[Snort-sigs] HTTP Signature not triggering

JOSH RIVEL, BLOOMBERG/ 731 LEXIN jrivel at ...3472...
Wed Apr 14 17:20:09 EDT 2010


Hello, so I have the following signature looking for HTTP posts of size > 1mb to any machines in $EXTERNAL_NET, but despite my best efforts I can't get it to trigger.
alert tcp $HOME_NET !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*[0-9]{7,}$/i"; msg:"HTTP POST over 1mb - pcre only"; classtype:policy-violation; sid:1872316; gid:1; rev:1; )

I uploaded a 2mb file to a website and the signature did not trigger. Here are the snippets from tcpdump output on the sensor of the file being uploaded.

POST /test/upload.php HTTP/1.1
Host: xx
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: http://xx/xx
Content-Type: multipart/form-data; boundary=---------------------------1588529377280840353328422082
Content-Length: 2097381
Connection: Keep-Alive
-----------------------------1588529377280840353328422082
Content-Disposition: form-data; name="uploaded"; filename="2mb"
Content-Type: application/octet-stream

That signature does not trigger; however, this one does (which has bad PCRE in it to detect file sizes of > 1mb). I also tried using stream_size:client,>=,1048576 in the signature with no luck.
(So here's the bad signature but it does trigger)
alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content- Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:15; )

Any thoughts? I'm wracking my brains trying to sort this one out...
Thanks, Josh
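The two pcre options in the post can be compared directly against the quoted request headers. The script below is an added example (not from the original post or from Snort): it rebuilds the header block from the tcpdump snippet above with CRLF line endings (constructed, not a real capture), uses Python's re module as a stand-in for PCRE, and checks each pattern. The "corrected" pattern and the numeric Content-Length check are my own suggestions, not something the poster or Snort documentation provides; Snort's http_header buffer semantics are not modelled here.

```python
import re

# Constructed from the headers quoted in the post; HTTP header lines end in CRLF,
# which is what the pcre anchors actually see on the wire.
REQUEST_HEADERS = (
    "POST /test/upload.php HTTP/1.1\r\n"
    "Host: xx\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) "
    "Gecko/20100401 Firefox/3.6.3\r\n"
    "Content-Type: multipart/form-data; "
    "boundary=---------------------------1588529377280840353328422082\r\n"
    "Content-Length: 2097381\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

ONE_MB = 1048576

# Pattern from the non-triggering rule: /^Content-Length:\s*[0-9]{7,}$/i
# Without the m modifier, ^ matches only at the start of the buffer (which is
# "POST ..."), and $ only at the very end, so the header line can never match.
ORIGINAL = (r"^Content-Length:\s*[0-9]{7,}$", re.IGNORECASE)

# Pattern from the "bad but triggering" rule:
# /^Content- Length:\s*([1-9][0-9]{6,}|10[1-9])/smix
# The x modifier makes the stray space harmless, m lets ^ match at each line
# start, and there is no trailing $ to collide with the CR before the LF.
TRIGGERING = (
    r"^Content- Length:\s*([1-9][0-9]{6,}|10[1-9])",
    re.IGNORECASE | re.MULTILINE | re.DOTALL | re.VERBOSE,
)

# Suggested fix (assumption, not from the post): keep the 7-digit idea, add the
# m modifier, and allow the CR that precedes the end-of-line.
CORRECTED = (r"^Content-Length:\s*[0-9]{7,}\r?$", re.IGNORECASE | re.MULTILINE)


def header_matches(pattern_and_flags, subject):
    """Return True if the PCRE-style pattern hits anywhere in the header block."""
    pattern, flags = pattern_and_flags
    return re.search(pattern, subject, flags) is not None


def content_length_over(subject, threshold=ONE_MB):
    """Parse Content-Length numerically instead of counting digits.

    Digit counting cannot express "> 1048576" exactly: seven digits means
    >= 1000000, and the 10[1-9] alternative in the triggering rule matches
    tiny bodies such as 105 bytes.
    """
    m = re.search(r"^Content-Length:\s*([0-9]+)\r?$", subject,
                  re.IGNORECASE | re.MULTILINE)
    return m is not None and int(m.group(1)) > threshold


def small_post():
    """Same request with a 105-byte body, to show the 10[1-9] false positive."""
    return REQUEST_HEADERS.replace("Content-Length: 2097381", "Content-Length: 105")


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("triggering", TRIGGERING),
                      ("corrected", CORRECTED)):
        print(f"{name:10s} 2mb upload: {header_matches(pat, REQUEST_HEADERS)}  "
              f"105-byte post: {header_matches(pat, small_post())}")
    print("numeric check 2mb upload:", content_length_over(REQUEST_HEADERS))
    print("numeric check 105-byte post:", content_length_over(small_post()))
```

The practical takeaway for the rule: once the header line is not the first thing in the buffer, `^` needs the `m` modifier, and a `$` after the digits will fail on CRLF-terminated headers unless the CR is accounted for. For the size threshold itself, a numeric comparison is easier to get right than a digit-count regex; in Snort the `byte_test` or the `stream_size` option the poster mentions is the usual way to express that, while this script only shows the regex behaviour.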

