[Snort-sigs] http_header issues, Snort 2.8.5.3

Paul Schmehl pschmehl_lists at ...3425...
Thu Apr 1 13:02:20 EDT 2010


Well, no, he's not.  "H" is not pronounced, when you speak the letter, as a 
hard consonant, as in hat, heat, help, header, but as a soft vowel, as in ache, 
eight, etc.  Therefore the "an" is correct in preceding http because you do not 
pronounce it "h-a-e-ch" but "a-e-ch".  In other words, when you speak the letter 
"h", the "h" consonant sound is silent.

They used to teach these things in American schools, but it's been a long time 
since grammar, spelling and pronunciation mattered to educators.

--On Thursday, April 01, 2010 11:16:23 -0430 Jason Brvenik 
<jasonb at ...435...> wrote:

> Being pedantic would be citing the proper use from a literary guide,
> not an RFC or two. It is an ArrEffSee after all.
>
> Before English was Americanized, the h was almost always silent and
> thus the rule of using an before an H was steadfast. L0rd is correct
> on modern usage and it tweaks me as much as the loss of an and or or
> following a comma in a series.
>
> The usage is neither here nor there I suppose. I would like to see the
> grammar king (king is really a substitution) chime in.
>
> On Thu, Apr 1, 2010 at 10:53 AM, evilghost at ...3397...
> <evilghost at ...3397...> wrote:
>> I hate to be pedantic, looks like RFC 2616, RFC 2396, etc use "a HTTP"
>> such as "... MUST NOT establish a HTTP ...", "... engine on a HTTP ..", etc.
>>
>> Who knows.  I would like some insight into why the cookies were excluded
>> from http_header aside from the obvious redundancy regarding the
>> precision in http_cookie;
>>
>> -evilghost
>>
>> Jason Brvenik wrote:
>>> It does seem odd that the cookie is not in the headers but I'm sure
>>> there is a reason that the choice was made.
>>>
>>> Dunno on the "a" VS "an" thing. By my read, the "H" is pronounced and
>>> therefore the use of "an" is appropriate.
>>>
>>> On Thu, Apr 1, 2010 at 10:58 AM, L0rd Ch0de1m0rt
>>> <l0rdch0de1m0rt at ...2420...> wrote:
>>>
>>>> Mike,
>>>>
>>>> Since you seem to be good at pointing out errors in the snort manual,
>>>> you may also want to note that the use of "an HTTP" is rampant
>>>> throughout it.  Might I suggest a little Find & Replace to the manual
>>>> maintainer(s)?   :)
>>>>
>>>> Cheers,
>>>>
>>>> -L0rd Ch0de1m0rt
>>>>
>>>> On 4/1/10, Mike Cox <mike.cox52 at ...2420...> wrote:
>>>>
>>>>> Agreed, I'm shocked that the http_header buffer doesn't include the
>>>>> Cookie header.  It doesn't make sense.  According to the manual, "The
>>>>> http header keyword is a content modifier that restricts the search to
>>>>> the extracted Header fields of an HTTP client
>>>>> request." (as an aside, note the incorrect use of 'an' instead of 'a')
>>>>>  Why is the Cookie header a second class citizen in the HTTP headers
>>>>> world?  I understand having a separate http_cookie buffer but it
>>>>> doesn't mean Cookies are not headers anymore....
>>>>>
>>>>> -Mike Cox
>>>>>
>>>>> On 4/1/10, evilghost at ...3397... <evilghost at ...3397...> wrote:
>>>>>
>>>>>> Thanks Will for the speedy response, I apologize for not having read your
>>>>>> response to the list earlier.  I agree with you regarding this and it's
>>>>>> counter-intuitive to have the Cookie removed from the http_header buffer.
>>>>>>
>>>>>> -evilghost
>>>>>>
>>>>>> Will Metcalf wrote:
>>>>>>
>>>>>>> That's because the cookie isn't included in the normalized header
>>>>>>> buffer, you can only get to it via the http_cookie modifier.  I know it
>>>>>>> doesn't make any sense to me either.  I sent the following e-mail to
>>>>>>> snort-devel on 3/17.
>>>>>>>
>>>>>>> "This is just my 2 cents, but I don't think the following behavior
>>>>>>> makes sense.  I think that even though you are providing http_cookie
>>>>>>> as a separate buffer to match on it should still be included in the
>>>>>>> http_header buffer, well because it is part of the headers.
>>>>>>>
>>>>>>> You can still match using the raw buffer but then you have to add
>>>>>>> additional checks to try and differentiate between the headers and the
>>>>>>> body which is why I'm guessing these modifiers were created in the
>>>>>>> first place.  I realize that in most cases header order doesn't matter
>>>>>>> but there may be instances where you can fingerprint a piece of
>>>>>>> automated code (read malware) using a rule similar to sid 69 below.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Will"
>>>>>>>
>>>>>>> # this matches but I lose the performance/accuracy benefit of only
>>>>>>> # matching within the buffer containing http_headers.
>>>>>>> alert tcp any any -> any any (msg:"http_cookie + "; \
>>>>>>>     content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; \
>>>>>>>     classtype:bad-unknown; sid:68; rev:1;)
>>>>>>>
>>>>>>> # this fails to match as the cookie is not part of the http_header
>>>>>>> # buffer but is part of the real http headers.
>>>>>>> alert tcp any any -> any any (msg:"http_cookie + "; \
>>>>>>>     content:"Cookie|3A| e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703|0d 0a|Content-Type|3A| application"; http_header; \
>>>>>>>     classtype:bad-unknown; sid:69; rev:1;)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Apr 1, 2010 at 9:22 AM, evilghost at ...3397...
>>>>>>> <evilghost at ...3397...> wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hello, I am running Snort 2.8.5.3 and it appears that either
>>>>>>>> http_header; is not working correctly, does not work with a relative
>>>>>>>> keyword, or I do not understand http_header; correctly.  I am
>>>>>>>> attempting to constrain a content match to the http_header for
>>>>>>>> performance reasons.
>>>>>>>>
>>>>>>>> Note, no need to recommend isdataat, I know there is data within 1024
>>>>>>>> bytes past the previous content match.
>>>>>>>>
>>>>>>>> Does NOT work:
>>>>>>>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: ";
>>>>>>>> nocase; http_header; content:"ieatbugs="; within:1024;
>>>>>>>>
>>>>>>>> Does work:
>>>>>>>>    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: ";
>>>>>>>> nocase; content:"ieatbugs="; within:1024;
>>>>>>>>
>>>>>>>> Comments/insight appreciated.
>>>>>>>>
>>>>>>>> -evilghost
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------------
>>>>>>>> -------- Download Intel® Parallel Studio Eval
>>>>>>>> Try the new software tools for yourself. Speed compiling, find bugs
>>>>>>>> proactively, and fine-tune applications for parallel performance.
>>>>>>>> See why Intel Parallel Studio got high marks during beta.
>>>>>>>> http://p.sf.net/sfu/intel-sw-dev
>>>>>>>> _______________________________________________
>>>>>>>> Snort-sigs mailing list
>>>>>>>> Snort-sigs at lists.sourceforge.net
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>
>>
>
>



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
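Added illustration, not part of this thread or of Snort: a Python model of the buffer split that Will Metcalf and evilghost describe above for Snort 2.8.5.3, where the Cookie line is absent from the normalized http_header buffer and reachable only through http_cookie. It evaluates evilghost's "Does work" and "Does NOT work" rule chains against a constructed request and adds a third variant that keeps the buffer restriction by matching the cookie value in http_cookie. The sample request, the buffer-splitting logic, the relative-match approximation and the http_cookie rule text are assumptions made for this example; none of it is the preprocessor's real code, and it skips the header normalization (folding, whitespace, case) that http_inspect performs.

```python
# Simplified model of the buffer split this thread describes for Snort
# 2.8.5.3: http_inspect leaves the Cookie line out of the normalized
# http_header buffer and exposes it only through http_cookie. Written for
# this page as an illustration; it is not Snort's code and it skips the
# normalization (folding, whitespace, case) the real preprocessor performs.

# Constructed client request for the demonstration, not captured traffic.
REQUEST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: ieatbugs=e6504ae48c99f09df7f58996aacbb6b0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"user=bob"
)


def split_buffers(request):
    """Return the buffers a rule can select on, as the thread describes them."""
    head, _, body = request.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    uri = request_line.split(b" ")[1]
    cookie, kept = b"", []
    for line in header_lines:
        if line.lower().startswith(b"cookie:"):
            cookie = line.split(b":", 1)[1].strip()   # http_cookie gets only the value
        else:
            kept.append(line)
    return {
        "raw": request,                                # plain content: sees everything
        "uri": uri,                                    # uricontent:
        "http_header": b"\r\n".join(kept) + b"\r\n",   # http_header, Cookie line absent
        "http_cookie": cookie,                         # http_cookie
        "body": body,
    }


def content_chain(buf, patterns, within=None):
    """Model 'content:A; content:B; within:N' as a relative chain (nocase).

    Each pattern must occur after the end of the previous match; with
    'within' set, a later pattern must sit entirely inside the next N
    bytes. This is an approximation of Snort's relative matching.
    """
    low, pos = buf.lower(), 0
    for i, pat in enumerate(patterns):
        window = low[pos:pos + within] if (within and i) else low[pos:]
        hit = window.find(pat.lower())
        if hit < 0:
            return False
        pos += hit + len(pat)
    return True


def rule_plain_content(bufs):
    """evilghost's 'Does work' rule: both contents searched in the raw packet."""
    return (b"/login.php" in bufs["uri"] and
            content_chain(bufs["raw"], [b"\r\nCookie: ", b"ieatbugs="], within=1024))


def rule_http_header(bufs):
    """evilghost's 'Does NOT work' rule: 'Cookie: ' is looked for in
    http_header, which never contains it here, so the chain fails before
    the relative 'within' is even reached."""
    return (b"/login.php" in bufs["uri"] and
            content_chain(bufs["http_header"], [b"\r\nCookie: ", b"ieatbugs="], within=1024))


def rule_http_cookie(bufs):
    """Keeps the buffer restriction under this behaviour by matching the
    value in http_cookie. Assumed rule text (not from the thread):
    uricontent:"/login.php"; content:"ieatbugs="; http_cookie;
    The buffer holds only the value, so the 'Cookie: ' prefix cannot be
    part of the pattern."""
    return (b"/login.php" in bufs["uri"] and
            content_chain(bufs["http_cookie"], [b"ieatbugs="]))


def evaluate(request=REQUEST):
    """Run the three rule models against one request."""
    bufs = split_buffers(request)
    return {
        "plain_content": rule_plain_content(bufs),
        "http_header": rule_http_header(bufs),
        "http_cookie": rule_http_cookie(bufs),
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:14s} {'alert' if fired else 'no match'}")
```

Run as a script it reports which of the three rule models fires against the constructed request: the raw-buffer chain and the http_cookie variant alert, the http_header chain does not. Whether http_cookie is an adequate replacement depends on what the rule needs to express: that buffer carries only the Cookie value, so the "Cookie: " prefix and the Cookie-then-Content-Type ordering that Will's sid 69 relied on cannot be written against it.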