[Snort-sigs] Apache Proxy

Alex Kirk alex.kirk at ...435...
Fri Jan 14 06:35:24 EST 2005


Adam,

Actually, these rules are never going to fire -- at least not under 
normal circumstances where clients are following RFC 2616 
(http://www.faqs.org/rfcs/rfc2616.html). GET requests look like this 
when they come across the wire:

GET /path/to/file.html HTTP/1.1

Clients never need to transmit the http://<host> portion of a URL: 
http:// is obvious because the packet is being received by an HTTP 
server, and <host> is either implied from wherever the packet is being 
sent, or stated explicitly with a directive of

Host: www.example.com

somewhere following the GET request (most likely immediately after it).

Even if they did fire, though, I'm a bit confused as to how these rules 
differentiate between a misconfigured proxy server and a standard web 
server. In theory, these would fire on every single request that comes 
into one of your web servers -- and if you run even a moderately busy 
server, you're going to be so deluged with these alerts that you'd be 
hard-pressed to pay attention to any attacks coming into your network, 
let alone sort out legitimate web requests from misconfigured proxy 
requests.

If you really want to do this, that's fine; however, this is the sort of 
thing that should go in local.rules, so that people who don't want the 
flood of alerts these would generate don't accidentally snag them when 
doing a regular update. Alternatively, if you can find anything that 
actually sets the requests you're looking for aside from regular web 
requests -- which I would think is unlikely -- then perhaps a rule could 
be crafted to achieve your goal here.

Alex Kirk
Research Analyst
Sourcefire, Inc.

>I used the following signatures after discovering a
>mis-configured Apache server allowing unlimited proxy requests
>to help track down a couple more.  From a research/curiosity
>perspective it also gives me the site the attempted-proxy-user
>was trying to reach, which has been interesting.
>
>alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy GET
>Request"; flow:to_server,established; content:"GET http\://";
>depth:11; nocase; classtype:bad-unknown; sid:1000000; rev:1;)
>
>alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy
>HEAD Request"; flow:to_server,established; content:"HEAD
>http\://"; depth:12; nocase; classtype:bad-unknown;
>sid:1000001; rev:1;)
>
>-Adam.
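As an added example (not code from either post), the Python below shows the distinction drawn above between the RFC 2616 origin form (`GET /path HTTP/1.1` plus a `Host:` header) and the absolute-URI form that Adam's rules match on, and one feature that does set a proxy attempt apart from an ordinary request: the host named in the absolute URI is not one the server itself serves. `LOCAL_HOSTS` and the sample requests are constructed values.

```python
import re
from urllib.parse import urlsplit

# Hostnames this server legitimately answers for (constructed sample values;
# a real deployment would take these from its vhost configuration).
LOCAL_HOSTS = {"www.example.com", "example.com"}

# Request line per RFC 2616: Method SP Request-URI SP HTTP-Version
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def classify_request(raw, local_hosts=LOCAL_HOSTS):
    """Return (kind, host) for one raw request (request line plus headers).

    kind: 'origin'         - 'GET /path HTTP/1.1', host taken from Host header
          'absolute-local' - absolute URI whose host is one of ours (legitimate)
          'proxy'          - absolute URI naming a foreign host: a proxy attempt
          'malformed'      - request line did not parse
    """
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "malformed", None
    target = m.group("target")
    if not target.lower().startswith(("http://", "https://")):
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), None)
        return "origin", host
    host = (urlsplit(target).hostname or "").lower()
    return ("absolute-local" if host in local_hosts else "proxy"), host


def proxy_targets(requests, local_hosts=LOCAL_HOSTS):
    """Hosts that proxy-style requests tried to reach, in arrival order."""
    return [host for kind, host in (classify_request(r, local_hosts) for r in requests)
            if kind == "proxy"]


# Constructed sample traffic: two ordinary requests, one absolute-form request
# for our own site, and two requests that try to use the server as a proxy.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "HEAD /images/logo.png HTTP/1.0\r\n\r\n",
    "GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET http://198.51.100.7/ HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n",
    "HEAD HTTP://mail.example.net:80/ HTTP/1.1\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify_request(req))
```

Only the last two samples would be worth an alert; the third is the absolute form for a host the server owns and is exactly the kind of request that a bare `content:"GET http://"` match would flood you with.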