[Snort-sigs] Apache Proxy

Alex Kirk alex.kirk at ...435...
Fri Jan 14 06:35:24 EST 2005


Actually, these rules are never going to fire -- at least not under 
normal circumstances where clients are following RFC 2616 
(http://www.faqs.org/rfcs/rfc2616.html). GET requests look like this 
when they come across the wire:

GET /path/to/file.html HTTP/1.1

Clients never need to transmit the http://<host> portion of a URL: 
http:// is obvious because the packet is being received by an HTTP 
server, and <host> is either implied from wherever the packet is being 
sent, or stated explicitly with a directive of

Host: www.example.com

somewhere following the GET request (most likely immediately after it).

Even if they did fire, though, I'm a bit confused as to how these rules 
differentiate between a misconfigured proxy server and a standard web 
server. In theory, these would fire on every single request that comes 
into one of your web servers -- and if you run even a moderately busy 
server, you're going to be so deluged with these alerts that you'd be 
hard-pressed to pay attention to any attacks coming into your network, 
let alone sort out legitimate web requests from misconfigured proxy 

If you really want to do this, that's fine; however, this is the sort of 
thing that should go in local.rules, so that people who don't want the 
flood of alerts these would generate don't accidentally snag them when 
doing a regular update. Alternatively, if you can find anything that 
actually sets the requests you're looking for aside from regular web 
requests -- which I would think is unlikely -- then perhaps a rule could 
be crafted to achieve your goal here.

Alex Kirk
Research Analyst
Sourcefire, Inc.

>I used the following signatures after discovering a
>mis-configured Apache server allowing unlimited proxy requests
>to help track down a couple more.  From a research/curiousity
>perspective it also gives me the site the attempted-proxy-user
>was trying to reach, which has been interesting.
>alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy GET
>Request"; flow:to_server,established; content:"GET http\://";
>depth:11; nocase; classtype:bad-unknown; sid:1000000; rev:1;)
>alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy
>HEAD Request"; flow:to_server,established; content:"HEAD
>http\://"; depth:12; nocase; classtype:bad-unknown;
>sid:1000001; rev:1;)

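The quoted rules rest on two Snort matching details: `content` with `nocase` is a case-insensitive byte search, and `depth:11` / `depth:12` restrict that search to the first 11 or 12 bytes of the client payload, which is exactly the length of the patterns themselves. The following Python is an added example, not code from the list post or from Snort: it emulates that content/depth/nocase check over constructed HTTP requests and classifies each request line's Request-URI using the RFC 2616 section 5.1.2 forms (`abs_path`, which is what the reply describes as the normal wire format, versus `absoluteURI`). The sample requests, the `www.example.com` host and the function names are all constructed here.

```python
import re

# Patterns copied from the quoted rules (Snort's "\:" escape dropped); depth as posted.
PROXY_RULES = [
    ("Proxy GET Request", b"GET http://", 11),
    ("Proxy HEAD Request", b"HEAD http://", 12),
]

# RFC 2616 5.1.2: Request-URI = "*" | absoluteURI | abs_path | authority
_SCHEME_RE = re.compile(rb"^[A-Za-z][A-Za-z0-9+.-]*://")


def snort_content_match(payload, pattern, depth, nocase=True):
    """Emulate content:"pattern"; depth:N; nocase; -- the pattern must lie
    entirely within the first N bytes of the payload."""
    window = payload[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def matching_rules(payload):
    """Return the msg of every quoted rule whose content match hits this payload."""
    return [msg for msg, pat, depth in PROXY_RULES
            if snort_content_match(payload, pat, depth)]


def request_target_form(payload):
    """Classify the Request-URI on the first line of an HTTP/1.x request."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return "malformed"      # RFC 2616 allows exactly one SP between tokens
    target = parts[1]
    if target == b"*":
        return "asterisk"
    if target.startswith(b"/"):
        return "abs_path"       # the normal form sent to an origin server
    if _SCHEME_RE.match(target):
        return "absoluteURI"    # the form a client uses when talking to a proxy
    return "authority"          # e.g. CONNECT host:port


def proxied_host(payload):
    """For an absoluteURI request, the host the client asked the proxy to reach; else None."""
    if request_target_form(payload) != "absoluteURI":
        return None
    target = payload.split(b"\r\n", 1)[0].split(b" ")[1]
    after_scheme = target.split(b"://", 1)[1]
    return after_scheme.split(b"/", 1)[0].decode("latin-1")


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "origin":   b"GET /path/to/file.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "proxy":    b"GET http://www.example.com/path/to/file.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "nocase":   b"get HTTP://www.example.com/ HTTP/1.1\r\n\r\n",
    "head":     b"HEAD http://www.example.com/ HTTP/1.1\r\n\r\n",
    # A second space pushes the pattern past depth:11, so the quoted rule is silent.
    "twospace": b"GET  http://www.example.com/ HTTP/1.1\r\n\r\n",
}


def evaluate(samples=SAMPLES):
    """Map sample name -> (request-target form, rules that fire, proxied host)."""
    return {name: (request_target_form(p), matching_rules(p), proxied_host(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (form, rules, host) in evaluate().items():
        print(f"{name:9s} form={form:12s} rules={rules} host={host}")
```

Because `depth` equals the pattern length, only a payload that begins with the exact method-plus-scheme prefix is matched; the `twospace` sample shows how little variation it takes to slip past such a rule, which is worth keeping in mind when deciding how much confidence to place in it.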