[Snort-sigs] HTTP Signature not triggering

Will Metcalf william.metcalf at ...2420...
Wed Apr 14 21:27:24 EDT 2010


\x3a is ":"  so you don't need it again...

Regards,

Will
pcre:"/^Content-Length:\x3a\s*[0-9]{7,}\r$/mi"

On Wed, Apr 14, 2010 at 8:21 PM, JOSH RIVEL, BLOOMBERG/ 731 LEXIN
<jrivel at ...3472...> wrote:
> OK so the signature now looks like this but is still not triggering:
>
> alert tcp $HOME_NET !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\x3a\s*[0-9]{7,}\r$/mi"; msg:"HTTP POST over 1mb - pcre only"; classtype:policy-violation; sid:1872316; gid:1; rev:3; )
>
> This is on a Sourcefire 3D3500 sensor with snort 2.8.5.
> Thanks, Josh
>
> ----- Original Message -----
> From: Josh Rivel <jrivel at ...3472...>
> To: william.metcalf at ...2420...
> Cc: snort-sigs at lists.sourceforge.net
> At:  4/14 17:51:56
>
> Will,
>
> Running pcretest with that pcre does work, but I will try your suggested PCRE and see if that fixes things.
>
> Thanks, Josh
>
> ---- Original Message ----
> From: Will Metcalf <william.metcalf at ...2420...>
> At: 4/14/2010 17:39
>
> hmmm that pcre doesn't look quite right... Does the sig fire if you
> remove it?  If it does, maybe try something like the following...
>
> pcre:"/^Content-Length\x3a\s*[0-9]{7,}\r$/Hmi"
>
> Regards,
>
> Will
>
> On Wed, Apr 14, 2010 at 4:20 PM, JOSH RIVEL, BLOOMBERG/ 731 LEXIN
> <jrivel at ...3472...> wrote:
>> Hello, so I have the following signature looking for HTTP posts of size > 1mb to any machines $EXTERNAL_NET, but despite my best efforts I can't get it to trigger.
>> alert tcp $HOME_NET !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*[0-9]{7,}$/i"; msg:"HTTP POST over 1mb - pcre only"; classtype:policy-violation; sid:1872316; gid:1; rev:1; )
>>
>> I uploaded a 2mb file to a website and the signature did not trigger.  Here are the snippets from tcpdump output on the sensor of the file being uploaded.
>>
>> POST /test/upload.php HTTP/1.1
>> Host: xx
>> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Referer: http://xx/xx
>> Content-Type: multipart/form-data; boundary=---------------------------1588529377280840353328422082
>> Content-Length: 2097381
>> Connection: Keep-Alive
>> -----------------------------1588529377280840353328422082
>> Content-Disposition: form-data; name="uploaded"; filename="2mb"
>> Content-Type: application/octet-stream
>>
>> That signature does not trigger, however this one does (which has bad PCRE in it to detect file sizes of > 1mb).  I also tried using stream_size:client,>=,1048576 in the signature with no luck.
>> (So here's the bad signature, but it does trigger)
>> alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content- Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:15; )
>>
>> Any thoughts? I'm wracking my brains trying to sort this one out...
>> Thanks, Josh
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
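A quick way to see why the rev 3 rule in this thread stays silent while Will's version fires, as an added Python check that is not part of the original exchange or of Snort itself. Python's re module stands in for Snort's PCRE engine; the Snort-only `H` modifier (match against the normalized http_header buffer) has no Python equivalent and is dropped here, with a constructed CRLF copy of the captured request headers playing the role of that buffer. The three patterns are the ones posted in the thread, with their modifiers, and the rule names are labels chosen for this example.

```python
import re

# Constructed sample: the request headers from the captured upload, with the
# CRLF line endings the wire carries (tcpdump shows them as separate lines).
SAMPLE_HEADERS = (
    "POST /test/upload.php HTTP/1.1\r\n"
    "Host: xx\r\n"
    "Content-Type: multipart/form-data; "
    "boundary=---------------------------1588529377280840353328422082\r\n"
    "Content-Length: 2097381\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# pcre bodies and modifiers as posted in the thread. The Snort-specific "H"
# modifier is omitted; the whole header block stands in for the http_header
# buffer (an approximation, not Snort's actual normalization).
RULES = {
    "rev1 original":     (r"^Content-Length:\s*[0-9]{7,}$", "i"),
    "Will's fix":        (r"^Content-Length\x3a\s*[0-9]{7,}\r$", "mi"),
    "rev3 double colon": (r"^Content-Length:\x3a\s*[0-9]{7,}\r$", "mi"),
}

# PCRE modifier letters that map directly onto Python re flags.
FLAG_MAP = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL}


def pcre_flags(modifiers):
    """Translate a PCRE modifier string such as 'mi' into re flags."""
    flags = 0
    for ch in modifiers:
        flags |= FLAG_MAP[ch]
    return flags


def rule_matches(pattern, modifiers, headers):
    """True if the pcre body would match somewhere in the header block."""
    return re.search(pattern, headers, pcre_flags(modifiers)) is not None


def evaluate(headers=SAMPLE_HEADERS):
    """Run every rule against the header block; returns {name: matched}."""
    return {name: rule_matches(p, mods, headers) for name, (p, mods) in RULES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20s} -> {'MATCH' if hit else 'no match'}")
```

Running it shows the rev 1 pattern missing because, without the `m` modifier, `^` only anchors at the start of the buffer and the buffer begins with the request line, not with `Content-Length`. The rev 3 pattern misses because `Content-Length:\x3a` spells out two colons, exactly Will's point. Will's pattern matches: `\x3a` is the single colon, `m` lets `^` anchor at each header line, and `\r$` pins the digits to the end of the line so a longer value elsewhere in the header cannot satisfy it. One caveat worth keeping in mind when reading the rule's `msg`: `[0-9]{7,}` fires for any Content-Length of at least 1,000,000 bytes, which is a little below 1 MiB (1,048,576), and the `10[1-9]` alternative in the "bad" rule accepts any length that merely begins with 101 through 109.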