[Snort-sigs] Interesting false positive for HTTP_Connect

Jason security at ...704...
Sun Jul 18 12:49:04 EDT 2004


The space after CONNECT got removed.

it should be content:"CONNECT " not content:"CONNECT"

For that matter it should be done up something like

content:"CONNECT"; nocase; pcre:"/^CONNECT\s*/smi"

but that will have to wait till later.


Matthew Jonkman wrote:

> Take that back, tested it before posting it and it's still hitting on 
> every http request.
> 
> Jason, do you think it's hitting on "Connection: Keep Alive" in these 
> packets? Since there's a nocase on the connect it would hit here.
> 
> Matt
> 
> Matthew Jonkman wrote:
> 
>> Jason wrote:
>>
>>> So I should not do rules after 6pm, not on weekends, and only when I 
>>> have the time to test them, apologies to anyone that got inundated 
>>> with crap alerts.
>>
>>
>>
>> My only rule is a 2 drink maximum before I post something. Not that 
>> that's never been violated. Guess it's more of a "guideline" than a 
>> rule.  :)
>>
>>>
>>> Here is an updated version that fixes a problem with the alignment of 
>>> HTTP/1. and adds within to the negative tests. I did not see any 
>>> false positives across a few gigs of traffic and it fires when I hit 
>>> a proxy connecting to a non standard web port. I also did not put in 
>>> flow which is just plain stupid.
>>
>>
>>
>> The new version is posted on bleedingsnort and doing well. Thanks 
>> Jason, great work.
>>
>> alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel 
>> Attempt"; content:"CONNECT"; nocase; content:"|0d 0a|"; distance:0; 
>> within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; 
>> content:!"\:80"; distance:-11; within:4; content:"CONNECT"; nocase; 
>> content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; 
>> distance:-10; within:8; nocase; content:!"\:443"; distance:-12; 
>> within:5; flow:to_server,established; sid:2000560; rev:2; )
>>
>> Matt
>>
> 
> 
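The following Python script is an added illustration and is not part of the thread or of the bleedingsnort rule set. It emulates the three match styles discussed above (the posted `content:"CONNECT"; nocase;`, the corrected `content:"CONNECT "`, and the proposed `pcre:"/^CONNECT\s*/smi"`) against constructed HTTP requests, so the false positive on a `Connection: Keep-Alive` header can be reproduced offline. The tighter `\ACONNECT\s+...` pattern and the port extraction at the end are my own additions, not something the thread proposes.

```python
import re

# Constructed sample client requests; not captured traffic.
SAMPLES = {
    # Ordinary browser request whose header block contains "Connection:".
    "keepalive_get": (b"GET /index.html HTTP/1.1\r\n"
                      b"Host: www.example.com\r\n"
                      b"Connection: Keep-Alive\r\n\r\n"),
    # Proxy tunnel request to a non-standard port (the traffic the rule targets).
    "connect_8080": (b"CONNECT proxy.example.com:8080 HTTP/1.0\r\n"
                     b"Host: proxy.example.com:8080\r\n\r\n"),
    # Tunnel request to 443, which the rule's negative content tests exclude.
    "connect_443": (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                    b"Host: www.example.com:443\r\n\r\n"),
    # Lower-case method, which nocase is meant to catch.
    "lowercase_connect": b"connect internal.example.com:22 HTTP/1.0\r\n\r\n",
}


def content_connect_nocase(payload: bytes) -> bool:
    """Emulates content:"CONNECT"; nocase; (the posted rule).
    Case-insensitive substring match anywhere in the payload."""
    return b"connect" in payload.lower()


def content_connect_space(payload: bytes) -> bool:
    """Emulates content:"CONNECT "; nocase; (trailing space restored).
    The space rules out "Connection:" because that is followed by 'i'."""
    return b"connect " in payload.lower()


# pcre:"/^CONNECT\s*/smi" as proposed in the thread: /m lets ^ match at
# the start of every line, and \s* permits zero whitespace after CONNECT.
PCRE_AS_PROPOSED = re.compile(rb"^CONNECT\s*", re.S | re.M | re.I)


def pcre_connect_as_proposed(payload: bytes) -> bool:
    return PCRE_AS_PROPOSED.search(payload) is not None


# Tighter variant (my assumption, not from the thread): anchor to the very
# start of the payload, require at least one space after the method, and
# capture the port from the host:port target of the request line.
PCRE_TIGHT = re.compile(rb"\ACONNECT\s+[^\s:]+:(\d+)\s+HTTP/1\.", re.I)


def connect_tunnel_port(payload: bytes):
    """Return the requested port of a CONNECT request line, else None."""
    m = PCRE_TIGHT.match(payload)
    return int(m.group(1)) if m else None


def nonstandard_tunnel(payload: bytes) -> bool:
    """True when the request is a CONNECT to a port other than 80 or 443,
    mirroring the intent of the rule's content:!"\\:80" / !"\\:443" tests."""
    port = connect_tunnel_port(payload)
    return port is not None and port not in (80, 443)


def evaluate(samples=SAMPLES) -> dict:
    """Run every matcher over every sample; returns a per-sample result map."""
    return {
        name: {
            "content_nocase": content_connect_nocase(p),
            "content_space": content_connect_space(p),
            "pcre_as_proposed": pcre_connect_as_proposed(p),
            "nonstandard_tunnel": nonstandard_tunnel(p),
        }
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:18s} {result}")
```

Running it shows the plain `content:"CONNECT"` match firing on the ordinary GET because of its `Connection:` header, while the version with the trailing space does not. It also shows that the proposed PCRE, taken literally, still matches that GET: with the `m` modifier `^` matches at the start of the `Connection: Keep-Alive` line and `\s*` is satisfied by zero characters. Anchoring with `\A` (or dropping `m`) and requiring `\s+` after the method removes that, and capturing the port lets the check express "not 80 or 443" directly instead of through byte-offset negative content tests.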