[Snort-devel] HttpInspect/HTTP preprocessor: false positives HI_CLISRV_MSG_SIZE_EXCEPTION

Russ Combs rcombs at ...402...
Mon Aug 19 16:48:37 EDT 2013


Hey Bram - which version of Snort are you running?  I'm only getting 120:3
with 295-132.

On Fri, Aug 16, 2013 at 8:55 AM, Russ Combs <rcombs at ...402...> wrote:

> Thanks for reporting this.  I will investigate and get back to you.
>
> Russ
>
>
> On Fri, Aug 16, 2013 at 5:17 AM, Bram <bram-fabeg at ...3414...> wrote:
>
>> As indicated in the other message the configuration contains an error..
>>
>> 'preprocessor stream5_tcp: policy first, ports 80 8080'
>>
>> should be
>>
>> 'preprocessor stream5_tcp: policy first, ports both 80 8080'
>>
>> Running it with the updated config shows:
>>
>>
>>
>>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r /tmp/120_8_2_80.cap 2>&1 | grep 120:
>>         08/12-18:21:01.997838  [**] [120:8:2] (http_inspect) INVALID
>> CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP}
>> 192.168.173.153:43668 -> 192.168.173.1:80
>>
>>         08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO
>> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0]
>> {TCP} 192.168.173.1:80 -> 192.168.173.153:43668
>>
>>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r /tmp/120_8_2_8080.cap 2>&1 | grep 120:
>>         08/09-10:00:25.993618  [**] [120:8:2] (http_inspect) INVALID
>> CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP}
>> 192.168.173.153:54958 -> 192.168.173.1:8080
>>         08/09-10:00:25.993471  [**] [120:3:1] (http_inspect) NO
>> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0]
>> {TCP} 192.168.173.1:8080 -> 192.168.173.153:54958
>>
>>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r /tmp/120_8_2_7000.cap 2>&1 | grep 120:
>>         08/12-18:19:21.036304  [**] [120:3:1] (http_inspect) NO
>> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0]
>> {TCP} 192.168.173.1:7000 -> 192.168.173.153:36671
>>
>> This at least makes a bit more sense but I still feel the
>> 'HI_CLISRV_MSG_SIZE_EXCEPTION' alert is incorrect..
>> The 'HI_CLISRV_MSG_SIZE_EXCEPTION' alert links to CVE 2013-2028.
>>
>> From what I can tell reading CVE 2013-2028: this happens when the chunked
>> size is negative.
>> That is: that the value is positive when stored in an unsigned int
>> (obviously) but becomes negative when converting to a signed int.
>>
>> The code in preprocessors/HttpInspect/utils/hi_paf.c 'hi_exec' does
>> seem to check the length/size.
>> However: this is not the code that generated the alert.
>>
>> The alert is generated by the 'hi_eoh' function:
>>     if ( s->flags & HIF_CHK )
>>     {
>>         hi_exec(s, ACT_CK0, 0);
>>         return PAF_SEARCH;
>>     }
>>     if ( (s->flags & (HIF_REQ|HIF_LEN)) )
>>         return PAF_FLUSH;
>>
>>     if ( (s->flags & HIF_V11) && (s->flags & HIF_RSP) )
>>     {
>>         hi_exec(s, ACT_LN0, 0);
>>         hi_paf_event_msg_size();
>>         return PAF_FLUSH;
>>     }
>>
>> If I read the code correctly:
>> * if there is a 'Transfer-Encoding: Chunked' header then the PAF_SEARCH
>> is returned (first if)
>> * if this is a request or if the 'Content-Length' header is set then
>> PAF_FLUSH is returned (second if)
>> * if this is an HTTP/1.1 response then the 'HI_CLISRV_MSG_SIZE_EXCEPTION'
>> is generated.
>>
>> I don't understand why it generates the event in that particular place..
>> From what I can tell this case should be handled by the
>> 'HI_SERVER_NO_CONTLEN' alert...
>>
>>
>> Best regards,
>>
>> Bram
>>
>>
>>
>> Quoting Bram <bram-fabeg at ...3414...>:
>>
>>> Hi,
>>>
>>>
>>> There appears to be a false positive with the
>>>  'HI_CLISRV_MSG_SIZE_EXCEPTION' alert.
>>> At the very least it displays some confusing/strange behaviour.
>>>
>>> Attached are three TCP dump files.
>>> The TCP session in the three dumps is exactly the same, the only
>>>  difference is in the port number (and the sequence/ack numbers).
>>> (NOTE: this is a minimal version of the dump - this was triggered on
>>>  other traffic but the dump was made as tiny as possible)
>>>
>>> In the config file:
>>> * port 80 and port 8080 are handled the same.
>>> * port 7000 is listed as port for the 'http_inspect' preprocessor but
>>>  not listed in the 'stream5_tcp' preprocessor.
>>>
>>>
>>> Full configuration file:
>>>        dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>>>        preprocessor stream5_global: \
>>>           track_tcp yes, \
>>>           track_udp no, \
>>>           track_icmp no
>>>        preprocessor stream5_tcp: policy first, ports 80 8080
>>>
>>>        preprocessor http_inspect: global iis_unicode_map unicode.map
>>> 1252  compress_depth 65535 decompress_depth 65535
>>>        preprocessor http_inspect_server: server default \
>>>            http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK
>>>  UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE
>>>  TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH
>>>  BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST
>>>  SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>>>            chunk_length 500000 \
>>>            server_flow_depth 0 \
>>>            client_flow_depth 0 \
>>>            post_depth 65495 \
>>>            oversize_dir_length 500 \
>>>            max_header_length 4096 \
>>>            max_headers 100 \
>>>            max_spaces 0 \
>>>            small_chunk_length { 10 5 } \
>>>            ports { 80 7000 8080 } \
>>>            non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>            enable_cookie \
>>>            extended_response_inspection \
>>>            inspect_gzip \
>>>            normalize_utf \
>>>            unlimited_decompress \
>>>            normalize_javascript \
>>>            apache_whitespace no \
>>>            ascii no \
>>>            bare_byte no \
>>>            directory no \
>>>            double_decode no \
>>>            iis_backslash no \
>>>            iis_delimiter no \
>>>            iis_unicode no \
>>>            multi_slash no \
>>>            utf_8 no \
>>>            u_encode yes \
>>>            webroot no
>>>
>>>        alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120;
>>> rev:  2; metadata: rule-type preproc; )
>>>        alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1;
>>>  metadata: rule-type preproc ;  )
>>>
>>>        output alert_fast: stdout
>>>
>>>
>>> Running it shows:
>>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>>> -r  /tmp/120_8_2_80.cap 2>&1 | grep 120:
>>>        08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO
>>>  CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority:  0]
>>> {TCP} 192.168.173.1:80 -> 192.168.173.153:43668
>>>
>>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>>> -r  /tmp/120_8_2_7000.cap 2>&1 | grep 120:
>>>        08/12-18:19:21.036304  [**] [120:3:1] (http_inspect) NO
>>>  CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority:  0]
>>> {TCP} 192.168.173.1:7000 -> 192.168.173.153:36671
>>>
>>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>>> -r  /tmp/120_8_2_8080.cap 2>&1 | grep 120:
>>>        08/09-10:00:25.993618  [**] [120:8:2] (http_inspect) INVALID
>>>  CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP}
>>> 192.168.173.153:54958 -> 192.168.173.1:8080
>>>        08/09-10:00:25.993471  [**] [120:3:1] (http_inspect) NO
>>>  CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority:  0]
>>> {TCP} 192.168.173.1:8080 -> 192.168.173.153:54958
>>>
>>> The 'NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE' alert is
>>>  expected.
>>> The 'INVALID CONTENT-LENGTH OR CHUNK SIZE' alert is unexpected...
>>>
>>>
>>> Looking further:
>>>
>>> * 120_8_2_80.cap:
>>>        'HI_SERVER_NO_CONTLEN' shown on packet 6
>>>
>>> * 120_8_2_7000.cap:
>>>        'HI_SERVER_NO_CONTLEN' shown on packet 6
>>>
>>> * 120_8_2_8080.cap:
>>>        'HI_CLISRV_MSG_SIZE_EXCEPTION' shown on packet 8
>>>        'HI_SERVER_NO_CONTLEN' shown on packet 10
>>>
>>> Why is the behaviour for port 80 different from the behaviour for port
>>> 8080?
>>> As far as I can see it's configured the same...
>>>
>>>
>>> Breaking in 'CheckFlushPolicyOnAck' with gdb shows:
>>>
>>>
>>> * 120_8_2_80.cap:
>>>        For packets 1, 2 and 10: 'CheckFlushPolicyOnAck' never called
>>>        For packets 3, 4, 5, 6, 7, 8 and 9: 'talker->flush_mgr.flush_policy'
>>>  is set to 5 (STREAM_FLPOLICY_IGNORE)
>>>
>>> * 120_8_2_7000.cap:
>>>        For packets 1, 2 and 10: 'CheckFlushPolicyOnAck' never called
>>>        For packets 3, 4, 5, 6, 7, 8 and 9: 'talker->flush_mgr.flush_policy'
>>>  is set to 5 (STREAM_FLPOLICY_IGNORE)
>>>
>>>
>>> * 120_8_2_8080.cap:
>>>        For packets 1 and 2: 'CheckFlushPolicyOnAck' never called
>>>        For packets 3, 4, 5, 6 and 7: 'talker->flush_mgr.flush_policy'
>>> is set  to 6 (STREAM_FLPOLICY_PROTOCOL)
>>>        For packet 8: 'CheckFlushPolicyOnAck' called twice, first time
>>>  'talker->flush_mgr.flush_policy' is set to 6
>>>  (STREAM_FLPOLICY_PROTOCOL), second time it's set to 1
>>>  (STREAM_FLPOLICY_FOOTPRINT)
>>>        For packets 9 and 10: 'talker->flush_mgr.flush_policy' is set
>>> to 1  (STREAM_FLPOLICY_FOOTPRINT)
>>>
>>>
>>>
>>> Best regards,
>>>
>>> Bram
>>>
>>>
>>
>>
>>
>>
>
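To make the branch order that Bram traces through 'hi_eoh' concrete, the following is an added, stand-alone C model of that decision together with the chunk-size sign check he describes for CVE 2013-2028. It is example code written for this page, not Snort's own source: the HIF_* bit values, the function names classify_headers, hi_eoh_decision and chunk_size_ok, the constructed sample headers in main, and the result for a message that passes all three tests (the quoted excerpt ends there, so PAF_FLUSH is assumed) are all assumptions of this example.

```c
/* Added example modelling the hi_eoh() tail quoted in the thread.
 * Not Snort code: flag bit positions and function names are assumed. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits consulted by the quoted hi_eoh(); the bit positions are assumed. */
#define HIF_REQ 0x01u  /* message is a request */
#define HIF_RSP 0x02u  /* message is a response */
#define HIF_V11 0x04u  /* HTTP/1.1 */
#define HIF_LEN 0x08u  /* Content-Length header present */
#define HIF_CHK 0x10u  /* Transfer-Encoding: chunked present */

enum paf_action { PAF_SEARCH = 0, PAF_FLUSH = 1 };

/* sid of the gid 120 event raised by the third branch in the thread. */
#define SID_CLISRV_MSG_SIZE_EXC 8

/* Length of the current line, excluding CR/LF. */
static size_t line_len(const char *s) {
    size_t n = 0;
    while (s[n] && s[n] != '\r' && s[n] != '\n') n++;
    return n;
}

/* Case-insensitive search for needle inside the current line only;
 * returns the match offset, or -1 if absent. */
static long line_find_ci(const char *line, const char *needle) {
    size_t n = line_len(line), m = strlen(needle), i, j;
    for (i = 0; i + m <= n; i++) {
        for (j = 0; j < m; j++)
            if (tolower((unsigned char)line[i + j]) != tolower((unsigned char)needle[j])) break;
        if (j == m) return (long)i;
    }
    return -1;
}

/* Derive the flags hi_eoh() consults from a raw header block (start line plus
 * headers, terminated by an empty line). Only what the decision needs is read. */
unsigned classify_headers(const char *hdrs) {
    unsigned flags = 0;
    const char *line = hdrs;

    flags |= (strncmp(line, "HTTP/", 5) == 0) ? HIF_RSP : HIF_REQ;  /* status vs request line */
    if (line_find_ci(line, "HTTP/1.1") >= 0) flags |= HIF_V11;

    while ((line = strchr(line, '\n')) != NULL) {
        line++;
        if (line_len(line) == 0) break;                       /* empty line ends headers */
        if (line_find_ci(line, "Content-Length:") == 0) flags |= HIF_LEN;
        if (line_find_ci(line, "Transfer-Encoding:") == 0 && line_find_ci(line, "chunked") > 0)
            flags |= HIF_CHK;
    }
    return flags;
}

/* The three tests of the quoted hi_eoh() tail, in order. *sid receives the
 * gid 120 sid raised (0 if none). The excerpt ends after the third test, so the
 * final PAF_FLUSH for e.g. an HTTP/1.0 response without a length is assumed. */
enum paf_action hi_eoh_decision(unsigned flags, int *sid) {
    *sid = 0;
    if (flags & HIF_CHK)
        return PAF_SEARCH;                 /* chunked body: keep searching for chunk boundaries */
    if (flags & (HIF_REQ | HIF_LEN))
        return PAF_FLUSH;                  /* request, or body length is known */
    if ((flags & HIF_V11) && (flags & HIF_RSP)) {
        *sid = SID_CLISRV_MSG_SIZE_EXC;    /* 120:8 is raised here, before the flush */
        return PAF_FLUSH;
    }
    return PAF_FLUSH;                      /* assumed; not shown in the quoted code */
}

/* The condition Bram reads into CVE 2013-2028: a chunk size that parses as a
 * valid unsigned value but is negative once treated as a signed 32-bit int.
 * Returns 1 only for a well-formed hex token that fits a non-negative int32. */
int chunk_size_ok(const char *hex, uint32_t *out) {
    uint64_t v = 0;
    int ndigits = 0;
    for (; isxdigit((unsigned char)*hex); hex++, ndigits++) {
        int d = isdigit((unsigned char)*hex) ? *hex - '0'
                                             : tolower((unsigned char)*hex) - 'a' + 10;
        v = (v << 4) | (uint64_t)d;
        if (v > UINT32_MAX) return 0;                          /* does not fit an unsigned int */
    }
    if (ndigits == 0 || (*hex != '\0' && *hex != ';' && *hex != '\r' && *hex != '\n'))
        return 0;                                              /* malformed chunk-size line */
    if (out) *out = (uint32_t)v;
    return v <= (uint64_t)INT32_MAX;                           /* sign bit set => "negative" */
}

int main(void) {
    /* Constructed sample messages, not taken from the thread's captures. */
    const char *samples[] = {
        "HTTP/1.1 200 OK\r\nServer: x\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n",
        "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: h\r\n\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int sid;
        enum paf_action a = hi_eoh_decision(classify_headers(samples[i]), &sid);
        printf("sample %zu: %s, sid %d\n", i, a == PAF_SEARCH ? "PAF_SEARCH" : "PAF_FLUSH", sid);
    }
    printf("chunk 7fffffff ok=%d, 80000000 ok=%d\n", chunk_size_ok("7fffffff", NULL), chunk_size_ok("80000000", NULL));
    return 0;
}
```

Run as written, the first sample (an HTTP/1.1 response with neither Content-Length nor Transfer-Encoding) is the only one that reaches the third branch, and that branch raises sid 8 without ever looking at a chunk size; chunk_size_ok is the separate check that the alert text refers to, which this path never consults.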

