[Snort-sigs] Looking for HTTP POST's over 1mb in size

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Thu Apr 8 22:20:01 EDT 2010


I disagree.  Unless snort is not PCRE compatible (which it seems they
should be based on the acronym), you don't have to escape the colon in
this context for a pcre check.

Cheers,

-L0rd Ch0de1m0rt

On Thu, Apr 8, 2010 at 7:46 PM, 김무성 <kimms at ...3282...> wrote:
> Missed escape : \
>
> You have to write this
>
> pcre:"/^Content-Length\:\s*[0-9]{7,}$/i";
> or
> pcre:"/^Content-Length\x3a\s*[0-9]{7,}$/i";
>
> -----Original Message-----
> From: evilghost at ...3397... [mailto:evilghost at ...3397...]
> Sent: Friday, April 09, 2010 2:01 AM
> To: JOSH RIVEL, BLOOMBERG/ 731 LEXIN
> Cc: SNORT-SIGS at ...3473...
> Subject: Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size
>
> Glad to help Josh, also drop the '/s', I meant to write the PCRE as:
>
> pcre:"/^Content-Length:\s*[0-9]{7,}$/i";
>
>
> -evilghost
>
> JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
>> evilghost-
>> Yeah my PCRE skills are pretty weak.  I'll try your change and let you know how it works out (I also changed the source from "any" to $HOME_NET as well)
>> Thanks!!
>> Josh
>>
>> ----- Original Message -----
>> From: Evilghost at ...3475... <evilghost at ...3397...>
>> To: JOSH RIVEL (BLOOMBERG/ 731 LEXIN)
>> Cc: SNORT-SIGS at ...3473...
>> At:  4/08 12:49:17
>>
>> Hey Josh, isn't the root issue here 10[1-9] in the PCRE OR match since
>> it'll match on 101, 102, 103, etc?
>>
>> What about:
>>
>> pcre:"/^Content-Length:\s*[0-9]{7,}$/si";
>>
>> It'll still match against 1,000,000 bytes, which is close enough to 1Mb for me.  Also, not sure why you need the other PCRE flags.
>>
>> -evilghost
>>
>>
>>
>>
>> JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
>>
>>> So I wrote a signature to detect HTTP POST's over 1mb in size, but I think that my pcre logic is flawed.  Can someone take a look and let me know if this is OK?  (It does work, but will trigger on file sizes < 1mb based on the Content-Length: header)
>>> (We have some stuff in there to ignore posts to certain sites due to too many false positives)
>>> The rule is:
>>> alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:!"Host\: live.com"; nocase; http_header; content:!"Host\: mail.google.com"; nocase; http_header; content:!"Host\: mail.yahoo.com"; nocase; content:!"Host\: webmail.aol.com"; nocase; http_header; content:!"Host\: webmail.juno.com"; nocase; http_header; content:!"Host\: webmailb.juno.com"; nocase; http_header; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; pcre:!"/^Host:\s.*[\.live.com]$/smi"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:4; )
>>> ------------------------------------------------------------------------------
>>> Download Intel® Parallel Studio Eval
>>> Try the new software tools for yourself. Speed compiling, find bugs
>>> proactively, and fine-tune applications for parallel performance.
>>> See why Intel Parallel Studio got high marks during beta.
>>> http://p.sf.net/sfu/intel-sw-dev
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>>
>> >
>
>
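Added worked example (not from the thread, not Snort code): a small Python harness that runs the three PCREs discussed above against constructed HTTP POST header blocks, so the 10[1-9] false positive, the {7,} fix, and two anchoring caveats can be seen side by side. Python's re is used as a stand-in for Snort's PCRE engine; the helper names, the sample request, and the hardened variant (multiline anchor plus an optional \r before $) are my own assumptions, not something the list proposed.

```python
import re

MEBIBYTE = 1 << 20  # 1,048,576 bytes; what "1 MB" usually means for a file size


def make_request(content_length):
    """Constructed sample POST header block (CRLF line endings, as on the wire)."""
    return (
        "POST /upload HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        "Content-Type: multipart/form-data; boundary=xyz\r\n"
        f"Content-Length: {content_length}\r\n"
        "\r\n"
    )


# Josh's original PCRE, flags /smix. The 10[1-9] alternative is the bug:
# it fires on any length that merely starts with 101..109 (101, 1010, 10500...).
ORIGINAL = re.compile(
    r"^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])", re.S | re.M | re.I | re.X
)

# evilghost's replacement exactly as posted, flags /i only. Without the m
# flag, ^ anchors at the start of the whole buffer, i.e. the request line.
SUGGESTED_AS_POSTED = re.compile(r"^Content-Length:\s*[0-9]{7,}$", re.I)

# Same pattern with /m: ^ now anchors each header line, but $ only matches
# before \n (PCRE default newline), so a trailing \r makes it fail.
SUGGESTED_MULTILINE = re.compile(r"^Content-Length:\s*[0-9]{7,}$", re.I | re.M)

# Assumed hardened variant: per-line anchor and tolerance for CRLF.
HARDENED = re.compile(r"^Content-Length:\s*[0-9]{7,}\r?$", re.I | re.M)


def matches(pattern, content_length):
    """True if the given PCRE fires on a request carrying this Content-Length."""
    return pattern.search(make_request(content_length)) is not None


def content_length_of(request):
    """Parse the Content-Length header; None if absent."""
    m = re.search(r"^Content-Length:\s*([0-9]+)\r?$", request, re.I | re.M)
    return int(m.group(1)) if m else None


def over_one_mebibyte(request):
    """Exact reference check: is the declared body at least 1 MiB?"""
    n = content_length_of(request)
    return n is not None and n >= MEBIBYTE


def disagreements(pattern, lengths):
    """Lengths where the regex verdict differs from the exact 1 MiB check."""
    return [
        n for n in lengths
        if matches(pattern, n) != over_one_mebibyte(make_request(n))
    ]


if __name__ == "__main__":
    samples = [101, 1010, 999999, 1000000, 1048575, 1048576]
    for name, pat in [("original", ORIGINAL), ("as posted", SUGGESTED_AS_POSTED),
                      ("multiline", SUGGESTED_MULTILINE), ("hardened", HARDENED)]:
        print(f"{name:10s}", [matches(pat, n) for n in samples])
    print("hardened vs exact 1 MiB disagree on:", disagreements(HARDENED, samples))
```

Two things the harness makes visible beyond the 10[1-9] bug: the posted /i-only pattern never fires on a realistic request because ^ is pinned to the request line, and even with /m the $ anchor fails against CRLF unless the buffer has been normalized or the pattern allows an optional \r. The {7,} threshold also fires from 1,000,000 upward, so lengths between 1,000,000 and 1,048,575 are flagged although they are under 1 MiB; if the policy really means 1 MiB, a numeric comparison in a preprocessor or post-processing stage is the accurate check, since a regex can only approximate a magnitude.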

