[Snort-sigs] false positive BLEEDING-EDGE HTTP CONNECT Tunnel Attempt

Matt Ostiguy ostiguy at ...2689...
Wed Aug 4 13:36:15 EDT 2004


The rule as I have it:

alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel
Attempt"; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0;
within:1024; content:"HTTP/1."; distance:-10; within:8; nocase;
content:!"\:80"; distance:-11; within:4; content:"CONNECT "; nocase;
content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1.";
distance:-10; within:8; nocase; content:!"\:443"; distance:-12;
within:5; flow:to_server,established; sid:2000560; rev:4; )



My end user doing their part to revive the US economy (it appears to
be a flash applet to build out a Dodge):

000 : 47 45 54 20 2F 76 69 72 74 75 61 6C 73 68 6F 77   GET /virtualshow
010 : 72 6F 6F 6D 2F 6D 65 74 72 69 63 2F 76 73 68 5F   room/metric/vsh_
020 : 6D 65 74 72 69 63 2E 68 74 6D 6C 3F 76 73 68 74   metric.html?vsht
030 : 3D 32 30 30 34 30 37 32 31 30 38 35 32 34 36 26   =20040721085246&
040 : 76 73 68 66 3D 64 6F 64 67 65 26 76 73 68 79 3D   vshf=dodge&vshy=
050 : 30 35 26 76 73 68 6D 3D 6C 78 64 70 34 39 26 76   05&vshm=lxdp49&v
060 : 73 68 63 3D 55 43 6F 6E 6E 65 63 74 20 48 54 54   shc=UConnect HTT
070 : 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A   P/1.1..Accept: *
080 : 2F 2A 0D 0A 78 2D 66 6C 61 73 68 2D 76 65 72 73   /*..x-flash-vers
090 : 69 6F 6E 3A 20 37 2C 30 2C 31 39 2C 30 0D 0A 41   ion: 7,0,19,0..A
0a0 : 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20   ccept-Encoding:
0b0 : 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55   gzip, deflate..U
0c0 : 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C   ser-Agent: Mozil
0d0 : 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62   la/4.0 (compatib
0e0 : 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69   le; MSIE 6.0; Wi
0f0 : 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 20 2E 4E   ndows NT 5.1; .N
100 : 45 54 20 43 4C 52 20 31 2E 31 2E 34 33 32 32 29   ET CLR 1.1.4322)
110 : 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 64 6F 64 67   ..Host: www.dodg
120 : 65 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F   e.com..Connectio
130 : 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43   n: Keep-Alive..C
140 : 6F 6F 6B 69 65 3A 20 44 43 58 3D 31 32 39 2E 39   ookie: DCX=129.9
150 : 2E 31 35 35 2E 32 35 34 2E 32 32 31 39 35 31 30   .155.254.2219510
160 : 39 30 34 31 33 38 38 38 34 30 37 3B 20 43 50 3D   90413888407; CP=
170 : 2A 3B 20 73 65 73 65 73 73 69 6F 6E 69 64 3D 30   *; sesessionid=0
180 : 30 30 31 35 55 58 32 4A 47 51 57 42 55 4D 51 42   0015UX2JGQWBUMQB
190 : 58 44 43 31 4E 30 5A 51 58 41 0D 0A 0D 0A         XDC1N0ZQXA....



I am a complete snort rule n00b, but should there be a content:!"GET "
in there or some such?

Hopefully the formatting will come through.

Matt
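Replaying the posted rule against the dump above, as an added example that is not from the thread or from Snort itself: a small Python model of Snort 2 content semantics (nocase; distance and within are measured from the end of the previous match; a content with neither restarts at offset 0; a negated content never moves the match position; depth caps a non-relative search) run over a payload reconstructed from the dump, a constructed CONNECT to port 25, and a constructed CONNECT to port 443. It also tries the poster's content:!"GET " idea and, as an assumed alternative, anchoring the first CONNECT at the start of the payload with depth:8; the hostnames and the port-25 request are constructed for illustration.

```python
# Added example, not Snort's code: a minimal model of Snort 2 content matching
# (nocase, distance/within relative to the cursor, negation, depth), enough to
# replay sid:2000560 against the packet above. Backtracking is not modelled.
def content_match(payload: bytes, clauses) -> bool:
    cursor = 0
    for c in clauses:
        pat = c["pat"]
        relative = "distance" in c or "within" in c
        start = max(0, cursor + c.get("distance", 0)) if relative else 0
        length = c.get("within", c.get("depth", len(payload)))
        window = payload[start:start + length]
        idx = window.lower().find(pat.lower()) if c.get("nocase") else window.find(pat)
        if c.get("negate"):
            if idx >= 0:
                return False       # forbidden pattern present in the window
            continue               # a negated content does not advance the cursor
        if idx < 0:
            return False
        cursor = start + idx + len(pat)
    return True

def C(pat, **mods):
    return dict(pat=pat, **mods)

# sid:2000560 rev:4 as posted, transcribed clause by clause.
RULE_2000560 = [
    C(b"CONNECT ", nocase=True), C(b"\r\n", distance=0, within=1024),
    C(b"HTTP/1.", distance=-10, within=8, nocase=True),
    C(b":80", negate=True, distance=-11, within=4),
    C(b"CONNECT ", nocase=True), C(b"\r\n", distance=0, within=1024),
    C(b"HTTP/1.", distance=-10, within=8, nocase=True),
    C(b":443", negate=True, distance=-12, within=5),
]
# The poster's idea (a non-relative !"GET ") and, as an assumed alternative,
# anchoring the first CONNECT at the start of the payload with depth:8.
RULE_NOT_GET = [C(b"GET ", negate=True)] + RULE_2000560
RULE_ANCHORED = [C(b"CONNECT ", nocase=True, depth=8)] + RULE_2000560[1:]

# Constructed from the dump above: the GET whose query string ends in "UConnect HTTP/1.1".
DODGE_GET = (b"GET /virtualshowroom/metric/vsh_metric.html?vsht=20040721085246&vshf=dodge"
             b"&vshy=05&vshm=lxdp49&vshc=UConnect HTTP/1.1\r\nAccept: */*\r\n"
             b"Host: www.dodge.com\r\n\r\n")
# Constructed tunnel requests: port 25 should alert, port 443 is excluded by the rule.
TUNNEL_25 = b"CONNECT mail.example.com:25 HTTP/1.1\r\nHost: mail.example.com:25\r\n\r\n"
TUNNEL_443 = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"

def evaluate(rule):
    """(fires on the Dodge GET, fires on CONNECT :25, fires on CONNECT :443)"""
    return tuple(content_match(p, rule) for p in (DODGE_GET, TUNNEL_25, TUNNEL_443))
```

evaluate(RULE_2000560) returns (True, True, False): the rev:4 rule fires on the Dodge GET because the unanchored nocase "CONNECT " content is satisfied by "UConnect " in the query string. Both alternatives return (False, True, False), and the anchored form does not depend on which request methods happen to appear anywhere in the packet.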
