[Snort-sigs] http_header issues, Snort 2.8.5.3

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Thu Apr 1 11:24:35 EDT 2010


From http://owl.english.purdue.edu/owl/resource/591/01/

"A" goes before all words that begin with consonants. ... With one
exception: Use "an" before unsounded h."

The "H" in "HTTP" is clearly sounded since we are saying the letter itself.

Hope this helps.

-L0rd Ch0de1m0rt

On 4/1/10, Jason Brvenik <jasonb at ...435...> wrote:
> It does seem odd that the cookie is not in the headers but I'm sure
> there is a reason that the choice was made.
>
> Dunno on the "a" VS "an" thing. By my read, the "H" is pronounced and
> therefore the use of "an" is appropriate.
>
> On Thu, Apr 1, 2010 at 10:58 AM, L0rd Ch0de1m0rt
> <l0rdch0de1m0rt at ...2420...> wrote:
>> Mike,
>>
>> Since you seem to be good at pointing out errors in the snort manual,
>> you may also want to note that the use of "an HTTP" is rampant
>> throughout it.  Might I suggest a little Find & Replace to the manual
>> maintainer(s)?   :)
>>
>> Cheers,
>>
>> -L0rd Ch0de1m0rt
>>
>> On 4/1/10, Mike Cox <mike.cox52 at ...2420...> wrote:
>>> Agreed, I'm shocked that the http_header buffer doesn't include the
>>> Cookie header.  It doesn't make sense.  According to the manual, "The
>>> http header keyword is a content modifier that restricts the search to
>>> the extracted Header fields of an HTTP client
>>> request." (as an aside, note the incorrect use of 'an' instead of 'a')
>>>  Why is the Cookie header a second class citizen in the HTTP headers
>>> world?  I understand having a separate http_cookie buffer but it
>>> doesn't mean Cookies are not headers anymore....
>>>
>>> -Mike Cox
>>>
>>> On 4/1/10, evilghost at ...3397... <evilghost at ...3397...> wrote:
>>>> Thanks Will for the speedy response, I apologize for not having read your
>>>> response to the list earlier.  I agree with you regarding this and it's
>>>> counter-intuitive to have the Cookie removed from the http_header
>>>> buffer.
>>>>
>>>> -evilghost
>>>>
>>>> Will Metcalf wrote:
>>>>> That's because the cookie isn't included in the normalized header
>>>>> buffer, you can only get to it via the http_cookie modifier.  I know it
>>>>> doesn't make any sense to me either.  I sent the following e-mail to
>>>>> snort-devel on 3/17.
>>>>>
>>>>> "This is just my 2 cents, but I don't think the following behavior
>>>>> makes sense.  I think that even though you are providing http_cookie
>>>>> as a separate buffer to match on it should still be included in the
>>>>> http_header buffer, well because it is part of the headers.
>>>>>
>>>>> You can still match using the raw buffer but then you have to add
>>>>> additional checks to try and differentiate between the headers and the
>>>>> body which is why I'm guessing these modifiers were created in the
>>>>> first place.  I realize that in most cases header order doesn't matter
>>>>> but there may be instances where you can fingerprint a piece of
>>>>> automated code (read malware) using a rule similar to sid 69 below.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Will"
>>>>>
>>>>> #this matches but I lose the performance/accuracy benefit of only
>>>>> matching within the buffer containing http_headers.
>>>>> alert tcp any any -> any any (msg:"http_cookie + ";
>>>>> content:"Cookie|3A|
>>>>> e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d
>>>>> 0a|Content-Type|3A| application"; classtype:bad-unknown; sid:68;
>>>>> rev:1;)
>>>>>
>>>>> #this fails to match as the cookie is not part of the http_header
>>>>> buffer but is part of the real http headers.
>>>>> alert tcp any any -> any any (msg:"http_cookie + ";
>>>>> content:"Cookie|3A|
>>>>> e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d
>>>>> 0a|Content-Type|3A| application"; http_header; classtype:bad-unknown;
>>>>> sid:69; rev:1;)
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Apr 1, 2010 at 9:22 AM, evilghost at ...3397...
>>>>> <evilghost at ...3397...> wrote:
>>>>>
>>>>>> Hello, I am running Snort 2.8.5.3 and it appears that either
>>>>>> http_header; is not working correctly, does not work with a relative
>>>>>> keyword, or I do not understand http_header; correctly.  I am
>>>>>> attempting
>>>>>> to constrain a content match to the http_header for performance
>>>>>> reasons.
>>>>>>
>>>>>> Note, no need to recommend isdataat, I know there is data within 1024
>>>>>> bytes past the previous content match.
>>>>>>
>>>>>> Does NOT work:
>>>>>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: ";
>>>>>> nocase; http_header; content:"ieatbugs="; within:1024;
>>>>>>
>>>>>> Does work:
>>>>>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: ";
>>>>>> nocase; content:"ieatbugs="; within:1024;
>>>>>>
>>>>>> Comments/insight appreciated.
>>>>>>
>>>>>> -evilghost
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Download Intel® Parallel Studio Eval
>>>>>> Try the new software tools for yourself. Speed compiling, find bugs
>>>>>> proactively, and fine-tune applications for parallel performance.
>>>>>> See why Intel Parallel Studio got high marks during beta.
>>>>>> http://p.sf.net/sfu/intel-sw-dev
>>>>>> _______________________________________________
>>>>>> Snort-sigs mailing list
>>>>>> Snort-sigs at lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>>>
>>>>>>
>>>>
>>>
>>
>
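The following is an added illustration written for this thread, not Snort's own code and not anything posted by the participants. It is a small Python model of the buffer split the thread is arguing about: the HTTP inspect preprocessor hands the rule engine separate views of a client request (raw packet, http_uri, http_header, http_cookie), and in Snort 2.8.5.3 the Cookie header is moved out of the http_header buffer into http_cookie. The request text, the buffer names as dictionary keys, and the simplified normalisation (no header folding, no URI decoding) are assumptions of the model; Snort's real normalisation does more. The function evaluate_thread_rules replays the content matches from evilghost's two rules and Will's sid 68/69 ordering pattern against each buffer, which is why the http_header-constrained versions fail and the raw or http_cookie versions succeed.

```python
"""Toy model of the per-buffer views Snort 2.8.x HTTP inspection exposes to
content modifiers.  Added for illustration; not Snort's code.  The sample
request below is constructed."""

SAMPLE_REQUEST = (  # constructed client request
    b"GET /login.php?user=bob HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: ieatbugs=1; session=abc\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"body=data"
)


def split_buffers(request: bytes) -> dict:
    """Return the raw request plus modelled http_uri / http_header /
    http_cookie buffers.  As the thread describes, the Cookie header is
    removed from http_header and placed in http_cookie instead."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    uri = request_line.split(b" ")[1]
    kept_headers = []
    cookie = b""
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie = value.strip()          # visible only via http_cookie
        else:
            kept_headers.append(line)       # stays in http_header
    return {
        "raw": request,
        "http_uri": uri,
        "http_header": b"\r\n".join(kept_headers) + b"\r\n",
        "http_cookie": cookie,
        "body": body,
    }


def content_match(buffers: dict, pattern: bytes, modifier: str = "raw") -> bool:
    """Model one `content:"..."; <modifier>;` option: True if the pattern
    occurs anywhere in the selected buffer (no relative-offset handling)."""
    return pattern in buffers[modifier]


def evaluate_thread_rules(request: bytes) -> dict:
    """Replay the content matches discussed in the thread against each buffer."""
    b = split_buffers(request)
    # Will's sid 68/69 shape: cookie immediately followed by Content-Type
    ordered = b"Cookie: ieatbugs=1; session=abc\r\nContent-Type: application"
    return {
        # evilghost's working rule: raw match on the Cookie header
        "cookie_raw": content_match(b, b"\r\nCookie: ", "raw"),
        # evilghost's failing rule: same pattern constrained to http_header
        "cookie_http_header": content_match(b, b"\r\nCookie: ", "http_header"),
        # the intended way to reach the cookie: the http_cookie buffer
        "cookie_http_cookie": content_match(b, b"ieatbugs=", "http_cookie"),
        # a non-cookie header is still present in http_header
        "content_type_http_header": content_match(b, b"Content-Type", "http_header"),
        # Will's ordering fingerprint: matches raw (sid 68) ...
        "ordered_raw": content_match(b, ordered, "raw"),
        # ... but cannot match in http_header (sid 69), the cookie is gone
        "ordered_http_header": content_match(b, ordered, "http_header"),
    }


if __name__ == "__main__":
    for name, hit in evaluate_thread_rules(SAMPLE_REQUEST).items():
        print(f"{name:28s} {'match' if hit else 'no match'}")
```

The practical consequence for rule writers on this version is the one Will states: header-order fingerprints that span the Cookie line can only be written against the raw buffer, while the cookie value itself should be matched with http_cookie.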
