[Snort-devel] HTTP Preprocessor: support for websockets

Russ Combs rcombs at ...402...
Fri Aug 16 09:04:48 EDT 2013


Thanks Bram.  I've opened a bug to address this.

Russ

On Fri, Aug 16, 2013 at 7:46 AM, Bram <bram-fabeg at ...3414...> wrote:

> Hi,
>
>
> Currently the HTTP Preprocessor fails to detect websockets (see
> http://www.websocket.org).
> This causes Snort to produce the alert 'HI_CLIENT_UNKNOWN_METHOD'.
>
> Attached are two dumps, both dumps were created using
> http://www.websocket.org/echo.html but with different versions of Chrome (with different versions of the
> websocket protocol).
>
> Config:
>         dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>         preprocessor stream5_global: \
>            track_tcp yes, \
>            track_udp no, \
>            track_icmp no
>         preprocessor stream5_tcp: policy first, ports both 80
>
>         preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> compress_depth 65535 decompress_depth 65535
>         preprocessor http_inspect_server: server default \
>             http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK
> UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE
> TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH
> BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST
> RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>             chunk_length 500000 \
>             server_flow_depth 0 \
>             client_flow_depth 0 \
>             post_depth 65495 \
>             oversize_dir_length 500 \
>             max_header_length 4096 \
>             max_headers 100 \
>             max_spaces 0 \
>             small_chunk_length { 10 5 } \
>             ports { 80 } \
>             non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>             enable_cookie \
>             extended_response_inspection \
>             inspect_gzip \
>             normalize_utf \
>             unlimited_decompress \
>             normalize_javascript \
>             apache_whitespace no \
>             ascii no \
>             bare_byte no \
>             directory no \
>             double_decode no \
>             iis_backslash no \
>             iis_delimiter no \
>             iis_unicode no \
>             multi_slash no \
>             utf_8 no \
>             u_encode yes \
>             webroot no
>
>         alert ( msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid: 119; rev:
> 1; metadata: rule-type preproc ; )
>
>         output alert_fast: stdout
>
> Running it shows:
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
> -r /tmp/websocket_A.cap 2>&1 | grep '119:'
>         08/12-15:57:18.473363  [**] [119:31:1] (http_inspect) UNKNOWN
> METHOD [**] [Priority: 0] {TCP} 10.10.1.1:44486 -> 174.129.224.73:80
>
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
> -r /tmp/websocket_B.cap 2>&1 | grep '119:'
>         08/16-14:08:07.908889  [**] [119:31:1] (http_inspect) UNKNOWN
> METHOD [**] [Priority: 0] {TCP} 10.10.1.1:56727 -> 174.129.224.73:80
>
>
> While the 'UNKNOWN METHOD' alert is technically correct it would be better
> if a specific alert was added for the upgrade to websockets.
> In addition to that: after the switch to Websockets all further (HTTP)
> alerts should be disabled on the socket (since it's no longer HTTP).
>
>
> Best regards,
>
> Bram
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
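The flow-state change Bram asks for (recognise the WebSocket upgrade handshake, then stop treating the connection as HTTP) can be illustrated with a small per-flow inspector. This is an added example, not code from the original thread and not Snort's http_inspect; it assumes a constructed handshake (the Sec-WebSocket-Key/Accept pair and the masked "Hello" frame are the published sample values from RFC 6455) and a reduced copy of the http_methods list from the config above. It replays the same flow twice, once without upgrade tracking, which mis-parses the first WebSocket frame as an HTTP request and raises the same 'UNKNOWN METHOD' condition seen in the captures, and once with tracking, which raises a specific upgrade alert and then suppresses HTTP checks.

```python
import base64
import hashlib

# RFC 6455 handshake GUID; a published protocol constant, not from the original mail.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Subset of the http_methods block in the http_inspect_server config quoted above.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "OPTIONS", "DELETE", "TRACE", "CONNECT"}


def split_head(data: bytes):
    """Return (start_line, headers, body) for an HTTP/1.1 message head, or None if incomplete."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = data[:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, data[end + 4:]


def websocket_accept(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for a client Sec-WebSocket-Key (RFC 6455 4.2.2)."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


class FlowInspector:
    """Per-flow HTTP inspector that stops HTTP checks once a WebSocket upgrade is validated."""

    def __init__(self, track_upgrade: bool = True):
        self.track_upgrade = track_upgrade
        self.pending_key = None   # Sec-WebSocket-Key from a client upgrade request, if any
        self.upgraded = False     # True after a validated 101 Switching Protocols
        self.alerts = []

    def client_data(self, data: bytes):
        if self.upgraded:
            return                # WebSocket frames are not HTTP: nothing to check
        # The method token is whatever precedes the first space in the stream.
        method = data.split(b" ", 1)[0].decode("latin-1", "replace")
        if method not in HTTP_METHODS:
            self.alerts.append("UNKNOWN METHOD")
            return
        parsed = split_head(data)
        if parsed is None or not self.track_upgrade:
            return
        _, hdrs, _ = parsed
        if ("upgrade" in hdrs.get("connection", "").lower()
                and hdrs.get("upgrade", "").lower() == "websocket"
                and "sec-websocket-key" in hdrs):
            self.pending_key = hdrs["sec-websocket-key"]
            self.alerts.append("WEBSOCKET UPGRADE REQUEST")

    def server_data(self, data: bytes):
        if self.upgraded or self.pending_key is None:
            return
        parsed = split_head(data)
        if parsed is None:
            return
        status_line, hdrs, _ = parsed
        parts = status_line.split(" ")
        # Only a 101 carrying the correct Accept value completes the upgrade.
        if (len(parts) >= 2 and parts[1] == "101"
                and hdrs.get("sec-websocket-accept") == websocket_accept(self.pending_key)):
            self.upgraded = True
            self.alerts.append("WEBSOCKET UPGRADE COMPLETE")
        else:
            self.pending_key = None   # server declined; the flow stays HTTP


# Constructed handshake; key/accept pair taken from RFC 6455 section 1.3.
CLIENT_REQUEST = (
    b"GET /echo HTTP/1.1\r\n"
    b"Host: echo.example\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)
SERVER_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
# Masked client text frame carrying "Hello" (RFC 6455 section 5.7 sample).
CLIENT_FRAME = b"\x81\x85\x37\xfa\x21\x3d\x7f\x9f\x4d\x51\x58"


def replay(track_upgrade: bool):
    """Replay the constructed flow through one inspector and return the alerts it raised."""
    f = FlowInspector(track_upgrade)
    f.client_data(CLIENT_REQUEST)
    f.server_data(SERVER_RESPONSE)
    f.client_data(CLIENT_FRAME)
    return f.alerts


if __name__ == "__main__":
    print("without upgrade tracking:", replay(False))
    print("with upgrade tracking:   ", replay(True))
```

Validating the Accept value before flipping the flow state matters: a client can send an Upgrade header on any request, so marking the flow as non-HTTP on the request alone would let a peer switch inspection off without the server ever agreeing to the protocol change.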