[Snort-sigs] http_header issues, Snort 2.8.5.3

evilghost at ...3397... evilghost at ...3397...
Thu Apr 1 10:37:25 EDT 2010


Thanks Will for the speedy response, I apologize for not having read your 
response to the list earlier.  I agree with you regarding this and it's 
counter-intuitive to have the Cookie removed from the http_header buffer.

-evilghost

Will Metcalf wrote:
> That's because the cookie isn't included in the normalized header
> buffer, you can only get to it via the http_cookie modifier.  I know it
> doesn't make any sense to me either.  I sent the following e-mail to
> snort-devel on 3/17.
>
> "This is just my 2 cents, but I don't think the following behavior
> makes sense.  I think that even though you are providing http_cookie
> as a separate buffer to match on it should still be included in the
> http_header buffer, well because it is part of the headers.
>
> You can still match using the raw buffer but then you have to add
> additional checks to try and differentiate between the headers and the
> body which is why I'm guessing these modifiers were created in the
> first place.  I realize that in most cases header order doesn't matter
> but there may be instances where you can fingerprint a piece of
> automated code (read malware) using a rule similar to sid 69 below.
>
> Regards,
>
> Will"
>
> #this matches but I lose the performance/accuracy benefit of only
> matching within the buffer containing http_headers.
> alert tcp any any -> any any (msg:"http_cookie + "; content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; classtype:bad-unknown; sid:68; rev:1;)
>
> #this fails to match as the cookie is not part of the http_header
> buffer but is part of the real http headers.
> alert tcp any any -> any any (msg:"http_cookie + "; content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; http_header; classtype:bad-unknown; sid:69; rev:1;)
>
>
>
> On Thu, Apr 1, 2010 at 9:22 AM, evilghost at ...3397...
> <evilghost at ...3397...> wrote:
>
>> Hello, I am running Snort 2.8.5.3 and it appears that either
>> http_header; is not working correctly, does not work with a relative
>> keyword, or I do not understand http_header; correctly.  I am attempting
>> to constrain a content match to the http_header for performance reasons.
>>
>> Note, no need to recommend isdataat, I know there is data within 1024
>> bytes past the previous content match.
>>
>> Does NOT work:
>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: "; nocase; http_header; content:"ieatbugs="; within:1024;
>>
>> Does work:
>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: "; nocase; content:"ieatbugs="; within:1024;
>>
>> Comments/insight appreciated.
>>
>> -evilghost
>>
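The buffer behaviour discussed in this thread, as an added illustration that is not part of the original posts or of Snort's own code: a simplified model in which the Cookie header is stripped from the normalized http_header buffer and exposed only as http_cookie, evaluated against the two rules from the original question and against a match on http_cookie. The sample request, the buffer split and the `within` semantics are simplifications assumed for the example (uricontent and nocase are left out).

```python
# Constructed sample request (not from the thread); the cookie carries the
# "ieatbugs=" value the original question's rules look for.
SAMPLE_REQUEST = (
    b"GET /login.php HTTP/1.1\r\n"
    b"Cookie: ieatbugs=1; session=abc\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
)

def split_buffers(payload):
    """Simplified model of the 2.8.5.3 behaviour the thread describes: Cookie is
    dropped from the normalized http_header buffer and only lands in http_cookie."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    _, _, header_block = head.partition(b"\r\n")   # skip the request line
    kept, cookie = [], b""
    for line in header_block.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie = value.strip()  # goes to http_cookie, not http_header
        else:
            kept.append(line)
    return {"raw": payload, "http_cookie": cookie,
            "http_header": b"\r\n".join(kept) + b"\r\n"}

def rule_matches(buffers, contents):
    """Evaluate (pattern, buffer, within) contents in order; 'within' is simplified
    to 'N bytes after the previous match in the same buffer'. First failure ends it."""
    prev = None  # (buffer name, offset just past the previous match)
    for pattern, buf, within in contents:
        data, start, end = buffers[buf], 0, len(buffers[buf])
        if within is not None and prev is not None and prev[0] == buf:
            start, end = prev[1], min(len(data), prev[1] + within)
        idx = data.find(pattern, start, end)
        if idx < 0:
            return False
        prev = (buf, idx + len(pattern))
    return True

def thread_rules(payload=SAMPLE_REQUEST):
    """The question's two rules (uricontent, nocase omitted) and a match on http_cookie."""
    bufs = split_buffers(payload)
    hdr, val = b"\r\nCookie: ", b"ieatbugs="
    return {
        # 'Does NOT work': first content tied to http_header, where Cookie is absent
        "with_http_header": rule_matches(bufs, [(hdr, "http_header", None), (val, "raw", 1024)]),
        # 'Does work': the same two contents against the raw payload
        "raw": rule_matches(bufs, [(hdr, "raw", None), (val, "raw", 1024)]),
        # Alternative: look for the cookie value in the http_cookie buffer
        "http_cookie": rule_matches(bufs, [(val, "http_cookie", None)]),
    }
```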