[Snort-sigs] http_header issues, Snort 2.8.5.3

Paul Schmehl pschmehl_lists at ...3425...
Thu Apr 1 12:56:08 EDT 2010


"An http" is correct, because the sound of a properly pronounced "h" is 
"a-e-ch".

http://www.tellmewhyfacts.com/2007/04/when-do-you-use-or.html

--On Thursday, April 01, 2010 09:58:24 -0500 L0rd Ch0de1m0rt 
<l0rdch0de1m0rt at ...2420...> wrote:

> Mike,
>
> Since you seem to be good at pointing out errors in the snort manual,
> you may also want to note that the use of "an HTTP" is rampant
> throughout it.  Might I suggest a little Find & Replace to the manual
> maintainer(s)?   :)
>
> Cheers,
>
> -L0rd Ch0de1m0rt
>
> On 4/1/10, Mike Cox <mike.cox52 at ...2420...> wrote:
>> Agreed, I'm shocked that the http_header buffer doesn't include the
>> Cookie header.  It doesn't make sense.  According to the manual, "The
>> http header keyword is a content modifier that restricts the search to
>> the extracted Header fields of an HTTP client
>> request." (as an aside, note the incorrect use of 'an' instead of 'a')
>>  Why is the Cookie header a second class citizen in the HTTP headers
>> world?  I understand having a separate http_cookie buffer but it
>> doesn't mean Cookies are not headers anymore....
>>
>> -Mike Cox
>>
>> On 4/1/10, evilghost at ...3397... <evilghost at ...3397...> wrote:
>>> Thanks Will for the speedy response, I apologize for not having read your
>>> response to the list earlier.  I agree with you regarding this and it's
>>> counter-intuitive to have the Cookie removed from the http_header buffer.
>>>
>>> -evilghost
>>>
>>> Will Metcalf wrote:
>>>> That's because the cookie isn't included in the normalized header
>>>> buffer; you can only get to it via the http_cookie modifier.  I know it
>>>> doesn't make any sense to me either.  I sent the following e-mail to
>>>> snort-devel on 3/17.
>>>>
>>>> "This is just my 2 cents, but I don't think the following behavior
>>>> makes sense.  I think that even though you are providing http_cookie
>>>> as a separate buffer to match on it should still be included in the
>>>> http_header buffer, well because it is part of the headers.
>>>>
>>>> You can still match using the raw buffer but then you have to add
>>>> additional checks to try and differentiate between the headers and the
>>>> body which is why I'm guessing these modifiers were created in the
>>>> first place.  I realize that in most cases header order doesn't matter
>>>> but there may be instances where you can fingerprint a piece of
>>>> automated code (read malware) using a rule similar to sid 69 below.
>>>>
>>>> Regards,
>>>>
>>>> Will"
>>>>
>>>> # this matches but I lose the performance/accuracy benefit of only
>>>> # matching within the buffer containing http_headers.
>>>> alert tcp any any -> any any (msg:"http_cookie + "; content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; classtype:bad-unknown; sid:68; rev:1;)
>>>>
>>>> # this fails to match as the cookie is not part of the http_header
>>>> # buffer but is part of the real http headers.
>>>> alert tcp any any -> any any (msg:"http_cookie + "; content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; http_header; classtype:bad-unknown; sid:69; rev:1;)
>>>>
>>>>
>>>>
>>>> On Thu, Apr 1, 2010 at 9:22 AM, evilghost at ...3397...
>>>> <evilghost at ...3397...> wrote:
>>>>
>>>>> Hello, I am running Snort 2.8.5.3 and it appears that either
>>>>> http_header; is not working correctly, does not work with a relative
>>>>> keyword, or I do not understand http_header; correctly.  I am attempting
>>>>> to constrain a content match to the http_header for performance reasons.
>>>>>
>>>>> Note, no need to recommend isdataat, I know there is data within 1024
>>>>> bytes past the previous content match.
>>>>>
>>>>> Does NOT work:
>>>>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: "; nocase; http_header; content:"ieatbugs="; within:1024;
>>>>>
>>>>> Does work:
>>>>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: "; nocase; content:"ieatbugs="; within:1024;
>>>>>
>>>>> Comments/insight appreciated.
>>>>>
>>>>> -evilghost
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Download Intel® Parallel Studio Eval
>>>>> Try the new software tools for yourself. Speed compiling, find bugs
>>>>> proactively, and fine-tune applications for parallel performance.
>>>>> See why Intel Parallel Studio got high marks during beta.
>>>>> http://p.sf.net/sfu/intel-sw-dev
>>>>> _______________________________________________
>>>>> Snort-sigs mailing list
>>>>> Snort-sigs at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>>
>>>>>
>>>
>>
>



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
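As an added example, not code from the thread or from Snort, the following Python models the buffer split Will describes: the Cookie line is removed from a modelled http_header buffer and exposed only as http_cookie, and the sid 68/69 content string and evilghost's leading content are then checked against each buffer. The request, hostname and body are constructed; the cookie value is copied from the sid 68/69 rules above; treating http_header as the header field lines without the request line is an assumption of the model.

```python
# Added example (not code from the thread or from Snort): a model of the buffer
# split Will Metcalf describes, with the Cookie line carved out of the normalized
# http_header buffer. Cookie value copied from sid 68/69; request otherwise constructed.
CRLF = b"\r\n"
COOKIE = b"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703"
REQUEST = (b"GET /login.php HTTP/1.1" + CRLF
           + b"Host: www.example.invalid" + CRLF
           + b"Cookie: " + COOKIE + CRLF
           + b"Content-Type: application/x-www-form-urlencoded" + CRLF
           + CRLF + b"user=test")

def split_buffers(raw: bytes) -> dict:
    """Return the buffers a content modifier can select on a client request.
    Assumption: http_header is the header field lines minus the Cookie line
    (request line not modelled); http_cookie is the Cookie value alone."""
    head, _, body = raw.partition(CRLF + CRLF)
    _request_line, *fields = head.split(CRLF)
    kept, cookie = [], b""
    for field in fields:
        name, _, value = field.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie = value.strip()      # visible only through http_cookie
        else:
            kept.append(field)          # stays in http_header
    return {"raw": raw,
            "http_header": CRLF.join(kept) + CRLF,
            "http_cookie": cookie,
            "http_client_body": body}

def content_match(raw: bytes, pattern: bytes, modifier: str = "raw") -> bool:
    """True if `pattern` occurs in the buffer named by the content modifier."""
    return pattern in split_buffers(raw)[modifier]

# The content string shared by sid 68 and sid 69, with its |hex| escapes decoded.
SID69_PATTERN = b"Cookie: " + COOKIE + CRLF + b"Content-Type: application"

def thread_results(raw: bytes = REQUEST) -> dict:
    """Reproduce the outcomes reported in the thread, plus the http_cookie route."""
    return {
        "sid68_raw": content_match(raw, SID69_PATTERN),                         # matches
        "sid69_http_header": content_match(raw, SID69_PATTERN, "http_header"),  # fails
        "cookie_via_http_cookie": content_match(raw, COOKIE, "http_cookie"),    # matches
        # evilghost's first content, "|0d 0a|Cookie: ", with and without http_header
        "crlf_cookie_http_header": content_match(raw, CRLF + b"Cookie: ", "http_header"),
        "crlf_cookie_raw": content_match(raw, CRLF + b"Cookie: "),
    }

if __name__ == "__main__":
    for name, hit in thread_results().items():
        print(f"{name:24s} {'match' if hit else 'no match'}")
```

The model also shows why header ordering across Cookie and Content-Type cannot be expressed once the Cookie line lives in a separate buffer, which is the limitation Will raises.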




