[Snort-sigs] Looking for HTTP POST's over 1mb in size

김무성 kimms at ...3282...
Thu Apr 8 19:46:43 EDT 2010


Missed escape : \

You have to write this

pcre:"/^Content-Length\:\s*[0-9]{7,}$/i";
or
pcre:"/^Content-Length\x3a\s*[0-9]{7,}$/i";

-----Original Message-----
From: evilghost at ...3397... [mailto:evilghost at ...3397...] 
Sent: Friday, April 09, 2010 2:01 AM
To: JOSH RIVEL, BLOOMBERG/ 731 LEXIN
Cc: SNORT-SIGS at ...3473...
Subject: Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size

Glad to help Josh, also drop the '/s', I meant to write the PCRE as:

pcre:"/^Content-Length:\s*[0-9]{7,}$/i";


-evilghost

JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
> evilghost-
> Yeah my PCRE skills are pretty weak.  I'll try your change and let you know how it works out (I also change the source from "any" to $HOME_NET as well)
> Thanks!!
> Josh
>
> ----- Original Message -----
> From: Evilghost at ...3475... <evilghost at ...3397...>
> To: JOSH RIVEL (BLOOMBERG/ 731 LEXIN)
> Cc: SNORT-SIGS at ...3473...
> At:  4/08 12:49:17
>
> Hey Josh, isn't the root issue here 10[1-9] in the PCRE OR match since 
> it'll match on on 101, 102, 103, etc?
>
> What about:
>
> pcre:"/^Content-Length:\s*[0-9]{7,}$/si";
>
> It'll still match against 1,000,000 bytes which is close enough to 1Mb for me.  Also, note sure why you need the other PCRE flags.
>
> -evilghost
>
>
>
>
> JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
>   
>> So I wrote a signature to detect HTTP POST's over 1mb in size, but I think that my pcre logic is flawed.  Can someone take a look and let me know if this is OK?  (It does work, but will trigger on file sizes < 1mb based on the Content-Length: header)
>> (We have some stuff in there to ignore posts to certain sites due to too many false positives)
>> The rule is:
>> alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:!"Host\: live.com"; nocase; http_header; content:!"Host\: mail.google.com"; nocase; http_header; content:!"Host\: mail.yahoo.com"; nocase; content:!"Host\: webmail.aol.com"; nocase; http_header; content:!"Host\: webmail.juno.com"; nocase; http_header; content:!"Host\: webmailb.juno.com"; nocase; http_header; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; pcre:!"/^Host:\s.*[\.live.com]$/smi"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:4; )
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>>     
> >

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




More information about the Snort-sigs mailing list