[Snort-sigs] Interesting false positive for HTTP_Connect

Matthew Jonkman matt at ...2436...
Sat Jul 17 11:52:01 EDT 2004


Getting a rather unusual false pos for the http connect tunnel rule 
Brandon Barnes sent up.

The rule is really close to being right I think, the other false 
positives I get I expect. But here's one that I find interesting. The 
target net is a bank, the traffic is a person hitting the non-ssl 
portion of their website:

000 : 47 45 54 20 2F 69 6D 67 2F 67 72 61 70 68 69 63   GET /img/graphic
010 : 5F 70 65 66 63 75 5F 6E 61 6D 65 2E 67 69 66 20   _xxxxx_name.gif
020 : 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74   HTTP/1.1..Accept
030 : 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20   : */*..Referer:
040 : 68 74 74 70 3A 2F 2F 70 75 72 64 75 65 65 66 63   http://<bankname>
050 : 75 2E 63 6F 6D 2F 0D 0A 41 63 63 65 70 74 2D 4C   x.com/..Accept-L
060 : 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A   anguage: en-us..
070 : 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69   User-Agent: Mozi
080 : 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69   lla/4.0 (compati
090 : 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 43   ble; MSIE 6.0; C
0a0 : 53 20 32 30 30 30 20 36 2E 30 3B 20 57 61 6C 2D   S 2000 6.0; Wal-
0b0 : 4D 61 72 74 20 43 6F 6E 6E 65 63 74 20 36 2E 30   Mart Connect 6.0
0c0 : 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31   ; Windows NT 5.1
0d0 : 3B 20 42 65 6C 6C 53 6F 75 74 68 2F 31 2E 30 2E   ; BellSouth/1.0.
0e0 : 30 29 0D 0A 43 6F 6F 6B 69 65 3A 20 43 46 49 44   0)..Cookie: CFID
0f0 : 3D 31 30 39 36 30 31 36 3B 20 43 46 54 4F 4B 45   =1096016; CFTOKE
100 : 4E 3D 34 38 33 39 33 36 34 33 0D 0A 48 6F 73 74   N=48393644..Host
110 : 3A 20 70 75 72 64 75 65 65 66 63 75 2E 63 6F 6D   : <bankname>.com
120 : 0D 0A 0D 0A                                       ....


Looks like the user agent field is tripping the rule. But I'm curious 
as to what the application is that's sending the request. Maybe a 
Walmart kiosk of some sort? Or maybe they've got a custom proxy for 
outbound traffic changing the username. Who really needs to know that 
BellSouth and Walmart have something to do with the request? Unless this 
is some tracking junk BellSouth is packaging with broadband CDs or 
something.

The point is, I think someone mentioned earlier that a within statement 
between the CONNECT and the HTTP/1.x would make the rule better. Have 
you tried that in your nets, Brandon? Anyone know what the max 
range should be between those?

matt
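Added illustration, not code from the post and not the rule Brandon Barnes circulated (the post does not reproduce it): a small Python emulation of the Snort 2.x content-match semantics that matter here (content, nocase, depth, distance, within), run over constructed requests modelled on the hex dump above, with placeholder hostnames. The three rule bodies are hypothetical stand-ins: a loose rule with two independent content matches (which is what fires on a User-Agent containing "Connect", because the second content is searched from the start of the payload, not after the first), the within-only variant suggested in the thread, and a version that also pins CONNECT to the request line with depth. The 270-byte bound is an estimate from the longest legal target (a 253-byte host name, a colon, a 5-digit port, and the surrounding spaces). It goes one step beyond the post by showing that within alone still fires on a path that contains "connect", which is why the depth anchor is there too.

```python
import re

# --- constructed sample traffic (modelled on the post's hex dump; the host
#     names are placeholders, not the site from the post) --------------------
PACKETS = {
    # The reported false positive: a plain GET whose User-Agent contains "Connect".
    "ua_false_positive": (
        b"GET /img/graphic_name.gif HTTP/1.1\r\n"
        b"Accept: */*\r\n"
        b"Referer: http://bank.example/\r\n"
        b"Accept-Language: en-us\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; CS 2000 6.0; "
        b"Wal-Mart Connect 6.0; Windows NT 5.1; BellSouth/1.0.0)\r\n"
        b"Cookie: CFID=1096016; CFTOKEN=48393644\r\n"
        b"Host: bank.example\r\n\r\n"
    ),
    # A GET whose path happens to contain the word.
    "url_false_positive": b"GET /connect/index.html HTTP/1.1\r\nHost: bank.example\r\n\r\n",
    # A genuine CONNECT tunnel request to a mail port.
    "connect_tunnel": b"CONNECT mail.example:25 HTTP/1.0\r\nHost: mail.example:25\r\n\r\n",
}

# --- hypothetical rule option strings (not the rule discussed in the post) ---
RULES = {
    # Two independent content matches: each is searched from the payload start.
    "loose": 'content:"CONNECT"; nocase; content:"HTTP/1.";',
    # The thread's suggestion: make the version token relative to CONNECT.
    # 270 bytes covers a 253-byte host, a colon, a 5-digit port and the spaces.
    "within_only": 'content:"CONNECT"; nocase; content:"HTTP/1."; within:270;',
    # Also pin CONNECT to the request line: an 8-byte pattern inside an 8-byte depth.
    "anchored": 'content:"CONNECT "; nocase; depth:8; content:"HTTP/1."; within:270;',
}

_OPTION = re.compile(r'([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_contents(options):
    """Parse the subset of Snort rule options used here (content, nocase,
    offset, depth, distance, within) into a list of content-match dicts.
    Other options (msg, flow, sid, ...) are accepted and ignored.
    A mini-parser written for this example, not Snort's own."""
    contents = []
    for key, value in _OPTION.findall(options):
        if key == "content":
            contents.append({"pattern": value[1:-1].encode(), "nocase": False,
                             "offset": 0, "depth": None, "distance": None, "within": None})
        elif key == "nocase":
            contents[-1]["nocase"] = True
        elif key in ("offset", "depth", "distance", "within"):
            contents[-1][key] = int(value)
    return contents


def rule_matches(payload, options):
    """Evaluate the content chain with Snort 2.x semantics: a content that
    carries distance/within is searched relative to the end of the previous
    match; one without them is searched from the payload start (honouring
    offset/depth). depth and within bound where the whole pattern must end."""
    cursor = 0  # end of the previous match
    for c in parse_contents(options):
        hay = payload.lower() if c["nocase"] else payload
        needle = c["pattern"].lower() if c["nocase"] else c["pattern"]
        if c["distance"] is not None or c["within"] is not None:
            start = cursor + (c["distance"] or 0)
            end = start + c["within"] if c["within"] is not None else len(payload)
        else:
            start = c["offset"]
            end = start + c["depth"] if c["depth"] is not None else len(payload)
        idx = hay.find(needle, start, end)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


def evaluate(rules=RULES, packets=PACKETS):
    """Return {rule_name: {packet_name: fired}} for every rule/packet pair."""
    return {r: {p: rule_matches(pl, opts) for p, pl in packets.items()}
            for r, opts in rules.items()}


if __name__ == "__main__":
    for rule, hits in evaluate().items():
        print(f"{rule:12s}", {p: "ALERT" if h else "-" for p, h in hits.items()})
```

Running it shows the loose rule firing on all three requests, the within-only rule clearing the User-Agent case but still firing on the /connect/ path, and the anchored rule firing only on the real tunnel. Real Snort also has the flow and $HTTP_PORTS constraints around this, which the emulation leaves out.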
