[Snort-devel] HttpInpsect/HTTP preprocessor: false positives HI_CLISRV_MSG_SIZE_EXCEPTION

Bram bram-fabeg at ...3414...
Tue Aug 20 03:12:25 EDT 2013


Hi Russ,


When I reported it I was using snort 2.9.5.
I just retested it with snort 2.9.5.3 (compiled with -O0 and without  
patches) and it behaves the same.

Mentioning it just in case: did you fix the original config? to  
trigger this with the '120_8_2_80.cap' file the config ('preprocessor  
stream5_tcp') needs to be fixed...

To avoid any confusion:

$ snort -V

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.5.3 GRE (Build 132)
    ''''    By Martin Roesch & The Snort Team:  
http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.3.0
            Using PCRE version: 8.32 2012-11-30
            Using ZLIB version: 1.2.8


(fixed) config:
	dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
	preprocessor stream5_global: \
	   track_tcp yes, \
	   track_udp no, \
	   track_icmp no
	preprocessor stream5_tcp: policy first, ports both 80 8080

	preprocessor http_inspect: global iis_unicode_map unicode.map 1252  
compress_depth 65535 decompress_depth 65535
	preprocessor http_inspect_server: server default \
	    http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK  
UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE  
TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH  
BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST  
SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
	    chunk_length 500000 \
	    server_flow_depth 0 \
	    client_flow_depth 0 \
	    post_depth 65495 \
	    oversize_dir_length 500 \
	    max_header_length 4096 \
	    max_headers 100 \
	    max_spaces 0 \
	    small_chunk_length { 10 5 } \
	    ports { 80 7000 8080 } \
	    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
	    enable_cookie \
	    extended_response_inspection \
	    inspect_gzip \
	    normalize_utf \
	    unlimited_decompress \
	    normalize_javascript \
	    apache_whitespace no \
	    ascii no \
	    bare_byte no \
	    directory no \
	    double_decode no \
	    iis_backslash no \
	    iis_delimiter no \
	    iis_unicode no \
	    multi_slash no \
	    utf_8 no \
	    u_encode yes \
	    webroot no

	alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120; rev:  
2; metadata: rule-type preproc; )
	alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1;  
metadata: rule-type preproc ;  )

	output alert_fast: stdout


Running it:

	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r  
/tmp/120_8_2_80.cap 2>&1  | grep '120:'
	08/12-18:21:01.997838  [**] [120:8:2] (http_inspect) INVALID  
CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP}  
192.168.173.153:43668 -> 192.168.173.1:80
	08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO  
CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority:  
0] {TCP} 192.168.173.1:80 -> 192.168.173.153:43668

Comparing 'src/preprocessors/HttpInspect/utils/hi_paf.c' between snort  
2.9.5 and snort 2.9.5.3 shows no relevant change..
So this behaviour should be reproducible on both 2.9.5 and 2.9.5.3 (as  
shown above).


Best regards,

Bram

Quoting Russ Combs <rcombs at ...402...>:
>
> Hey Bram - which version of Snort are you running?  I'm only getting 120:3
> with 295-132.
>
> On Fri, Aug 16, 2013 at 8:55 AM, Russ Combs <rcombs at ...402...> wrote:
>
>> Thanks for reporting this.  I will investigate and get back to you.
>>
>> Russ
>>
>>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.





More information about the Snort-devel mailing list