data; name="menu-item-parent-id[44]"
> >
> >     0
> >     -----------------------------10102754414578508781458777923
> >     Content-Disposition: form-data; name="menu-item-position[44]"
> >
> >     3
> >     -----------------------------10102754414578508781458777923
> >     Content-Disposition: form-data; name="menu-item-type[44]"
> >
> >     post_type
> >     -----------------------------10102754414578508781458777923
> >     Content-Disposition: form-data; name="save_menu"
> >
> >     Save Menu
> >     -----------------------------10102754414578508781458777923
> >     Content-Disposition: form-data; name="menu-locations[primary]"
> >
> >     3
> >     -----------------------------10102754414578508781458777923--
> >
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
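A worked illustration of the false-positive mechanism the report describes, added here as an example; it is not Snort code and not code from anyone in the thread. The quoted payloads all alert on a segment whose first bytes are "Post to forum", i.e. the tail of a multipart body with no request line in front of it. The script below models two ways of deciding what "the method" is: a naive extractor that takes the first token of any segment (an assumption about the behaviour behind the alerts, which the pcap Russ asks for would confirm or refute), and a strict one that only accepts a method when the data actually begins with an RFC 2616 request line. It then applies the rule's own condition (matches "post" case-insensitively but is not exactly "POST") to each. All traffic, host names and the boundary string are constructed.

```python
"""
Why a mid-stream TCP segment can trip sid:2011032, and the stricter check a
detection engineer would want. Added example, not Snort's http_inspect and not
the thread author's code; naive_method() is an assumption about why the quoted
payloads alerted. All sample traffic below is constructed.
"""
import re
from typing import Dict, Optional, Sequence, Tuple

# RFC 2616 section 5.1: Request-Line = Method SP Request-URI SP HTTP-Version CRLF
REQUEST_LINE = re.compile(rb"^([A-Za-z]+) (\S+) HTTP/\d\.\d\r?\n")


def naive_method(segment: bytes) -> Optional[bytes]:
    """Take the first whitespace-delimited token of any segment as the method.

    A parser that behaves like this cannot tell that a segment beginning with
    'Post to forum' is the tail of a multipart body rather than a request line.
    """
    m = re.match(rb"[^\s]+", segment.lstrip(b" \t\r\n"))
    return m.group(0) if m else None


def request_line_method(data: bytes) -> Optional[bytes]:
    """Return the method only when the data begins with a complete request line."""
    m = REQUEST_LINE.match(data)
    return m.group(1) if m else None


def invalid_method_case(method: Optional[bytes]) -> bool:
    """The rule's condition: 'post' matches case-insensitively, but not exactly 'POST'."""
    return method is not None and method.lower() == b"post" and method != b"POST"


def check_segment(segment: bytes, strict: bool) -> bool:
    """Evaluate one segment in isolation with either method extractor."""
    method = request_line_method(segment) if strict else naive_method(segment)
    return invalid_method_case(method)


def check_stream(segments: Sequence[bytes]) -> bool:
    """Evaluate the reassembled client stream: the method comes from the first
    bytes of the flow, so a later body segment cannot be mistaken for it."""
    return invalid_method_case(request_line_method(b"".join(segments)))


# Constructed samples shaped like the quoted payloads (boundary is a placeholder).
BOUNDARY = b"----WebKitFormBoundaryEXAMPLE0000"
DELIM = b"--" + BOUNDARY
REQUEST_HEAD = (
    b"POST /forum/post.php HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n\r\n"
)
BODY_PART = DELIM + b"\r\nContent-Disposition: form-data; name=\"format\"\r\n\r\n1\r\n"
BODY_TAIL = (
    DELIM + b"\r\nContent-Disposition: form-data; name=\"submitbutton\"\r\n\r\n"
    b"Post to forum\r\n" + DELIM + b"--\r\n"
)
# A segment that starts right at "Post to forum": the shape seen in the report.
MID_STREAM = b"Post to forum\r\n" + DELIM + b"--\r\n"
# A genuinely mis-cased method, which the rule is meant to catch.
LOWERCASE_POST = b"post /index.php HTTP/1.1\r\nHost: forum.example\r\n\r\n"

SAMPLES: Dict[str, bytes] = {
    "well-formed POST": REQUEST_HEAD,
    "lowercase post (true positive)": LOWERCASE_POST,
    "mid-stream body segment": MID_STREAM,
}


def run_samples() -> Dict[str, Tuple[bool, bool]]:
    """Map each sample name to (naive extractor alerts, strict extractor alerts)."""
    return {name: (check_segment(s, False), check_segment(s, True))
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in run_samples().items():
        print(f"{name:32s} naive={naive!s:5s} strict={strict}")
    # The same 'Post to forum' bytes, seen after the real POST line of the flow.
    print("reassembled flow alerts:", check_stream([REQUEST_HEAD, BODY_PART, BODY_TAIL]))
```

The mid-stream sample alerts only under the naive extractor, which is the pattern in the report; the lowercase request line alerts under both, so the strict check keeps the true positive. `check_stream` makes the second point in the thread concrete: whether the flow is reassembled before inspection decides what "first bytes" means, so a sensor that only ever sees body segments of a flow (for instance because segments of one stream land on different processes) is exactly the case in which the strict request-line check, rather than the first token, should decide whether a method is present at all.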