[Snort-sigs] http_header issues, Snort 2.8.5.3

Jason Brvenik jasonb at ...435...
Thu Apr 1 11:46:23 EDT 2010


Being pedantic would be citing the proper use from a literary guide,
not an RFC or two. It is an ArrEffSee after all.

Before English was Americanized, the h was almost always silent and
thus the rule of using an before an H was steadfast. L0rd is correct
on modern usage and it tweaks me as much as the loss of an and or or
following a comma in a series.

The usage is neither here nor there I suppose. I would like to see the
grammar king (king is really a substitution) chime in.

On Thu, Apr 1, 2010 at 10:53 AM, evilghost at ...3397...
<evilghost at ...3397...> wrote:
> I hate to be pedantic, looks like RFC 2616, RFC 2396, etc use "a HTTP"
> such as "... MUST NOT establish a HTTP ...", "... engine on a HTTP ..", etc.
>
> Who knows.  I would like some insight into why the cookies were excluded
> from http_header aside from the obvious redundancy regarding the
> precision in http_cookie;
>
> -evilghost
>
> Jason Brvenik wrote:
>> It does seem odd that the cookie is not in the headers but I'm sure
>> there is a reason that the choice was made.
>>
>> Dunno on the "a" VS "an" thing. By my read, the "H" is pronounced and
>> therefore the use of "an" is appropriate.
>>
>> On Thu, Apr 1, 2010 at 10:58 AM, L0rd Ch0de1m0rt
>> <l0rdch0de1m0rt at ...2420...> wrote:
>>
>>> Mike,
>>>
>>> Since you seem to be good at pointing out errors in the snort manual,
>>> you may also want to note that the use of "an HTTP" is rampant
>>> throughout it.  Might I suggest a little Find & Replace to the manual
>>> maintainer(s)?   :)
>>>
>>> Cheers,
>>>
>>> -L0rd Ch0de1m0rt
>>>
>>> On 4/1/10, Mike Cox <mike.cox52 at ...2420...> wrote:
>>>
>>>> Agreed, I'm shocked that the http_header buffer doesn't include the
>>>> Cookie header.  It doesn't make sense.  According to the manual, "The
>>>> http header keyword is a content modifier that restricts the search to
>>>> the extracted Header fields of an HTTP client
>>>> request." (as an aside, note the incorrect use of 'an' instead of 'a')
>>>>  Why is the Cookie header a second class citizen in the HTTP headers
>>>> world?  I understand having a separate http_cookie buffer but it
>>>> doesn't mean Cookies are not headers anymore....
>>>>
>>>> -Mike Cox
>>>>
>>>> On 4/1/10, evilghost at ...3397... <evilghost at ...3397...> wrote:
>>>>
>>>>> Thanks Will for the speedy response, I apologize for not having read your
>>>>> response to the list earlier.  I agree with you regarding this and it's
>>>>> counter-intuitive to have the Cookie removed from the http_header buffer.
>>>>>
>>>>> -evilghost
>>>>>
>>>>> Will Metcalf wrote:
>>>>>
>>>>>> That's because the cookie isn't included in the normalized header
>>>>>> buffer, you can only get to it via the http_cookie modifier.  I know it
>>>>>> doesn't make any sense to me either.  I sent the following e-mail to
>>>>>> snort-devel on 3/17.
>>>>>>
>>>>>> "This is just my 2 cents, but I don't think the following behavior
>>>>>> makes sense.  I think that even though you are providing http_cookie
>>>>>> as a separate buffer to match on it should still be included in the
>>>>>> http_header buffer, well because it is part of the headers.
>>>>>>
>>>>>> You can still match using the raw buffer but then you have to add
>>>>>> additional checks to try and differentiate between the headers and the
>>>>>> body which is why I'm guessing these modifiers were created in the
>>>>>> first place.  I realize that in most cases header order doesn't matter
>>>>>> but there may be instances where you can fingerprint a piece of
>>>>>> automated code (read malware) using a rule similar to sid 69 below.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Will"
>>>>>>
>>>>>> #this matches but I lose the performance/accuracy benefit of only
>>>>>> matching within the buffer containing http_headers.
>>>>>> alert tcp any any -> any any (msg:"http_cookie + "; content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; classtype:bad-unknown; sid:68; rev:1;)
>>>>>>
>>>>>> #this fails to match as the cookie is not part of the http_header
>>>>>> buffer but is part of the real http headers.
>>>>>> alert tcp any any -> any any (msg:"http_cookie + "; content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; http_header; classtype:bad-unknown; sid:69; rev:1;)
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Apr 1, 2010 at 9:22 AM, evilghost at ...3397...
>>>>>> <evilghost at ...3397...> wrote:
>>>>>>
>>>>>>
>>>>>>> Hello, I am running Snort 2.8.5.3 and it appears that either
>>>>>>> http_header; is not working correctly, does not work with a relative
>>>>>>> keyword, or I do not understand http_header; correctly.  I am attempting
>>>>>>> to constrain a content match to the http_header for performance reasons.
>>>>>>>
>>>>>>> Note, no need to recommend isdataat, I know there is data within 1024
>>>>>>> bytes past the previous content match.
>>>>>>>
>>>>>>> Does NOT work:
>>>>>>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: ";
>>>>>>> nocase; http_header; content:"ieatbugs="; within:1024;
>>>>>>>
>>>>>>> Does work:
>>>>>>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: ";
>>>>>>> nocase; content:"ieatbugs="; within:1024;
>>>>>>>
>>>>>>> Comments/insight appreciated.
>>>>>>>
>>>>>>> -evilghost
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Download Intel® Parallel Studio Eval
>>>>>>> Try the new software tools for yourself. Speed compiling, find bugs
>>>>>>> proactively, and fine-tune applications for parallel performance.
>>>>>>> See why Intel Parallel Studio got high marks during beta.
>>>>>>> http://p.sf.net/sfu/intel-sw-dev
>>>>>>> _______________________________________________
>>>>>>> Snort-sigs mailing list
>>>>>>> Snort-sigs at lists.sourceforge.net
>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Download Intel® Parallel Studio Eval
>>>>> Try the new software tools for yourself. Speed compiling, find bugs
>>>>> proactively, and fine-tune applications for parallel performance.
>>>>> See why Intel Parallel Studio got high marks during beta.
>>>>> http://p.sf.net/sfu/intel-sw-dev
>>>>> _______________________________________________
>>>>> Snort-sigs mailing list
>>>>> Snort-sigs at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>>
>>>>>
>>>> ------------------------------------------------------------------------------
>>>> Download Intel® Parallel Studio Eval
>>>> Try the new software tools for yourself. Speed compiling, find bugs
>>>> proactively, and fine-tune applications for parallel performance.
>>>> See why Intel Parallel Studio got high marks during beta.
>>>> http://p.sf.net/sfu/intel-sw-dev
>>>> _______________________________________________
>>>> Snort-sigs mailing list
>>>> Snort-sigs at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>
>>>>
>>> ------------------------------------------------------------------------------
>>> Download Intel® Parallel Studio Eval
>>> Try the new software tools for yourself. Speed compiling, find bugs
>>> proactively, and fine-tune applications for parallel performance.
>>> See why Intel Parallel Studio got high marks during beta.
>>> http://p.sf.net/sfu/intel-sw-dev
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>>
>>
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>>
>
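Added example, following the whole thread above: a small Python simulation of the buffer split the posters are describing. This is not Snort's code and not anything from the list; it assumes, as Will and evilghost observe, that HTTP inspect drops the Cookie header from the normalized http_header buffer and exposes it only through http_cookie, while the raw payload still holds everything. The sample request, the buffer names as dict keys, and the simplified handling of `within` across buffers are all my assumptions.

```python
"""Added illustration of the buffer behaviour discussed in the thread.

This is NOT Snort's code. It models, in a few lines, the buffers that
Snort 2.8.x HTTP inspect hands to content matches, under the assumption
the thread describes: the Cookie header is stripped from the normalized
http_header buffer and is only reachable through http_cookie, while the
raw buffer still holds the whole payload.
"""

# Constructed sample request (not taken from the thread).
RAW_REQUEST = (
    b"GET /login.php?user=alice HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: session=abc123; ieatbugs=1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=alice&pass=secret"
)


def build_buffers(raw):
    """Split a raw HTTP request into the buffers a rule can select.

    Assumptions (mine, not the manual's): http_header holds every header
    line except Cookie; http_cookie holds the Cookie value only; http_uri
    is the request-URI; http_client_body is everything after the blank
    line; raw is the untouched payload.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    uri = request_line.split(b" ")[1]
    header_buf = b""
    cookie_buf = b""
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie_buf = value.strip()      # Cookie goes to its own buffer...
        else:
            header_buf += line + b"\r\n"    # ...and never reaches http_header
    return {
        "raw": raw,
        "http_uri": uri,
        "http_header": header_buf,
        "http_cookie": cookie_buf,
        "http_client_body": body,
    }


def evaluate_rule(buffers, contents):
    """Evaluate ordered content checks: (pattern, buffer, nocase, within).

    Every check must match for the rule to fire. 'within' restricts the
    search to the N bytes after the previous match when both checks use
    the same buffer; across buffers it falls back to searching the whole
    buffer (a simplification, not Snort's exact relative-match rules).
    """
    last = None                       # (buffer, end offset) of previous match
    for pattern, buffer, nocase, within in contents:
        data = buffers[buffer]
        hay, needle = (data.lower(), pattern.lower()) if nocase else (data, pattern)
        start, end = 0, len(hay)
        if within is not None and last is not None and last[0] == buffer:
            start = last[1]
            end = min(len(hay), start + within)
        idx = hay.find(needle, start, end)
        if idx < 0:
            return False
        last = (buffer, idx + len(needle))
    return True


# The "does NOT work" rule from the thread: first content pinned to http_header.
RULE_HTTP_HEADER = [
    (b"/login.php", "http_uri", False, None),
    (b"\r\nCookie: ", "http_header", True, None),
    (b"ieatbugs=", "raw", False, 1024),
]

# The "does work" rule: same pattern searched in the raw payload.
RULE_RAW = [
    (b"/login.php", "http_uri", False, None),
    (b"\r\nCookie: ", "raw", True, None),
    (b"ieatbugs=", "raw", False, 1024),
]

# The buffer Will points at: match the cookie where HTTP inspect put it.
RULE_HTTP_COOKIE = [
    (b"/login.php", "http_uri", False, None),
    (b"ieatbugs=", "http_cookie", False, None),
]


def demo():
    """Return which of the three rules fire on the sample request."""
    bufs = build_buffers(RAW_REQUEST)
    return {
        "http_header": evaluate_rule(bufs, RULE_HTTP_HEADER),
        "raw": evaluate_rule(bufs, RULE_RAW),
        "http_cookie": evaluate_rule(bufs, RULE_HTTP_COOKIE),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:12s} {'alert' if fired else 'no match'}")
```

Running it shows the same outcome evilghost reported: the rule whose first content is constrained to http_header never matches, because the Cookie line is not in that buffer, while the unconstrained raw match fires. The third rule is the workaround the thread implies, matching the cookie value in http_cookie and so keeping the per-buffer performance benefit without relying on the raw payload.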



