[Snort-devel] HTTP preprocessor: TCP retransmissions of requests body causes (incorrect) alerts

Bram bram-fabeg at ...3414...
Mon Sep 2 10:23:42 EDT 2013


Hi,


When a TCP packet of an HTTP request is retransmitted, it can cause alerts to be triggered incorrectly (AKA false positives).
This seems to happen only when a packet is retransmitted.

The attached dump was recreated using raw sockets based on an actual HTTP session.
The difference between the attached dump and the real traffic:
* less data
* the delay between packets is different
* port is different (5555 vs 80)

Config:
	dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
	preprocessor stream5_global: \
	   track_tcp yes, \
	   track_udp no, \
	   track_icmp no
	preprocessor stream5_tcp: policy first, ports both 80 5555

	preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
	preprocessor http_inspect_server: server default \
	    http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
	    chunk_length 500000 \
	    server_flow_depth 0 \
	    client_flow_depth 0 \
	    post_depth 65495 \
	    oversize_dir_length 500 \
	    max_header_length 4096 \
	    max_headers 100 \
	    max_spaces 0 \
	    small_chunk_length { 10 5 } \
	    ports { 80 5555 } \
	    webroot no

	alert ( msg: "HI_CLIENT_UNESCAPED_SPACE_IN_URI"; sid:33; gid: 119; rev: 1; metadata: rule-type preproc ; )

	output alert_fast: stdout

Running it:
	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/http_body_retransmit.cap 2>&1 | grep '119:'
	09/02-16:52:20.309803  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 0] {TCP} 192.168.173.153:5556 -> 192.168.173.1:5555


Looking at it shows that the alert is triggered on packet 10, which is the 'TCP Retransmission' of the request body...

My *guess* is that this problem is not directly related to the 'HI_CLIENT_UNESCAPED_SPACE_IN_URI' alert but that this is a more general problem.
That is: I believe it is related to how the packets get reassembled and that it is possible to trigger other alerts as well... but I have not (yet at least) attempted this.



Best regards,

Bram
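As an added illustration (not from the post, and not Snort's own code), the toy Python model below reproduces the failure mode described above: a stateful HTTP inspector that has finished consuming a Content-Length body treats a retransmitted copy of that body as the start of a new request and flags its spaces as an unescaped space in the URI, whereas a reassembler that drops segments below the next expected sequence number never hands the duplicate to the inspector. The segments, request and sequence numbers are constructed.

```python
import re

# Constructed client-to-server TCP segments (seq, payload) modelled on the scenario in
# the post: request head, body, then a retransmission of the body. Values are made up.
HEAD = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 34\r\n\r\n"
BODY = b"name=John Doe&comment=hi there now"          # 34 bytes, contains raw spaces
SEGMENTS = [(1000, HEAD), (1000 + len(HEAD), BODY), (1000 + len(HEAD), BODY)]

def uri_has_unescaped_space(line: bytes) -> bool:
    """Simplified stand-in for the HI_CLIENT_UNESCAPED_SPACE_IN_URI check: true when
    the text between the method and the version token of a request line has a space."""
    first, last = line.find(b" "), line.rfind(b" ")
    return first >= 0 and first != last and b" " in line[first + 1:last]

class HttpInspector:
    """Toy stateful inspector: each chunk either continues a Content-Length body or
    is taken to start a new request whose request line is checked."""
    def __init__(self):
        self.body_left, self.alerts = 0, []

    def feed(self, data: bytes):
        if self.body_left:                       # chunk continues the current body
            n = min(self.body_left, len(data))
            self.body_left, data = self.body_left - n, data[n:]
            if not data:
                return
        line = data.split(b"\r\n", 1)[0]         # not in a body: treat as a request line
        if uri_has_unescaped_space(line):
            self.alerts.append(line)
        head, _, rest = data.partition(b"\r\n\r\n")
        m = re.search(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$", head)
        self.body_left = max(int(m.group(1)) - len(rest), 0) if m else 0

def deliver(segments, dedupe: bool):
    """Toy stream reassembly. With dedupe=True a segment whose seq is below the next
    expected byte (a retransmission) is dropped instead of being re-inspected."""
    insp, next_seq = HttpInspector(), segments[0][0]
    for seq, payload in segments:
        if dedupe and seq < next_seq:
            continue                             # already-delivered bytes; do not re-inspect
        insp.feed(payload)
        next_seq = max(next_seq, seq + len(payload))
    return insp.alerts

if __name__ == "__main__":
    print("naive :", deliver(SEGMENTS, dedupe=False))   # body retransmit flagged as a URI
    print("dedupe:", deliver(SEGMENTS, dedupe=True))    # []
```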



Attachment: http_body_retransmit.cap (application/octet-stream, 2523 bytes)
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130902/eaa1eeec/attachment.obj>

