[Snort-devel] HttpInpsect/HTTP preprocessor: false positives HI_CLISRV_MSG_SIZE_EXCEPTION

Bram bram-fabeg at ...3414...
Fri Aug 9 08:45:27 EDT 2013


Hi,


There appears to be a false positive with the  
'HI_CLISRV_MSG_SIZE_EXCEPTION' alert.
At the very least it displays some confusing/strange behaviour.

Attached are three TCP dump files.
The TCP session in the three dumps is exactly the same, the only  
difference is in the port number (and the squence/ack numbers).
(NOTE: this is a minimal version of the dump - this was triggered on  
other traffic but the dump was made as tiny as possible)

In the config file:
* port 80 and port 8080 are handled the same.
* port 7000 is listed as port for the 'http_inspect' preprocessor but  
not listed in the 'stream5_tcp' preprocessor.


Full configuration file:
	dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
	preprocessor stream5_global: \
	   track_tcp yes, \
	   track_udp no, \
	   track_icmp no
	preprocessor stream5_tcp: policy first, ports 80 8080

	preprocessor http_inspect: global iis_unicode_map unicode.map 1252  
compress_depth 65535 decompress_depth 65535
	preprocessor http_inspect_server: server default \
	    http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK  
UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE  
TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH  
BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST  
SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
	    chunk_length 500000 \
	    server_flow_depth 0 \
	    client_flow_depth 0 \
	    post_depth 65495 \
	    oversize_dir_length 500 \
	    max_header_length 4096 \
	    max_headers 100 \
	    max_spaces 0 \
	    small_chunk_length { 10 5 } \
	    ports { 80 7000 8080 } \
	    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
	    enable_cookie \
	    extended_response_inspection \
	    inspect_gzip \
	    normalize_utf \
	    unlimited_decompress \
	    normalize_javascript \
	    apache_whitespace no \
	    ascii no \
	    bare_byte no \
	    directory no \
	    double_decode no \
	    iis_backslash no \
	    iis_delimiter no \
	    iis_unicode no \
	    multi_slash no \
	    utf_8 no \
	    u_encode yes \
	    webroot no

	alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120; rev:  
2; metadata: rule-type preproc; )
	alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1;  
metadata: rule-type preproc ;  )

	output alert_fast: stdout


Running it shows:
	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r  
/tmp/120_8_2_80.cap 2>&1 | grep 120:
	08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO  
CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority:  
0] {TCP} 192.168.173.1:80 -> 192.168.173.153:43668

	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r  
/tmp/120_8_2_7000.cap 2>&1 | grep 120:
	08/12-18:19:21.036304  [**] [120:3:1] (http_inspect) NO  
CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority:  
0] {TCP} 192.168.173.1:7000 -> 192.168.173.153:36671

	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r  
/tmp/120_8_2_8080.cap 2>&1 | grep 120:
	08/09-10:00:25.993618  [**] [120:8:2] (http_inspect) INVALID  
CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP}  
192.168.173.153:54958 -> 192.168.173.1:8080
	08/09-10:00:25.993471  [**] [120:3:1] (http_inspect) NO  
CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority:  
0] {TCP} 192.168.173.1:8080 -> 192.168.173.153:54958

The 'NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE' alert is  
expected.
The 'INVALID CONTENT-LENGTH OR CHUNK SIZE' alert is unexpected...


Looking further:

* 120_8_2_80.cap:
	'HI_SERVER_NO_CONTLEN' shown on packet 6

* 120_8_2_7000.cap:
	'HI_SERVER_NO_CONTLEN' shown on packet 6

* 120_8_2_8080.cap:
	'HI_CLISRV_MSG_SIZE_EXCEPTION' shown on packet 8
	'HI_SERVER_NO_CONTLEN' shown on packet 10

Why is the behaviour for port 80 different from the behaviour for port 8080?
As far as I can see it's configured the same...


Breaking in 'CheckFlushPolicyOnAck' with gdb shows:


* 120_8_2_80.cap:
	For packets 1, 2 and 10: 'CheckFlushPolicyOnAck' never called
	For packets 3, 4, 5, 6, 7, 8 and 9: 'talker->flush_mgr.flush_policy'  
is set to 5 (STREAM_FLPOLICY_IGNORE)

* 120_8_2_7000.cap:
	For packets 1, 2 and 10: 'CheckFlushPolicyOnAck' never called
	For packets 3, 4, 5, 6, 7, 8 and 9: 'talker->flush_mgr.flush_policy'  
is set to 5 (STREAM_FLPOLICY_IGNORE)


* 120_8_2_8080.cap:
	For packets 1 and 2: 'CheckFlushPolicyOnAck' never called
	For packets 3, 4, 5, 6 and 7: 'talker->flush_mgr.flush_policy' is set  
to 6 (STREAM_FLPOLICY_PROTOCOL)
	For packets 8: 'CheckFlushPolicyOnAck' called twice, first time  
'talker->flush_mgr.flush_policy' is set to 6  
(STREAM_FLPOLICY_PROTOCOL), second time it's set to 1  
(STREAM_FLPOLICY_FOOTPRINT)
	For packets 9 and 10: 'talker->flush_mgr.flush_policy' is set to 1  
(STREAM_FLPOLICY_FOOTPRINT)



Best regards,

Bram


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 120_8_2_80.cap
Type: application/octet-stream
Size: 907 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130809/78703371/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 120_8_2_7000.cap
Type: application/octet-stream
Size: 907 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130809/78703371/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 120_8_2_8080.cap
Type: application/octet-stream
Size: 907 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130809/78703371/attachment-0002.obj>


More information about the Snort-devel mailing list