[Snort-devel] HttpInspect/HTTP preprocessor: false positives HI_CLISRV_MSG_SIZE_EXCEPTION

Russ Combs rcombs at ...402...
Thu Aug 22 17:24:59 EDT 2013


FYI - I reproduced this.  120:8 is being generated due to the lack of any
transfer-encoding, content-length, or multipart/byteranges because the
length should be indicated in HTTP/1.1 (the only other option is end of
session which defeats the purpose of persistent connections).  There is
definitely overlap between 120:8 and 120:3 due to the way the http_inspect
code has evolved.  The overlap and other issues around this will be fixed
in a future release.

On Tue, Aug 20, 2013 at 8:40 AM, Russ Combs <rcombs at ...402...> wrote:

>
>
> On Tue, Aug 20, 2013 at 3:12 AM, Bram <bram-fabeg at ...3414...> wrote:
>
>> Hi Russ,
>>
>>
>> When I reported it I was using snort 2.9.5.
>> I just retested it with snort 2.9.5.3 (compiled with -O0 and without
>> patches) and it behaves the same.
>>
>> Mentioning it just in case: did you fix the original config? to trigger
>> this with the '120_8_2_80.cap' file the config ('preprocessor stream5_tcp')
>> needs to be fixed...
>>
>
> Yes, I did use the corrected config.  I'll try again.
>
>>
>> To avoid any confusion:
>>
>> $ snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.5.3 GRE (Build 132)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using libpcap version 1.3.0
>>            Using PCRE version: 8.32 2012-11-30
>>            Using ZLIB version: 1.2.8
>>
>>
>> (fixed) config:
>>
>>         dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>>         preprocessor stream5_global: \
>>            track_tcp yes, \
>>            track_udp no, \
>>            track_icmp no
>>         preprocessor stream5_tcp: policy first, ports both 80 8080
>>
>>
>>         preprocessor http_inspect: global iis_unicode_map unicode.map
>> 1252 compress_depth 65535 decompress_depth 65535
>>         preprocessor http_inspect_server: server default \
>>             http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK
>> UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE
>> TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH
>> BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST
>> RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>>             chunk_length 500000 \
>>             server_flow_depth 0 \
>>             client_flow_depth 0 \
>>             post_depth 65495 \
>>             oversize_dir_length 500 \
>>             max_header_length 4096 \
>>             max_headers 100 \
>>             max_spaces 0 \
>>             small_chunk_length { 10 5 } \
>>             ports { 80 7000 8080 } \
>>             non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>             enable_cookie \
>>             extended_response_inspection \
>>             inspect_gzip \
>>             normalize_utf \
>>             unlimited_decompress \
>>             normalize_javascript \
>>             apache_whitespace no \
>>             ascii no \
>>             bare_byte no \
>>             directory no \
>>             double_decode no \
>>             iis_backslash no \
>>             iis_delimiter no \
>>             iis_unicode no \
>>             multi_slash no \
>>             utf_8 no \
>>             u_encode yes \
>>             webroot no
>>
>>         alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120;
>> rev: 2; metadata: rule-type preproc; )
>>         alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1;
>> metadata: rule-type preproc ;  )
>>
>>         output alert_fast: stdout
>>
>>
>> Running it:
>>
>>
>>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r /tmp/120_8_2_80.cap 2>&1  | grep '120:'
>>         08/12-18:21:01.997838  [**] [120:8:2] (http_inspect) INVALID
>> CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP}
>> 192.168.173.153:43668 -> 192.168.173.1:80
>>         08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO
>> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0]
>> {TCP} 192.168.173.1:80 -> 192.168.173.153:43668
>>
>> Comparing 'src/preprocessors/HttpInspect/utils/hi_paf.c' between snort
>> 2.9.5 and snort 2.9.5.3 shows no relevant change.
>> So this behaviour should be reproducible on both 2.9.5 and 2.9.5.3 (as
>> shown above).
>>
>>
>> Best regards,
>>
>> Bram
>>
>>
>> Quoting Russ Combs <rcombs at ...402...>:
>>
>>>
>>> Hey Bram - which version of Snort are you running?  I'm only getting
>>> 120:3
>>> with 295-132.
>>>
>>> On Fri, Aug 16, 2013 at 8:55 AM, Russ Combs <rcombs at ...402...>
>>> wrote:
>>>
>>>> Thanks for reporting this.  I will investigate and get back to you.
>>>>
>>>> Russ
>>>>
>>>>
>>>>
>>
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>>
>
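The body-delimiting rules Russ refers to above (Transfer-Encoding, Content-Length, multipart/byteranges, or else end of connection) are the RFC 7230 section 3.3.3 / RFC 2616 section 4.4 rules that http_inspect's 120:3 and 120:8 both touch. The following is an added example, not code from the thread and not Snort's http_inspect source: a small Python classifier that reports which delimiter a response uses and which of the related error conditions (no length indicator in an HTTP/1.1 response, invalid or conflicting Content-Length, invalid chunk size) it exhibits. The sample responses and the function names are constructed for the demo and are not taken from the 120_8_2_80.cap file.

```python
import re

# Constructed sample responses (not from the pcap discussed in the thread).
SAMPLES = {
    "close_delimited": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                        b"<html>no length indicator</html>"),
    "http10": b"HTTP/1.0 200 OK\r\n\r\nold style, closed by the server",
    "chunked": (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"5;ext=1\r\nhello\r\n0\r\n\r\n"),
    "bad_chunk": (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                  b"zz\r\nhello\r\n0\r\n\r\n"),
    "bad_length": b"HTTP/1.1 200 OK\r\nContent-Length: 12abc\r\n\r\nhello",
    "conflicting_length": (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
                           b"Content-Length: 6\r\n\r\nhello"),
    "no_body_304": b"HTTP/1.1 304 Not Modified\r\nETag: \"abc\"\r\n\r\n",
    "byteranges": (b"HTTP/1.1 206 Partial Content\r\nContent-Type: "
                   b"multipart/byteranges; boundary=SEP\r\n\r\n--SEP\r\n..."),
}

STATUS_RE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})")
CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]+$")


def parse_response_head(raw):
    """Split a raw response into (version, status, headers, body).

    headers keeps duplicates as (lowercased name, value) pairs so that
    conflicting Content-Length values remain visible.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP response status line")
    version = (int(m.group(1)), int(m.group(2)))
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower().decode("latin-1"),
                            value.strip().decode("latin-1")))
    return version, int(m.group(3)), headers, body


def check_chunks(body):
    """Walk a chunked body; return a problem string or None if well formed."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return "truncated chunked body"
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop extensions
        if not CHUNK_SIZE_RE.match(size_field):
            return "invalid chunk size %r" % size_field
        size = int(size_field, 16)
        if size == 0:
            return None
        pos = end + 2 + size + 2  # chunk data plus its trailing CRLF
        if pos > len(body):
            return "truncated chunked body"


def classify_framing(raw, request_method="GET"):
    """Return (framing, problems) for one response.

    framing: 'no-body', 'chunked', 'content-length', 'multipart/byteranges'
    or 'close-delimited'.  problems: conditions a parser or IDS would flag.
    """
    version, status, headers, body = parse_response_head(raw)
    problems = []
    # Some responses never carry a body, whatever the headers say.
    if request_method == "HEAD" or 100 <= status < 200 or status in (204, 304):
        return "no-body", problems
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    ct = [v for n, v in headers if n == "content-type"]
    if te:  # Transfer-Encoding takes precedence over Content-Length
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked":
            problems.append("transfer-encoding without final chunked coding")
            return "close-delimited", problems
        err = check_chunks(body)
        if err:
            problems.append(err)
        return "chunked", problems
    if cl:
        if len(set(cl)) > 1:
            problems.append("conflicting content-length values")
        for v in set(cl):
            if not v.isdigit():
                problems.append("invalid content-length %r" % v)
        return "content-length", problems
    if any(v.lower().startswith("multipart/byteranges") for v in ct):
        return "multipart/byteranges", problems
    # Legal, but the only remaining delimiter is the end of the TCP session,
    # which is the condition behind the thread's 120:3 alert.
    if version >= (1, 1):
        problems.append("no length indicator in HTTP/1.1 response")
    return "close-delimited", problems


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-20s %s" % (name, classify_framing(raw)))
```

Running the script prints one line per sample; the two conditions worth keeping apart when reading 120:3 versus 120:8 are "no length indicator in HTTP/1.1 response" (a response that is legal but can only be close-delimited) and "invalid content-length"/"invalid chunk size" (a length indicator that is present but malformed). An HTTP/1.0 response with no length headers is classified as close-delimited without a problem, since that was the normal case before persistent connections.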