[Snort-sigs] Is modifier depth:32 required in the sid rule no. 1102

tony at ...2576...
Thu Jun 24 12:35:53 EDT 2004


Doesn't the "uricontent" keyword act with the same modifiers as the
"content" keyword?
2.5.8 uricontent

The uricontent parameter in the snort rule language searches the
NORMALIZED request URI field. This means that if you are writing rules
that include things that are normalized, such as %2f or directory
traversals, these rules will not alert. The reason is that the things you
are looking for are normalized out of the URI buffer.

For example, the URI:

/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver

will get normalized into:

/winnt/system32/cmd.exe?/c+ver

Another example, the URI:

/cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%252fp%68f?

will get normalized into:

/cgi-bin/phf?

When writing a uricontent rule, write the content that you want to find in
the context that the URI will be normalized. For example, if snort
normalizes directory traversals, do not include directory traversals.

You can write rules that look for the non-normalized content by using the
content option. (See Section 2.5.1)

For a description of the parameters to this function, see the content rule
options in Section 2.5.1. <<<---------------------

This option works in conjunction with the HTTP Inspect preprocessor
specified in Section 2.8.10.
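To make the excerpt concrete, here is a small Python model of the normalization it describes and of a uricontent check that honours depth. This is an added illustration, not code from the Snort manual, from HTTP Inspect, or from anyone in this thread: the three steps (two percent-decoding passes, folding of overlong two-byte UTF-8 such as %c0%af, and collapsing of ./.. path segments) are my simplification of what the preprocessor does, the query string is left untouched by assumption, and the function names are mine. It reproduces both URIs from the manual and shows why depth:32 on SID 1102 is meaningful even though the rule has no plain content keyword.

```python
from urllib.parse import unquote_to_bytes


def _fold_overlong_utf8(data: bytes) -> bytes:
    """Replace overlong two-byte UTF-8 sequences (e.g. C0 AF) by the ASCII
    byte they encode ('/'). Simplified model of HTTP Inspect's handling."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:  # overlong: an ASCII code point in two bytes
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def _collapse_traversal(path: str) -> str:
    """Resolve '.' and '..' segments and drop empty ('//') segments."""
    stack = []
    for seg in path.split("/"):
        if seg == "..":
            if stack:
                stack.pop()
        elif seg in ("", "."):
            continue
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def normalize_uri(raw: str) -> str:
    """Approximate the normalized request URI buffer that uricontent sees.
    Assumption: only the path is normalized; the query string is kept as-is."""
    path, sep, query = raw.partition("?")
    data = path.encode("latin-1")
    for _ in range(2):  # double decoding: %252f -> %2f -> /
        data = unquote_to_bytes(data)
    data = _fold_overlong_utf8(data)
    return _collapse_traversal(data.decode("latin-1")) + sep + query


def uricontent_match(raw_uri: str, pattern: str, depth=None) -> bool:
    """uricontent:"pattern"; [depth:N;]  -- the pattern must lie entirely
    within the first N bytes of the *normalized* URI buffer."""
    buf = normalize_uri(raw_uri)
    window = buf if depth is None else buf[:depth]
    return pattern in window


if __name__ == "__main__":
    # The two URIs quoted from the manual.
    print(normalize_uri("/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver"))
    print(normalize_uri("/cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%252fp%68f?"))
    # SID 1102: uricontent:"/nessus_is_probing_you_"; depth:32;
    # Constructed sample URIs, not captured traffic.
    probe = "/nessus_is_probing_you_9"
    deep = "/some/deep/directory/path/nessus_is_probing_you_x"
    print(uricontent_match(probe, "/nessus_is_probing_you_", depth=32))  # True
    print(uricontent_match(deep, "/nessus_is_probing_you_", depth=32))   # False
    print(uricontent_match(deep, "/nessus_is_probing_you_"))             # True
```

The last three calls show the point of the thread: depth limits how far into the normalized URI buffer the uricontent pattern may end, so the same modifier that applies to content applies here. The other lesson from the excerpt also falls out of the model: a uricontent of "%c0%af" can never match, because the encoding has been normalized away before the search runs; a rule that needs the raw bytes must use content instead.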



> Hi!
>
>         Is modifier depth:32 required in the sid rule no. 1102 where there
> is no "content" keyword.
>         Details are presented below:
>
> Rule:-
>
> SID 	1102
> Message 	WEB-MISC Nessus 404 probe
> Signature 	alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established;
> uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301;
> classtype:web-application-attack; sid:1102; rev:7;)
>
> Manual:-
> 2.5.4 depth
>
> The depth keyword allows the rule writer to specify how far into a packet
> snort should search for the specified pattern. depth modifies the previous
> 'content' keyword in the rule.
>
> A depth of 5 would tell snort to only look for the specified pattern
> within the first 5 bytes of the payload.
>
> As the depth keyword is a modifier to the previous 'content' keyword,
> there must be a content in the rule before 'depth' is specified.
>
>
> Thanks,
>
> Rajesh Kumar
> iPolicy Networks Pvt. Ltd.
> NSEZ, Noida, U.P., India-201305
> Tel: 0120-2567002-5 extn:- 168 (O), 0120-2573097(R)
> Fax: 0120-2568681
>