[Snort-sigs] Looking for HTTP POST's over 1mb in size

Matt Olney molney at ...435...
Thu Apr 8 22:54:38 EDT 2010


Actually (don't ask me why)...they both work:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon";
pcre:"/User-Agent:/H"; classtype: attempted-admin; sid: 33333;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon
escaped"; pcre:"/User-Agent\:/H"; classtype: attempted-admin; sid: 33334;)

Alerts:
1:33333:0       PCRE with colon
     Alerts: 2
1:33334:0       PCRE with colon escaped
     Alerts: 2

[HTTP_HEADER BUFFER DATA (0x8ac90a0)]:
55 73 65 72 2d 41 67 65 6e 74 3a 20 43 42 4e 65    User-Agent: CBNe
74 44 61 74 61 53 65 74 0d 0a 48 6f 73 74 3a 20    tDataSet..Host:
73 65 67 6d 65 6e 74 2e 70 77 30 38 2e 69 63 69    segment.pw08.ici
62 61 2e 63 6f 6d 0d 0a 43 61 63 68 65 2d 43 6f    ba.com..Cache-Co
6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 32    ntrol: max-age=2
35 39 32 30 30 0d 0a 56 69 61 3a 20 31 2e 30 20    59200..Via: 1.0
50 52 4f 58 59 0d 0a 43 6f 6e 6e 65 63 74 69 6f    PROXY..Connectio
6e 3a 20 63 6c 6f 73 65 0d 0a 0d                   n: close...

Matt
(Who has been stupid busy, but is still listening)

2010/4/8 L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...2420...>

> I disagree.  Unless snort is not PCRE compatible (which it seems they
> should be based on the acronym), you don't have to escape the colon in
> this context for a pcre check.
>
> Cheers,
>
> -L0rd Ch0de1m0rt
>
> On Thu, Apr 8, 2010 at 7:46 PM, 김무성 <kimms at ...3282...> wrote:
> > Missed escape : \
> >
> > You have to write this
> >
> > pcre:"/^Content-Length\:\s*[0-9]{7,}$/i";
> > or
> > pcre:"/^Content-Length\x3a\s*[0-9]{7,}$/i";
> >
> > -----Original Message-----
> > From: evilghost at ...3397... [mailto:evilghost at ...3397...]
> > Sent: Friday, April 09, 2010 2:01 AM
> > To: JOSH RIVEL, BLOOMBERG/ 731 LEXIN
> > Cc: SNORT-SIGS at ...3473...
> > Subject: Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size
> >
> > Glad to help Josh, also drop the '/s', I meant to write the PCRE as:
> >
> > pcre:"/^Content-Length:\s*[0-9]{7,}$/i";
> >
> >
> > -evilghost
> >
> > JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
> >> evilghost-
> >> Yeah my PCRE skills are pretty weak.  I'll try your change and let you
> >> know how it works out (I also changed the source from "any" to $HOME_NET as
> >> well)
> >> Thanks!!
> >> Josh
> >>
> >> ----- Original Message -----
> >> From: Evilghost at ...3475... <evilghost at ...3397...>
> >> To: JOSH RIVEL (BLOOMBERG/ 731 LEXIN)
> >> Cc: SNORT-SIGS at ...3473...
> >> At:  4/08 12:49:17
> >>
> >> Hey Josh, isn't the root issue here 10[1-9] in the PCRE OR match since
> >> it'll match on 101, 102, 103, etc?
> >>
> >> What about:
> >>
> >> pcre:"/^Content-Length:\s*[0-9]{7,}$/si";
> >>
> >> It'll still match against 1,000,000 bytes which is close enough to 1Mb
> >> for me.  Also, not sure why you need the other PCRE flags.
> >>
> >> -evilghost
> >>
> >>
> >>
> >>
> >> JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
> >>
> >>> So I wrote a signature to detect HTTP POST's over 1mb in size, but I
> >>> think that my pcre logic is flawed.  Can someone take a look and let me know
> >>> if this is OK?  (It does work, but will trigger on file sizes < 1mb based on
> >>> the Content-Length: header)
> >>> (We have some stuff in there to ignore posts to certain sites due to
> >>> too many false positives)
> >>> The rule is:
> >>> alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server;
> >>> priority:1; content:"POST"; nocase; http_method; content:!"Shockwave";
> >>> nocase; http_header; content:!"x-flash-version"; nocase; content:!"Host\:
> >>> live.com"; nocase; http_header; content:!"Host\: mail.google.com"; nocase;
> >>> http_header; content:!"Host\: mail.yahoo.com"; nocase; content:!"Host\:
> >>> webmail.aol.com"; nocase; http_header; content:!"Host\: webmail.juno.com";
> >>> nocase; http_header; content:!"Host\: webmailb.juno.com"; nocase;
> >>> http_header; content:"multipart/"; nocase; content:"Content-Length\:";
> >>> nocase; http_header;
> >>> pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix";
> >>> pcre:!"/^Host:\s.*[\.live.com]$/smi"; msg:"http-post-pcre-jr";
> >>> classtype:policy-violation; sid:1000060; gid:1; rev:4; )
> >>>
> ------------------------------------------------------------------------------
> >>> Download Intel® Parallel Studio Eval
> >>> Try the new software tools for yourself. Speed compiling, find bugs
> >>> proactively, and fine-tune applications for parallel performance.
> >>> See why Intel Parallel Studio got high marks during beta.
> >>> http://p.sf.net/sfu/intel-sw-dev
> >>> _______________________________________________
> >>> Snort-sigs mailing list
> >>> Snort-sigs at lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >>>
> >>>
> >> >
> >
> >
>
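An added example, not written by anyone in this thread, that runs the three Content-Length patterns discussed above over constructed CRLF-terminated header blocks using Python's re module as a stand-in for Snort's PCRE; it also shows the numeric check the regex only approximates and that `\:` and `:` match the same bytes. Assumed: Python's re, like PCRE with its LF newline default, lets `$` match only before `\n`, which is why the CRLF-tolerant variant uses `\r?$`; check your Snort build if you rely on `$` against the http_header buffer.

```python
import re

def _hdr(length):
    """Build a constructed CRLF-terminated request header block (not captured
    traffic), shaped like the http_header buffer dump earlier in the thread."""
    return ("POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
            "User-Agent: CBNetDataSet\r\nContent-Length: %d\r\n\r\n" % length)

SAMPLE_HEADERS = {
    "large_post": _hdr(2097152),   # 2 MiB
    "exactly_1e6": _hdr(1000000),  # 1,000,000 bytes, just under 1 MiB
    "small_101": _hdr(101),
    "small_1019": _hdr(1019),
    "small_999999": _hdr(999999),
}

# Josh's original alternation: the 10[1-9] branch matches any value that
# merely starts with 101..109, which is where the false positives come from.
FLAWED = re.compile(r"^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])",
                    re.S | re.M | re.I | re.X)
# evilghost's fix: seven or more digits up to end of line. In Python's re
# (as in PCRE built with the LF newline default) '$' only matches before
# '\n', so the '\r' of a CRLF-terminated header line blocks it.
FIXED_DOLLAR = re.compile(r"^Content-Length:\s*[0-9]{7,}$", re.M | re.I)
# The same test made tolerant of CRLF line endings.
FIXED_CRLF = re.compile(r"^Content-Length:\s*[0-9]{7,}\r?$", re.M | re.I)

def fires_on(pattern):
    """Names of the sample header blocks the pattern would alert on."""
    return sorted(n for n, h in SAMPLE_HEADERS.items() if pattern.search(h))

def over_one_mib(headers):
    """The check the regexes only approximate: parse the declared length and
    compare it numerically against 1 MiB (1048576 bytes)."""
    m = re.search(r"^Content-Length:\s*([0-9]+)\r?$", headers, re.M | re.I)
    return m is not None and int(m.group(1)) > 1048576

def colon_escape_equivalent(headers):
    """Matt's observation: '\\:' and ':' are the same literal to the engine."""
    a = re.search(r"User-Agent\:", headers)
    b = re.search(r"User-Agent:", headers)
    return a is not None and b is not None and a.span() == b.span()
```

Note that `FIXED_DOLLAR` fires on none of the samples because every line ends in `\r\n`; `FIXED_CRLF` fires on both the 2 MiB and the 1,000,000-byte block, the latter being the "close enough" imprecision evilghost mentions.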