[Snort-sigs] http_header issues, Snort 2.8.5.3

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Thu Apr 1 10:58:24 EDT 2010


Mike,

Since you seem to be good at pointing out errors in the snort manual,
you may also want to note that the use of "an HTTP" is rampant
throughout it.  Might I suggest a little Find & Replace to the manual
maintainer(s)?   :)

Cheers,

-L0rd Ch0de1m0rt

On 4/1/10, Mike Cox <mike.cox52 at ...2420...> wrote:
> Agreed, I'm shocked that the http_header buffer doesn't include the
> Cookie header.  It doesn't make sense.  According to the manual, "The
> http header keyword is a content modifier that restricts the search to
> the extracted Header fields of an HTTP client
> request." (as an aside, note the incorrect use of 'an' instead of 'a')
>  Why is the Cookie header a second class citizen in the HTTP headers
> world?  I understand having a separate http_cookie buffer but it
> doesn't mean Cookies are not headers anymore....
>
> -Mike Cox
>
> On 4/1/10, evilghost at ...3397... <evilghost at ...3397...> wrote:
>> Thanks Will for the speedy response, I apologize for not have read your
>> response to the list earlier.  I agree with you regarding this and it's
>> counter-intuitive to have the Cookie removed from the http_header buffer.
>>
>> -evilghost
>>
>> Will Metcalf wrote:
>>> That because the cookie isn't included in the normalized header
>>> buffer, you can only get to via http_cookie modifer.  I know it
>>> doesn't make any sense to me either.  I sent the following e-mail to
>>> snort-devel on 3/17.
>>>
>>> "This is just my 2 cents, but I don't think the following behavior
>>> makes sense.  I think that even though you are providing http_cookie
>>> as a separate buffer to match on it should still be included in the
>>> http_header buffer, well because it is part of the headers.
>>>
>>> You can still match using the raw buffer but then you have to add
>>> additional checks to try and differentiate between the headers and the
>>> body which is why I'm guessing these modifiers were created in the
>>> first place.  I realize that in most cases header order doesn't matter
>>> but there may be instances where you can fingerprint a piece of
>>> automated code (read malware) using a rule similar to sid 69 below.
>>>
>>> Regards,
>>>
>>> Will"
>>>
>>> #this matches but I loose the performance/accuracy benefit of only
>>> matching within the buffer containing http_headers.
>>> alert tcp any any -> any any (msg:"http_cookie + ";
>>> content:"Cookie|3A|
>>> e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d
>>> 0a|Content-Type|3A| application"; classtype:bad-unknown; sid:68;
>>> rev:1;)
>>>
>>> #this fails to match as the cookie is not part of the http_header
>>> buffer but is part of the real http headers.
>>> alert tcp any any -> any any (msg:"http_cookie + ";
>>> content:"Cookie|3A|
>>> e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d
>>> 0a|Content-Type|3A| application"; http_header; classtype:bad-unknown;
>>> sid:69; rev:1;)
>>>
>>>
>>>
>>> On Thu, Apr 1, 2010 at 9:22 AM, evilghost at ...3397...
>>> <evilghost at ...3397...> wrote:
>>>
>>>> Hello, I am running Snort 2.8.5.3 and it appears that either
>>>> http_header; is not working correctly, does not work with a relative
>>>> keyword, or I do not understand http_header; correctly.  I am attempting
>>>> to constrain a content match to the http_header for performance reasons.
>>>>
>>>> Note, no need to recommend isdataat, I know there is data within 1024
>>>> bytes past the previous content match.
>>>>
>>>> Does NOT work:
>>>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: ";
>>>> nocase; http_header; content:"ieatbugs="; within:1024;
>>>>
>>>> Does work:
>>>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: ";
>>>> nocase; content:"ieatbugs="; within:1024;
>>>>
>>>> Comments/insight appreciated.
>>>>
>>>> -evilghost
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Download Intel® Parallel Studio Eval
>>>> Try the new software tools for yourself. Speed compiling, find bugs
>>>> proactively, and fine-tune applications for parallel performance.
>>>> See why Intel Parallel Studio got high marks during beta.
>>>> http://p.sf.net/sfu/intel-sw-dev
>>>> _______________________________________________
>>>> Snort-sigs mailing list
>>>> Snort-sigs at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>
>>>>
>>
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>




More information about the Snort-sigs mailing list