[Snort-devel] HttpInspect/HTTP preprocessor: false positives HI_CLISRV_MSG_SIZE_EXCEPTION

Russ Combs rcombs at ...402...
Fri Aug 16 08:55:26 EDT 2013


Thanks for reporting this.  I will investigate and get back to you.

Russ

On Fri, Aug 16, 2013 at 5:17 AM, Bram <bram-fabeg at ...3414...> wrote:

> As indicated in the other message the configuration contains an error..
>
> 'preprocessor stream5_tcp: policy first, ports 80 8080'
>
> should be
>
> 'preprocessor stream5_tcp: policy first, ports both 80 8080'
>
> Running it with the updated config shows:
>
>
>
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
> -r /tmp/120_8_2_80.cap 2>&1 | grep 120:
>         08/12-18:21:01.997838  [**] [120:8:2] (http_inspect) INVALID
> CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP}
> 192.168.173.153:43668 -> 192.168.173.1:80
>
>         08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO
> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0]
> {TCP} 192.168.173.1:80 -> 192.168.173.153:43668
>
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
> -r /tmp/120_8_2_8080.cap 2>&1 | grep 120:
>         08/09-10:00:25.993618  [**] [120:8:2] (http_inspect) INVALID
> CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP}
> 192.168.173.153:54958 -> 192.168.173.1:8080
>         08/09-10:00:25.993471  [**] [120:3:1] (http_inspect) NO
> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0]
> {TCP} 192.168.173.1:8080 -> 192.168.173.153:54958
>
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
> -r /tmp/120_8_2_7000.cap 2>&1 | grep 120:
>         08/12-18:19:21.036304  [**] [120:3:1] (http_inspect) NO
> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0]
> {TCP} 192.168.173.1:7000 -> 192.168.173.153:36671
>
> This at least makes a bit more sense but I still feel the
> 'HI_CLISRV_MSG_SIZE_EXCEPTION' alert is incorrect..
> The 'HI_CLISRV_MSG_SIZE_EXCEPTION' alert links to CVE-2013-2028.
>
> From what I can tell reading CVE-2013-2028: this happens when the chunked
> size is negative.
> That is: that the value is positive when stored in an unsigned int
> (obviously) but becomes negative when converting to a signed int.
>
> The code in preprocessors/HttpInspect/utils/hi_paf.c 'hi_exec' does
> seem to check the length/size.
> However: this is not the code that generated the alert.
>
> The alert is generated by the 'hi_eoh' function:
>     if ( s->flags & HIF_CHK )
>     {
>         hi_exec(s, ACT_CK0, 0);
>         return PAF_SEARCH;
>     }
>     if ( (s->flags & (HIF_REQ|HIF_LEN)) )
>         return PAF_FLUSH;
>
>     if ( (s->flags & HIF_V11) && (s->flags & HIF_RSP) )
>     {
>         hi_exec(s, ACT_LN0, 0);
>         hi_paf_event_msg_size();
>         return PAF_FLUSH;
>     }
>
> If I read the code correctly:
> * if there is a 'Transfer-Encoding: Chunked' header then the PAF_SEARCH is
> returned (first if)
> * if this is a request or if the 'Content-Length' header is set then
> PAF_FLUSH is returned (second if)
> * if this is a HTTP/1.1 response then the 'HI_CLISRV_MSG_SIZE_EXCEPTION'
> is generated.
>
> I don't understand why it generates the event in that particular place..
> From what I can tell this case should be handled by the
> 'HI_SERVER_NO_CONTLEN' alert...
>
>
> Best regards,
>
> Bram
>
>
>
> Quoting Bram <bram-fabeg at ...3414...>:
>
>> Hi,
>>
>>
>> There appears to be a false positive with the
>>  'HI_CLISRV_MSG_SIZE_EXCEPTION' alert.
>> At the very least it displays some confusing/strange behaviour.
>>
>> Attached are three TCP dump files.
>> The TCP session in the three dumps is exactly the same, the only
>>  difference is in the port number (and the sequence/ack numbers).
>> (NOTE: this is a minimal version of the dump - this was triggered on
>>  other traffic but the dump was made as tiny as possible)
>>
>> In the config file:
>> * port 80 and port 8080 are handled the same.
>> * port 7000 is listed as port for the 'http_inspect' preprocessor but
>>  not listed in the 'stream5_tcp' preprocessor.
>>
>>
>> Full configuration file:
>>        dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>>        preprocessor stream5_global: \
>>           track_tcp yes, \
>>           track_udp no, \
>>           track_icmp no
>>        preprocessor stream5_tcp: policy first, ports 80 8080
>>
>>        preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>  compress_depth 65535 decompress_depth 65535
>>        preprocessor http_inspect_server: server default \
>>            http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK
>>  UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE
>>  TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH
>>  BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST
>>  SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>>            chunk_length 500000 \
>>            server_flow_depth 0 \
>>            client_flow_depth 0 \
>>            post_depth 65495 \
>>            oversize_dir_length 500 \
>>            max_header_length 4096 \
>>            max_headers 100 \
>>            max_spaces 0 \
>>            small_chunk_length { 10 5 } \
>>            ports { 80 7000 8080 } \
>>            non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>            enable_cookie \
>>            extended_response_inspection \
>>            inspect_gzip \
>>            normalize_utf \
>>            unlimited_decompress \
>>            normalize_javascript \
>>            apache_whitespace no \
>>            ascii no \
>>            bare_byte no \
>>            directory no \
>>            double_decode no \
>>            iis_backslash no \
>>            iis_delimiter no \
>>            iis_unicode no \
>>            multi_slash no \
>>            utf_8 no \
>>            u_encode yes \
>>            webroot no
>>
>>        alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120;
>> rev:  2; metadata: rule-type preproc; )
>>        alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1;
>>  metadata: rule-type preproc ;  )
>>
>>        output alert_fast: stdout
>>
>>
>> Running it shows:
>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r  /tmp/120_8_2_80.cap 2>&1 | grep 120:
>>        08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO
>>  CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority:  0]
>> {TCP} 192.168.173.1:80 -> 192.168.173.153:43668
>>
>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r  /tmp/120_8_2_7000.cap 2>&1 | grep 120:
>>        08/12-18:19:21.036304  [**] [120:3:1] (http_inspect) NO
>>  CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority:  0]
>> {TCP} 192.168.173.1:7000 -> 192.168.173.153:36671
>>
>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r  /tmp/120_8_2_8080.cap 2>&1 | grep 120:
>>        08/09-10:00:25.993618  [**] [120:8:2] (http_inspect) INVALID
>>  CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP}
>> 192.168.173.153:54958 -> 192.168.173.1:8080
>>        08/09-10:00:25.993471  [**] [120:3:1] (http_inspect) NO
>>  CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority:  0]
>> {TCP} 192.168.173.1:8080 -> 192.168.173.153:54958
>>
>> The 'NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE' alert is
>>  expected.
>> The 'INVALID CONTENT-LENGTH OR CHUNK SIZE' alert is unexpected...
>>
>>
>> Looking further:
>>
>> * 120_8_2_80.cap:
>>        'HI_SERVER_NO_CONTLEN' shown on packet 6
>>
>> * 120_8_2_7000.cap:
>>        'HI_SERVER_NO_CONTLEN' shown on packet 6
>>
>> * 120_8_2_8080.cap:
>>        'HI_CLISRV_MSG_SIZE_EXCEPTION' shown on packet 8
>>        'HI_SERVER_NO_CONTLEN' shown on packet 10
>>
>> Why is the behaviour for port 80 different from the behaviour for port
>> 8080?
>> As far as I can see it's configured the same...
>>
>>
>> Breaking in 'CheckFlushPolicyOnAck' with gdb shows:
>>
>>
>> * 120_8_2_80.cap:
>>        For packets 1, 2 and 10: 'CheckFlushPolicyOnAck' never called
>>        For packets 3, 4, 5, 6, 7, 8 and 9: 'talker->flush_mgr.flush_policy'
>>  is set to 5 (STREAM_FLPOLICY_IGNORE)
>>
>> * 120_8_2_7000.cap:
>>        For packets 1, 2 and 10: 'CheckFlushPolicyOnAck' never called
>>        For packets 3, 4, 5, 6, 7, 8 and 9: 'talker->flush_mgr.flush_policy'
>>  is set to 5 (STREAM_FLPOLICY_IGNORE)
>>
>>
>> * 120_8_2_8080.cap:
>>        For packets 1 and 2: 'CheckFlushPolicyOnAck' never called
>>        For packets 3, 4, 5, 6 and 7: 'talker->flush_mgr.flush_policy'
>> is set  to 6 (STREAM_FLPOLICY_PROTOCOL)
>>        For packet 8: 'CheckFlushPolicyOnAck' called twice, first time
>>  'talker->flush_mgr.flush_policy' is set to 6
>>  (STREAM_FLPOLICY_PROTOCOL), second time it's set to 1
>>  (STREAM_FLPOLICY_FOOTPRINT)
>>        For packets 9 and 10: 'talker->flush_mgr.flush_policy' is set
>> to 1  (STREAM_FLPOLICY_FOOTPRINT)
>>
>>
>>
>> Best regards,
>>
>> Bram
>>
>>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
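Editor's added example, not Snort's code and not part of Bram's or Russ's messages: a minimal C chunk-size parser illustrating the signed/unsigned pattern Bram describes for CVE-2013-2028 (a hex chunk size that is positive as an unsigned value but negative once read through a signed type), beside a hardened parser that rejects such values, bounds the digit count before the accumulator can wrap, and enforces a configured maximum. The maximum is set to 500000 to mirror the `chunk_length 500000` line in the configuration above; treating that setting as equivalent to this check is an assumption. All function names and the sample chunk-size lines are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcomes of parsing one chunk-size line such as "1a3f;ext=1\r\n". */
enum chunk_status {
    CHUNK_OK,         /* size parsed and within bounds */
    CHUNK_EMPTY,      /* no hex digit before the terminator */
    CHUNK_OVERFLOW,   /* more than 16 hex digits: a uint64_t would wrap */
    CHUNK_NEGATIVE,   /* bit 63 set: negative if ever read as a signed value */
    CHUNK_TOO_LARGE,  /* above the caller's configured maximum */
    CHUNK_BAD_CHAR    /* something other than ';', CR, LF or NUL after the digits */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Naive parser (the pattern described for CVE-2013-2028): digits are
 * accumulated into an unsigned value and the total is handed back as a
 * signed size. A value with bit 63 set is positive while unsigned but comes
 * back negative, so a downstream "size <= remaining" test is passed by a
 * size that is actually enormous. The digit loop is also unbounded, so a
 * 17th digit silently wraps the accumulator. Kept only for comparison. */
static int64_t naive_chunk_size(const char *line)
{
    uint64_t v = 0;
    int d;
    while ((d = hexval((unsigned char)*line)) >= 0) {
        v = v * 16 + (uint64_t)d;   /* unsigned wrap, no diagnostic */
        line++;
    }
    return (int64_t)v;   /* wraps to a negative number on two's-complement ABIs */
}

/* Hardened parser: bounds the digit count before the accumulator can wrap,
 * refuses any value that would be negative as int64_t, enforces a configured
 * maximum, and insists that the digits are followed by a chunk extension or
 * the line terminator. max_len stands in for a chunk_length style limit
 * (assumption: a one-to-one mapping onto Snort's setting). */
static enum chunk_status safe_chunk_size(const char *line, uint64_t max_len,
                                         uint64_t *out)
{
    uint64_t v = 0;
    int digits = 0, d;

    while ((d = hexval((unsigned char)*line)) >= 0) {
        if (++digits > 16)
            return CHUNK_OVERFLOW;   /* a 17th digit would shift bits out */
        v = (v << 4) | (uint64_t)d;
        line++;
    }
    if (digits == 0)
        return CHUNK_EMPTY;
    if (*line != ';' && *line != '\r' && *line != '\n' && *line != '\0')
        return CHUNK_BAD_CHAR;
    if (v & (UINT64_C(1) << 63))
        return CHUNK_NEGATIVE;       /* would read as < 0 through a signed type */
    if (v > max_len)
        return CHUNK_TOO_LARGE;
    *out = v;
    return CHUNK_OK;
}

/* Status-only wrapper for callers that do not need the value. */
static enum chunk_status chunk_status_of(const char *line, uint64_t max_len)
{
    uint64_t unused;
    return safe_chunk_size(line, max_len, &unused);
}

int main(void)
{
    /* Constructed sample chunk-size lines; the last two are the CVE pattern
     * (bit 63 set) and an unbounded-digit wrap that lands on the same value. */
    const char *lines[] = { "1a3f;ext=1\r\n", "7a120\r\n", "7a121\r\n",
                            "\r\n", "12g\r\n", "fffffffffffffff0\r\n",
                            "1fffffffffffffff0\r\n" };
    const uint64_t max_len = 500000;   /* mirrors chunk_length in the config */
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        uint64_t n = 0;
        enum chunk_status st = safe_chunk_size(lines[i], max_len, &n);
        printf("line %zu: naive=%lld safe_status=%d safe_value=%llu\n", i,
               (long long)naive_chunk_size(lines[i]), (int)st,
               (unsigned long long)n);
    }
    return 0;
}
```

The hardened version deliberately classifies "negative as signed" separately from "too large", because the two failures come from different places: the first is a type-conversion hazard inside the parser, the second is a policy limit the operator chose. A preprocessor that wants to alert on each case distinctly needs that split.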