[Snort-sigs] Looking for HTTP POST's over 1mb in size

Rodrigo Montoro(Sp0oKeR) spooker at ...2420...
Thu Apr 8 12:50:32 EDT 2010


Probably heavy CPU consume this rule but based on that I'd suggest:

1-) pcre:"/\x0d\x0aContent-Length\: \d{6,12}\x0d\x0a/";

2- ) use tag stream_size

I limited 6,12 the size since I think its more than enough .

Hope it helps

Regards,

Rodrigo Montoro

On Thu, Apr 8, 2010 at 1:24 PM, JOSH RIVEL, BLOOMBERG/ 731 LEXIN
<jrivel at ...3472...> wrote:
> So I wrote a signature to detect HTTP POST's over 1mb in size, but I think that my pcre logic is flawed.  Can someone take a look and let me know if this is OK?  (It does work, but will trigger on file sizes < 1mb based on the Content-Length: header)
> (We have some stuff in there to ignore posts to certain sites due to too many false positives)
> The rule is:
> alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:!"Host\: live.com"; nocase; http_header; content:!"Host\: mail.google.com"; nocase; http_header; content:!"Host\: mail.yahoo.com"; nocase; content:!"Host\: webmail.aol.com"; nocase; http_header; content:!"Host\: webmail.juno.com"; nocase; http_header; content:!"Host\: webmailb.juno.com"; nocase; http_header; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; pcre:!"/^Host:\s.*[\.live.com]$/smi"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:4; )
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker




More information about the Snort-sigs mailing list