[Snort-devel] HttpInspect/HTTP preprocessor: false positives HI_CLISRV_MSG_SIZE_EXCEPTION

Bram bram-fabeg at ...3414...
Fri Aug 16 05:17:13 EDT 2013


As indicated in the other message the configuration contains an error..

'preprocessor stream5_tcp: policy first, ports 80 8080'

should be

'preprocessor stream5_tcp: policy first, ports both 80 8080'

Running it with the updated config shows:


	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_80.cap 2>&1 | grep 120:
	08/12-18:21:01.997838  [**] [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP} 192.168.173.153:43668 -> 192.168.173.1:80
	08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:80 -> 192.168.173.153:43668

	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_8080.cap 2>&1 | grep 120:
	08/09-10:00:25.993618  [**] [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP} 192.168.173.153:54958 -> 192.168.173.1:8080
	08/09-10:00:25.993471  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:8080 -> 192.168.173.153:54958

	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_7000.cap 2>&1 | grep 120:
	08/12-18:19:21.036304  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:7000 -> 192.168.173.153:36671

This at least makes a bit more sense but I still feel the 'HI_CLISRV_MSG_SIZE_EXCEPTION' alert is incorrect..
The 'HI_CLISRV_MSG_SIZE_EXCEPTION' alert links to CVE-2013-2028.

From what I can tell reading CVE-2013-2028: this happens when the chunked size is negative.
That is: the value is positive when stored in an unsigned int (obviously) but becomes negative when converting to a signed int.

The code in preprocessors/HttpInspect/utils/hi_paf.c 'hi_exec' does seem to check the length/size.
However: this is not the code that generated the alert.

The alert is generated by the 'hi_eoh' function:
     if ( s->flags & HIF_CHK )
     {
         hi_exec(s, ACT_CK0, 0);
         return PAF_SEARCH;
     }
     if ( (s->flags & (HIF_REQ|HIF_LEN)) )
         return PAF_FLUSH;

     if ( (s->flags & HIF_V11) && (s->flags & HIF_RSP) )
     {
         hi_exec(s, ACT_LN0, 0);
         hi_paf_event_msg_size();
         return PAF_FLUSH;
     }

If I read the code correctly:
* if there is a 'Transfer-Encoding: Chunked' header then PAF_SEARCH is returned (first if)
* if this is a request or if the 'Content-Length' header is set then PAF_FLUSH is returned (second if)
* if this is a HTTP/1.1 response then the 'HI_CLISRV_MSG_SIZE_EXCEPTION' is generated.

I don't understand why it generates the event in that particular place..
From what I can tell this case should be handled by the 'HI_SERVER_NO_CONTLEN' alert...


Best regards,

Bram


Quoting Bram <bram-fabeg at ...3414...>:

> Hi,
>
>
> There appears to be a false positive with the   
> 'HI_CLISRV_MSG_SIZE_EXCEPTION' alert.
> At the very least it displays some confusing/strange behaviour.
>
> Attached are three TCP dump files.
> The TCP session in the three dumps is exactly the same, the only difference is in the port number (and the sequence/ack numbers).
> (NOTE: this is a minimal version of the dump - this was triggered on other traffic but the dump was made as tiny as possible)
>
> In the config file:
> * port 80 and port 8080 are handled the same.
> * port 7000 is listed as port for the 'http_inspect' preprocessor but not listed in the 'stream5_tcp' preprocessor.
>
>
> Full configuration file:
>        dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>        preprocessor stream5_global: \
>           track_tcp yes, \
>           track_udp no, \
>           track_icmp no
>        preprocessor stream5_tcp: policy first, ports 80 8080
>
>        preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
>        preprocessor http_inspect_server: server default \
>            http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>            chunk_length 500000 \
>            server_flow_depth 0 \
>            client_flow_depth 0 \
>            post_depth 65495 \
>            oversize_dir_length 500 \
>            max_header_length 4096 \
>            max_headers 100 \
>            max_spaces 0 \
>            small_chunk_length { 10 5 } \
>            ports { 80 7000 8080 } \
>            non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>            enable_cookie \
>            extended_response_inspection \
>            inspect_gzip \
>            normalize_utf \
>            unlimited_decompress \
>            normalize_javascript \
>            apache_whitespace no \
>            ascii no \
>            bare_byte no \
>            directory no \
>            double_decode no \
>            iis_backslash no \
>            iis_delimiter no \
>            iis_unicode no \
>            multi_slash no \
>            utf_8 no \
>            u_encode yes \
>            webroot no
>
>        alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120; rev: 2; metadata: rule-type preproc; )
>        alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc; )
>
>        output alert_fast: stdout
>
>
> Running it shows:
>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_80.cap 2>&1 | grep 120:
>        08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:80 -> 192.168.173.153:43668
>
>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_7000.cap 2>&1 | grep 120:
>        08/12-18:19:21.036304  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:7000 -> 192.168.173.153:36671
>
>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/120_8_2_8080.cap 2>&1 | grep 120:
>        08/09-10:00:25.993618  [**] [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP} 192.168.173.153:54958 -> 192.168.173.1:8080
>        08/09-10:00:25.993471  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0] {TCP} 192.168.173.1:8080 -> 192.168.173.153:54958
>
> The 'NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE' alert is expected.
> The 'INVALID CONTENT-LENGTH OR CHUNK SIZE' alert is unexpected...
>
>
> Looking further:
>
> * 120_8_2_80.cap:
>        'HI_SERVER_NO_CONTLEN' shown on packet 6
>
> * 120_8_2_7000.cap:
>        'HI_SERVER_NO_CONTLEN' shown on packet 6
>
> * 120_8_2_8080.cap:
>        'HI_CLISRV_MSG_SIZE_EXCEPTION' shown on packet 8
>        'HI_SERVER_NO_CONTLEN' shown on packet 10
>
> Why is the behaviour for port 80 different from the behaviour for port 8080?
> As far as I can see it's configured the same...
>
>
> Breaking in 'CheckFlushPolicyOnAck' with gdb shows:
>
>
> * 120_8_2_80.cap:
>        For packets 1, 2 and 10: 'CheckFlushPolicyOnAck' never called
>        For packets 3, 4, 5, 6, 7, 8 and 9: 'talker->flush_mgr.flush_policy' is set to 5 (STREAM_FLPOLICY_IGNORE)
>
> * 120_8_2_7000.cap:
>        For packets 1, 2 and 10: 'CheckFlushPolicyOnAck' never called
>        For packets 3, 4, 5, 6, 7, 8 and 9: 'talker->flush_mgr.flush_policy' is set to 5 (STREAM_FLPOLICY_IGNORE)
>
>
> * 120_8_2_8080.cap:
>        For packets 1 and 2: 'CheckFlushPolicyOnAck' never called
>        For packets 3, 4, 5, 6 and 7: 'talker->flush_mgr.flush_policy' is set to 6 (STREAM_FLPOLICY_PROTOCOL)
>        For packet 8: 'CheckFlushPolicyOnAck' called twice, first time 'talker->flush_mgr.flush_policy' is set to 6 (STREAM_FLPOLICY_PROTOCOL), second time it's set to 1 (STREAM_FLPOLICY_FOOTPRINT)
>        For packets 9 and 10: 'talker->flush_mgr.flush_policy' is set to 1 (STREAM_FLPOLICY_FOOTPRINT)
>
>
>
> Best regards,
>
> Bram
>
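As an added illustration (not part of Bram's message and not Snort's own code), the following C program models the hi_eoh decision quoted above on a few constructed HTTP messages and adds the kind of signed/unsigned chunk-size guard the post describes for CVE-2013-2028. Only the three-way if/return structure of hi_eoh_decide is taken from the excerpt; the HIF_* bit values, the header classifier, the chunk-size parser and the behaviour for cases past the end of the quoted lines (e.g. an HTTP/1.0 response) are this example's own assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Flag names follow the hi_paf.c excerpt in the post; the bit values are this
 * example's own (assumption), not Snort's. */
enum { HIF_REQ = 1u, HIF_RSP = 2u, HIF_LEN = 4u, HIF_CHK = 8u, HIF_V11 = 16u };
enum paf_action { PAF_SEARCH = 0, PAF_FLUSH = 1 };
struct eoh_result {
    enum paf_action action;
    int msg_size_event;  /* 1 when HI_CLISRV_MSG_SIZE_EXCEPTION would fire */
};

/* Case-insensitive "s starts with p". */
static int prefix_ci(const char *s, const char *p)
{
    for (; *p; ++s, ++p)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*p))
            return 0;
    return 1;
}

/* Case-insensitive search for needle, stopping at the end of the current line. */
static int line_has_ci(const char *line, const char *needle)
{
    for (; *line && !(line[0] == '\r' && line[1] == '\n'); ++line)
        if (prefix_ci(line, needle))
            return 1;
    return 0;
}

/* Derive HIF_* flags from a raw HTTP message (start line plus headers):
 * HIF_LEN = Content-Length seen, HIF_CHK = Transfer-Encoding: chunked seen. */
static unsigned classify(const char *msg)
{
    unsigned flags;
    const char *line;

    if (strncmp(msg, "HTTP/", 5) == 0)
        flags = HIF_RSP | (strncmp(msg, "HTTP/1.1", 8) == 0 ? HIF_V11 : 0);
    else
        flags = HIF_REQ | (line_has_ci(msg, " HTTP/1.1") ? HIF_V11 : 0);

    /* Walk header lines until the empty line that ends the header block. */
    for (line = strstr(msg, "\r\n"); line; line = strstr(line, "\r\n")) {
        line += 2;
        if (*line == '\0' || (line[0] == '\r' && line[1] == '\n'))
            break;
        if (prefix_ci(line, "content-length:"))
            flags |= HIF_LEN;
        else if (prefix_ci(line, "transfer-encoding:") && line_has_ci(line, "chunked"))
            flags |= HIF_CHK;
    }
    return flags;
}

/* The three-way decision from the hi_eoh excerpt quoted in the post. */
static struct eoh_result hi_eoh_decide(unsigned flags)
{
    struct eoh_result r = { PAF_FLUSH, 0 };

    if (flags & HIF_CHK) {            /* chunked: keep scanning for chunk sizes */
        r.action = PAF_SEARCH;
        return r;
    }
    if (flags & (HIF_REQ | HIF_LEN))  /* a request, or a body of known length */
        return r;
    if ((flags & HIF_V11) && (flags & HIF_RSP))
        r.msg_size_event = 1;         /* HTTP/1.1 response with neither header */
    /* Anything else (e.g. an HTTP/1.0 response) is past the end of the quoted
     * excerpt; this model just flushes without an event (assumption). */
    return r;
}

/* Parse one chunk-size line ("1a", "5;ext=1", ...). Returns the size, or -1 if
 * the line is malformed, overflows 32 bits, or is positive as a uint32_t but
 * would be negative as a signed int (the CVE-2013-2028 class of bug the post
 * describes). This guard is the example's own, not a copy of hi_exec. */
static int64_t parse_chunk_size(const char *line)
{
    uint32_t size = 0;
    int digits = 0;
    for (; isxdigit((unsigned char)*line); ++line, ++digits) {
        unsigned d = isdigit((unsigned char)*line)
                   ? (unsigned)(*line - '0')
                   : (unsigned)(tolower((unsigned char)*line) - 'a' + 10);
        if (size > (UINT32_MAX >> 4))    /* the next shift would overflow */
            return -1;
        size = (size << 4) | d;
    }
    if (digits == 0)
        return -1;
    if (*line != ';' && *line != '\r' && *line != '\n' && *line != '\0')
        return -1;                        /* junk after the hex digits */
    if (size > (uint32_t)INT32_MAX)       /* sign bit set: negative as int */
        return -1;
    return (int64_t)size;
}
```

Feeding an HTTP/1.1 response with neither Content-Length nor Transfer-Encoding through hi_eoh_decide(classify(...)) sets msg_size_event, which is exactly the branch the message above questions, while the same response with a Content-Length, or any request, flushes silently and a chunked response returns PAF_SEARCH. parse_chunk_size rejects "80000000" even though it fits in a uint32_t, because that value flips negative once stored in a signed int.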


