[Snort-sigs] Looking for HTTP POST's over 1mb in size

evilghost at ...3397...
Thu Apr 8 23:16:37 EDT 2010


Well, according to the manual at least, we (someone) pointed it out as a
bug in the manual. I can't remember the thread.

-evilghost

Matt Olney wrote:
> Nope:
>
> Alerts:
> 1:33335:0 Content with colon Alerts: 2
> 1:33336:0 Content with |3A| Alerts: 2
>
>
>
> 2010/4/8 evilghost at ...3397... <evilghost at ...3397...>
>
>     Colon doesn't need to be escaped in a PCRE, even in a Snort PCRE. It
>     does in a content match. :)
>
>     -evilghost
>
>     Matt Olney wrote:
>     > Actually (don't ask me why)...they both work:
>     >
>     > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with
>     > colon"; pcre:"/User-Agent:/H"; classtype: attempted-admin; sid: 33333;)
>     > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with
>     > colon escaped"; pcre:"/User-Agent\:/H"; classtype: attempted-admin; sid: 33334;)
>     >
>     > Alerts:
>     > 1:33333:0 PCRE with colon Alerts: 2
>     > 1:33334:0 PCRE with colon escaped Alerts: 2
>     >
>     > [HTTP_HEADER BUFFER DATA (0x8ac90a0)]:
>     > 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 42 4e 65 User-Agent: CBNe
>     > 74 44 61 74 61 53 65 74 0d 0a 48 6f 73 74 3a 20 tDataSet..Host:
>     > 73 65 67 6d 65 6e 74 2e 70 77 30 38 2e 69 63 69 segment.pw08.ici
>     > 62 61 2e 63 6f 6d 0d 0a 43 61 63 68 65 2d 43 6f ba.com..Cache-Co
>     > 6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 32 ntrol: max-age=2
>     > 35 39 32 30 30 0d 0a 56 69 61 3a 20 31 2e 30 20 59200..Via: 1.0
>     > 50 52 4f 58 59 0d 0a 43 6f 6e 6e 65 63 74 69 6f PROXY..Connectio
>     > 6e 3a 20 63 6c 6f 73 65 0d 0a 0d n: close...
>     >
>     > Matt
>     > (Who has been stupid busy, but is still listening)
>     >
>     > 2010/4/8 L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...2420...>
>     >
>     > I disagree. Unless snort is not PCRE compatible (which it seems they
>     > should be based on the acronym), you don't have to escape the colon in
>     > this context for a pcre check.
>     >
>     > Cheers,
>     >
>     > -L0rd Ch0de1m0rt
>     >
>     > On Thu, Apr 8, 2010 at 7:46 PM, 김무성 <kimms at ...3282...> wrote:
>     > > Missed escape : \
>     > >
>     > > You have to write this
>     > >
>     > > pcre:"/^Content-Length\:\s*[0-9]{7,}$/i";
>     > > or
>     > > pcre:"/^Content-Length\x3a\s*[0-9]{7,}$/i";
>     > >
>     > > -----Original Message-----
>     > > From: evilghost at ...3397... [mailto:evilghost at ...3397...]
>     > > Sent: Friday, April 09, 2010 2:01 AM
>     > > To: JOSH RIVEL, BLOOMBERG/ 731 LEXIN
>     > > Cc: SNORT-SIGS at ...3473...
>     > > Subject: Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size
>     > >
>     > > Glad to help Josh, also drop the '/s', I meant to write the PCRE as:
>     > >
>     > > pcre:"/^Content-Length:\s*[0-9]{7,}$/i";
>     > >
>     > >
>     > > -evilghost
>     > >
>     > > JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
>     > >> evilghost-
>     > >> Yeah my PCRE skills are pretty weak. I'll try your change and let you
>     > >> know how it works out (I also changed the source from "any" to
>     > >> $HOME_NET as well)
>     > >> Thanks!!
>     > >> Josh
>     > >>
>     > >> ----- Original Message -----
>     > >> From: Evilghost at ...3475... <evilghost at ...3397...>
>     > >> To: JOSH RIVEL (BLOOMBERG/ 731 LEXIN)
>     > >> Cc: SNORT-SIGS at ...3473...
>     > >> At: 4/08 12:49:17
>     > >>
>     > >> Hey Josh, isn't the root issue here 10[1-9] in the PCRE OR match since
>     > >> it'll match on 101, 102, 103, etc?
>     > >>
>     > >> What about:
>     > >>
>     > >> pcre:"/^Content-Length:\s*[0-9]{7,}$/si";
>     > >>
>     > >> It'll still match against 1,000,000 bytes which is close enough to
>     > >> 1Mb for me. Also, not sure why you need the other PCRE flags.
>     > >>
>     > >> -evilghost
>     > >>
>     > >>
>     > >>
>     > >>
>     > >> JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
>     > >>
>     > >>> So I wrote a signature to detect HTTP POST's over 1mb in size, but I
>     > >>> think that my pcre logic is flawed. Can someone take a look and let me
>     > >>> know if this is OK? (It does work, but will trigger on file sizes < 1mb
>     > >>> based on the Content-Length: header)
>     > >>> (We have some stuff in there to ignore posts to certain sites due to
>     > >>> too many false positives)
>     > >>> The rule is:
>     > >>> alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server;
>     > >>> priority:1; content:"POST"; nocase; http_method; content:!"Shockwave";
>     > >>> nocase; http_header; content:!"x-flash-version"; nocase;
>     > >>> content:!"Host\: live.com"; nocase; http_header;
>     > >>> content:!"Host\: mail.google.com"; nocase; http_header;
>     > >>> content:!"Host\: mail.yahoo.com"; nocase;
>     > >>> content:!"Host\: webmail.aol.com"; nocase; http_header;
>     > >>> content:!"Host\: webmail.juno.com"; nocase; http_header;
>     > >>> content:!"Host\: webmailb.juno.com"; nocase; http_header;
>     > >>> content:"multipart/"; nocase; content:"Content-Length\:"; nocase;
>     > >>> http_header;
>     > >>> pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix";
>     > >>> pcre:!"/^Host:\s.*[\.live.com]$/smi";
>     > >>> msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060;
>     > >>> gid:1; rev:4; )
>     > >>>
>     > >>> ------------------------------------------------------------------------------
>     > >>> Download Intel® Parallel Studio Eval
>     > >>> Try the new software tools for yourself. Speed compiling, find bugs
>     > >>> proactively, and fine-tune applications for parallel performance.
>     > >>> See why Intel Parallel Studio got high marks during beta.
>     > >>> http://p.sf.net/sfu/intel-sw-dev
>     > >>> _______________________________________________
>     > >>> Snort-sigs mailing list
>     > >>> Snort-sigs at lists.sourceforge.net
>     > >>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
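Added illustration of the two points argued in this thread: the `10[1-9]` alternation in Josh's original PCRE firing on small bodies, and the colon needing no escape in a `pcre` (while `\:` and `|3A|` are simply two spellings of the same byte in a `content`). This script is not from the list or from the Snort project; it runs the thread's expressions through Python's `re` module, whose handling of `^`, `$`, `\s`, `{7,}` and `\:` matches PCRE for these constructs, over a constructed header block. `SAMPLE_HEADERS`, `matches` and `snort_content_to_bytes` are names chosen here, not Snort API.

```python
import re

# Constructed sample request headers (CRLF-terminated), not taken from the thread.
SAMPLE_HEADERS = (
    "POST /upload HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=xyz\r\n"
    "Content-Length: {length}\r\n"
    "\r\n"
)

# The expression from the original rule in the thread (flags smix). The second
# alternative, 10[1-9], matches any length whose first digits are 101..109, so a
# 101-byte POST alerts just like a 10,000,000-byte one.
FLAWED = re.compile(
    r"^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])", re.M | re.I | re.S | re.X
)

# The corrected expression suggested in the thread: seven or more digits, i.e.
# at least 1,000,000 bytes. The colon is a literal in PCRE; no escape needed.
FIXED = re.compile(r"^Content-Length:\s*[0-9]{7,}$", re.M | re.I)

# The same expression as two other posters wrote it. In PCRE a backslash before a
# non-alphanumeric character yields that character, and \x3a is the colon's hex
# code, so all three compile to the same matcher.
FIXED_ESCAPED = re.compile(r"^Content-Length\:\s*[0-9]{7,}$", re.M | re.I)
FIXED_HEX = re.compile(r"^Content-Length\x3a\s*[0-9]{7,}$", re.M | re.I)


def headers_for(length: int) -> str:
    """Build the constructed header block with the given Content-Length value."""
    return SAMPLE_HEADERS.format(length=length)


def matches(pattern: re.Pattern, headers: str) -> bool:
    """True if the pattern hits the header block.

    CRLF is normalised to LF before matching: `$` matches before a newline, so on
    a raw CRLF buffer the `\\r` would sit between the digits and the newline and
    the `$`-anchored expressions would not match. See the note below.
    """
    return pattern.search(headers.replace("\r\n", "\n")) is not None


def snort_content_to_bytes(spec: str) -> bytes:
    """Decode the inside of a Snort content:"..." string to the bytes it matches.

    |hh hh| blocks are hex; a backslash escapes the next character literally, which
    is why content:"Content-Length\\:" and content:"Content-Length|3A|" are the
    same match, as Matt's test with sids 33335/33336 showed.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        elif ch == "\\":
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


if __name__ == "__main__":
    for length in (101, 10123, 999999, 1000000, 1048576):
        print(f"{length:>8}  flawed={matches(FLAWED, headers_for(length))!s:5}  "
              f"fixed={matches(FIXED, headers_for(length))}")
    print(snort_content_to_bytes(r"Content-Length\:"),
          snort_content_to_bytes("Content-Length|3A|"))
```

Running it shows the flawed expression alerting on lengths 101 and 10123 while the corrected one only alerts from 1,000,000 upward, and the two `content` spellings decoding to identical bytes. Two caveats for carrying this back to a rule: Python's `re` is not libpcre, so a live test against Snort like Matt's is the final word, and the `$` anchor on a CRLF-terminated raw header buffer needs checking in that same test, since this script sidesteps the carriage return by normalising line endings.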