[Snort-sigs] [AUTO IP] Re: Question about content

Matt Olney molney at ...435...
Tue Dec 1 14:29:53 EST 2009


One of the list members asked a question about why I chose to add the
"nocase" modifier to the http_method content match.  I thought it was a
pretty quality question, so I'm pasting my answer here:

"We constrain to buffers, in this case the http_method buffer, to avoid
false positives and to increase the speed of detection.  This is
because the data in the buffer is shorter and we know that we're
looking in that data.

We nocase to avoid false negatives.  For example:

[molney at ...3412... ~]$ telnet www.sourcefire.com 80
Trying 68.177.102.22...
Connected to www.sourcefire.com (68.177.102.22).
Escape character is '^]'.
get
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

We spend a lot of time working out evasion cases.  It is very, very
trivial in many cases to subtly adjust the attack to work with the
server and bypass detection.  This involves a lot of core body
knowledge in the protocols (bmc and phoo are
particularly strong in this area) and some testing.

An interesting aside:

[molney at ...3412... whitehat]$ telnet www.sourcefire.com 80
Trying 68.177.102.22...
Connected to www.sourcefire.com (68.177.102.22).
Escape character is '^]'.
gEt
<html><body><h1>500 Internal Server Error</h1></body></html>Connection
closed by foreign host.
[molney at ...3412... whitehat]$ telnet www.sourcefire.com 80
Trying 68.177.102.22...
Connected to www.sourcefire.com (68.177.102.22).
Escape character is '^]'.
Get
<html><body><h1>500 Internal Server Error</h1></body></html>Connection
closed by foreign host.

We never trust a server to behave in the manner that the RFCs require,
nor do we anticipate that clients will only act in the manner the RFCs
outline.  In fact, our experience shows that there are very few
circumstances where vendors are completely RFC compliant and RFC
restricted.

Hope that answers your question,

Matt"
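The two points in the reply above, constraining a content match to the http_method buffer and adding nocase to it, can be shown side by side on constructed traffic. The script below is an added example, not code from the post or from Snort: the request samples are made up, the buffer split is a simplified stand-in for Snort's HTTP inspection, and the three rule variants correspond to a whole-payload match, a case-sensitive http_method match, and an http_method match with nocase (in Snort 2.x rule syntax roughly `content:"GET"; nocase; http_method;`). The lowercase sample is the one the server in the post answered normally; a case-sensitive rule misses it, and a whole-payload rule fires on a POST whose body merely contains the string GET.

```python
"""
Added example (not part of the original post or of Snort): why a Snort rule
constrains a content match to the http_method buffer and adds nocase.

Request samples are constructed. http_buffers() is a simplified stand-in for
an HTTP-aware sensor's buffer split, not Snort's own parser.
"""

# Constructed request samples, raw bytes as they would arrive on the wire.
SAMPLES = {
    # Ordinary request with an uppercase method.
    "upper": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # Lowercase method: the server in the post served this one normally.
    "lower": b"get /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # Mixed case: the server in the post answered 500, but a sensor still
    # has to decide how to classify it before it knows what the server did.
    "mixed": b"gEt /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # A POST whose body merely contains the string GET.
    "post_body": (
        b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
        b"Content-Length: 13\r\n\r\nmethod=GET&x=1"
    ),
}


def http_buffers(raw: bytes) -> dict:
    """Split a request into the buffers an HTTP-aware sensor exposes.

    Returns {"method", "uri", "header", "body"} as raw bytes. The split is
    deliberately tolerant: method case is preserved exactly as sent, because
    the sensor has to model what the server accepts, not only what the RFC
    permits.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header = head.partition(b"\r\n")
    parts = request_line.split(b" ", 2)
    method = parts[0] if parts else b""
    uri = parts[1] if len(parts) > 1 else b""
    return {"method": method, "uri": uri, "header": header, "body": body}


def content_match(buf: bytes, pattern: bytes, nocase: bool) -> bool:
    """Snort-style content match: substring test, case-folded when nocase is set."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def evaluate(raw: bytes, pattern: bytes, *, http_method: bool, nocase: bool) -> bool:
    """Evaluate one content option against one request.

    http_method=False searches the whole payload, as a rule without a buffer
    modifier would; http_method=True restricts the search to the parsed
    method buffer, which is both shorter and semantically the right place.
    """
    buf = http_buffers(raw)["method"] if http_method else raw
    return content_match(buf, pattern, nocase)


def compare_rules(samples: dict) -> dict:
    """Run three rule variants for the pattern GET over every sample.

    Returns {sample_name: {variant_name: matched}}.
    """
    variants = {
        "raw_payload": dict(http_method=False, nocase=False),
        "method_casesens": dict(http_method=True, nocase=False),
        "method_nocase": dict(http_method=True, nocase=True),
    }
    return {
        name: {v: evaluate(raw, b"GET", **opts) for v, opts in variants.items()}
        for name, raw in samples.items()
    }


if __name__ == "__main__":
    for name, hits in compare_rules(SAMPLES).items():
        cells = "  ".join(f"{v}={'hit' if h else 'miss'}" for v, h in hits.items())
        print(f"{name:10s} {cells}")
```

Reading the table the script prints: "raw_payload" is the only variant that fires on "post_body" (a false positive, since the method is POST), "method_casesens" is the only variant that misses "lower" (a false negative on a request the server accepted), and "method_nocase" hits exactly the three requests whose method is some casing of GET.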