[Snort-devel] protected_content and replace?

Joshua Kinard kumba at ...2185...
Mon Oct 27 17:45:31 EDT 2014


Hmm, the manual needs to state that then.  It has no mentions that I can find
that 'replace' is invalid with the http modifiers for either 'content' or
'protected_content'.  The source code has these checks, however, in both
sp_replace.c and sp_pattern_match.c.

A quick fix for you guys to bug:

src/detection-plugins/sp_replace.c:64 in PayloadReplaceInit()

    if ( lastType ==  PLUGIN_PATTERN_MATCH_URI )
    {
        FatalError("%s(%d) => \"replace\" option is not supported "
                "with uricontent, nor in conjunction with http_uri, "
                "http_header, http_method, http_cookie, "
                "http_raw_uri, http_raw_header, or "
                "http_raw_cookie modifiers.\n",
                file_name, file_line);
    }

This text needs to include 'http_stat_code', 'http_stat_method', and
'http_client_body'.


Has any thought been given to allowing 'length' to accept byte_extract variables?


Btw, wouldn't 'replace' offer another bypass of protected_content?  I.e., given
the below:

protected_content:"901890A8E9C8CF6D5A1A542B229FEBFF"; length:3; hash:md5;
replace:"XXX";

One could simulate network traffic until the replaced characters appear in the
packet, then compare the modified packet with the original packet and derive the
original content match.  And then a speedier, more efficient fast_pattern rule
could be created in its place ;)

Cheers!

--J


On 10/27/2014 09:45, Carter Waxman (cwaxman) wrote:
> Hi Joshua,
> 
> The replace modifier works with protected_content in the same way it works
> with content. It will work with regular payload matches, but not URI/HTTP
> buffer matches.
> 
> Thanks,
> Carter Waxman
> 
> On 10/25/14, 11:47 PM, "Joshua Kinard" <kumba at ...2185...> wrote:
> 
>>
>> I see this note in the manual for protected_content:
>>
>> The protected content keyword can be used with some (but not all) of the
>> content modifiers. Those not
>> supported include:
>> nocase
>> fast_pattern
>> depth
>> within
>>
>> I assume 'replace' should be on that list as well?  It's always been in a
>> different section of the manual, but it seems to behave like a modifier
>> keyword, since it affects the previous content match.



-- 
Joshua Kinard
Gentoo/MIPS
kumba at ...2185...
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And our
lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
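The two points raised in the thread (replace being rejected alongside the HTTP buffer modifiers, and replace undoing what protected_content hides) can both be caught before a rule is deployed. The following is an added example, not code from Snort or from the thread: a small rule-option linter plus a reference protected_content matcher. The option names are Snort's own; the modifier list is the one quoted from sp_replace.c extended with http_stat_code, http_stat_msg and http_client_body (the poster's "http_stat_method" is taken to mean http_stat_msg, the actual Snort keyword). The sample rule, hash (md5 of the three bytes "abc") and payload are constructed for the example.

```python
import hashlib

# Modifiers that sp_replace.c refuses to combine with 'replace': the list from the
# FatalError text in the thread, plus the three the poster reports as missing.
HTTP_MODIFIERS = {
    "http_uri", "http_header", "http_method", "http_cookie",
    "http_raw_uri", "http_raw_header", "http_raw_cookie",
    "http_stat_code", "http_stat_msg", "http_client_body",
}
PATTERN_KEYWORDS = {"content", "uricontent", "protected_content"}

# Constructed sample rule body: protected_content hides "abc" behind its md5,
# but the trailing replace rewrites the match in the packet.
SAMPLE_RULE = ('protected_content:"900150983cd24fb0d6963f7d28e17f72"; '
               'length:3; hash:md5; replace:"XXX";')


def parse_options(body):
    """Split a rule option body into (keyword, value) pairs.

    A ';' inside double quotes is part of the value, as in Snort's own parser.
    Options without a value (e.g. http_method) get value None.
    """
    opts, buf, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        opts.append(buf.strip())
    pairs = []
    for opt in opts:
        key, _, value = opt.partition(":")
        pairs.append((key.strip(), value.strip().strip('"') or None))
    return pairs


def lint_replace(body):
    """Return warnings for every 'replace' that Snort would reject or that weakens
    protected_content. Modifiers apply to the most recent content-style option,
    exactly as Snort attaches them."""
    warnings = []
    last_pattern = None   # keyword of the most recent content/uricontent/protected_content
    modifiers = set()     # modifiers attached to that pattern so far
    for key, value in parse_options(body):
        if key in PATTERN_KEYWORDS:
            last_pattern, modifiers = key, set()
        elif key in HTTP_MODIFIERS:
            modifiers.add(key)
        elif key == "replace":
            if last_pattern is None:
                warnings.append("replace has no preceding content to modify")
            elif last_pattern == "uricontent" or modifiers:
                bad = ", ".join(sorted(modifiers)) or "uricontent"
                warnings.append(f"replace is not supported with {bad}")
            elif last_pattern == "protected_content":
                warnings.append("replace with protected_content exposes the hidden "
                                "pattern in rewritten traffic")
    return warnings


def protected_content_match(payload, hex_digest, length, algo="md5"):
    """Reference semantics of protected_content: hash every 'length'-byte window of
    the payload and return the offset of the first one matching the rule's digest,
    or -1 if none does."""
    target = hex_digest.lower()
    for off in range(len(payload) - length + 1):
        if hashlib.new(algo, payload[off:off + length]).hexdigest() == target:
            return off
    return -1


def apply_replace(payload, offset, length, replacement):
    """What 'replace' does to the packet: overwrite the matched bytes in place.
    Snort requires the replacement to be exactly as long as the match."""
    if len(replacement) != length:
        raise ValueError("replace text must be the same length as the match")
    return payload[:offset] + replacement + payload[offset + length:]


if __name__ == "__main__":
    for w in lint_replace(SAMPLE_RULE):
        print("warning:", w)
    payload = b"xxabcyy"   # constructed packet payload containing the protected bytes
    off = protected_content_match(payload, "900150983cd24fb0d6963f7d28e17f72", 3)
    print("match at offset", off, "->", apply_replace(payload, off, 3, b"XXX"))
```

Running the linter over a rule set with `lint_replace` gives the parse-time error Snort would raise (without having to load the rule into a running sensor) and, for the protected_content case, flags the design issue the thread describes: once the sensor rewrites the matched bytes, the rewritten packet marks exactly where and how long the hidden pattern was.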