[Snort-sigs] Interesting false positive for HTTP_Connect

Matthew Jonkman matt at ...2436...
Sun Jul 18 14:01:03 EDT 2004


My bad, fixed.

Thanks

Matt

Jason wrote:
> The space after CONNECT got removed.
> 
> it should be content:"CONNECT " not content:"CONNECT"
> 
> For that matter it should be done up something like
> 
> content:"CONNECT"; nocase; pcre:"/^CONNECT\s*/smi"
> 
> but that will have to wait till later.
> 
> 
> Matthew Jonkman wrote:
> 
>> Take that back, tested it before posting it and it's still hitting on 
>> every http request.
>>
>> Jason, do you think it's hitting on "Connection: Keep Alive" in these 
>> packets? Since there's a nocase on the connect it would hit here.
>>
>> Matt
>>
>> Matthew Jonkman wrote:
>>
>>> Jason wrote:
>>>
>>>> So I should not do rules after 6pm, not on weekends, and only when I 
>>>> have the time to test them, apologies to anyone that got inundated 
>>>> with crap alerts.
>>>
>>> My only rule is a 2 drink maximum before I post something. Not that 
>>> that's never been violated. Guess it's more of a "guideline" than a 
>>> rule.  :)
>>>
>>>>
>>>> Here is an updated version that fixes a problem with the alignment 
>>>> of HTTP/1. and adds within to the negative tests. I did not see any 
>>>> false positives across a few gigs of traffic and it fires when I hit 
>>>> a proxy connecting to a non standard web port. I also did not put in 
>>>> flow which is just plain stupid.
>>>
>>> The new version is posted on bleedingsnort and doing well. Thanks 
>>> Jason, great work.
>>>
>>> alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel 
>>> Attempt"; content:"CONNECT"; nocase; content:"|0d 0a|"; distance:0; 
>>> within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; 
>>> content:!"\:80"; distance:-11; within:4; content:"CONNECT"; nocase; 
>>> content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; 
>>> distance:-10; within:8; nocase; content:!"\:443"; distance:-12; 
>>> within:5; flow:to_server,established; sid:2000560; rev:2; )
>>>
>>> Matt
>>>
>>
>>
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
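An added worked example (not code from the thread or from bleedingsnort) that emulates, in Python, the content and pcre checks discussed above over constructed sample requests, so the "Connection: Keep-Alive" overlap can be reproduced offline; the sample requests, `content_match` and the simplified non-standard-port check are assumptions of the example, not rule semantics. It also shows that, because the /m flag lets ^ match at every line start and \s* accepts zero whitespace, the pcre form as written still overlaps "Connection:" on the sample request, while the trailing-space form does not.

```python
import re

# Constructed sample requests (not from the thread). "plain_get" carries the
# "Connection: Keep-Alive" header that Matt suspected was the false-positive trigger.
SAMPLE_REQUESTS = {
    "plain_get": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Connection: Keep-Alive\r\n\r\n"),
    "connect_8080": b"CONNECT tunnel.example.net:8080 HTTP/1.1\r\nHost: tunnel.example.net:8080\r\n\r\n",
    "connect_443": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "connect_80": b"CONNECT www.example.com:80 HTTP/1.1\r\nHost: www.example.com:80\r\n\r\n",
}

def content_match(payload: bytes, needle: bytes, nocase: bool = False) -> bool:
    """Emulate one Snort 'content' test: substring search, case-folded when nocase is set."""
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload

def posted_rule_hits(payload: bytes) -> bool:
    """content:"CONNECT"; nocase;  as in the posted rev:2 -- also matches 'Connection:'."""
    return content_match(payload, b"CONNECT", nocase=True)

def space_fix_hits(payload: bytes) -> bool:
    """content:"CONNECT "; the lost trailing space; 'Connection:' has no space after 'Connect'."""
    return content_match(payload, b"CONNECT ", nocase=True)

# pcre:"/^CONNECT\s*/smi" -> Python flags DOTALL (s), MULTILINE (m), IGNORECASE (i)
PCRE_AS_WRITTEN = re.compile(rb"^CONNECT\s*", re.S | re.M | re.I)

def pcre_as_written_hits(payload: bytes) -> bool:
    """Fast content pre-filter followed by the pcre exactly as suggested in the thread."""
    return content_match(payload, b"CONNECT", nocase=True) and PCRE_AS_WRITTEN.search(payload) is not None

# Simplified stand-in (assumption) for the rule's negative ':80' / ':443' tests.
REQUEST_LINE = re.compile(rb"\ACONNECT\s+[^\s:]+:(\d+)\s+HTTP/1\.", re.I)

def tunnel_to_nonstandard_port(payload: bytes) -> bool:
    """Alert only when the CONNECT request line names a port other than 80 or 443."""
    m = REQUEST_LINE.match(payload)
    return m is not None and int(m.group(1)) not in (80, 443)

def evaluate(requests=SAMPLE_REQUESTS):
    """Run every checker over every sample; returns {sample_name: {checker_name: bool}}."""
    checkers = (posted_rule_hits, space_fix_hits, pcre_as_written_hits, tunnel_to_nonstandard_port)
    return {name: {c.__name__: c(p) for c in checkers} for name, p in requests.items()}

if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name, results)
```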





