[Snort-sigs] http_client_body, distance and ignoring requirement for content match?

Eoin Miller eoin.miller at ...3415...
Tue Aug 10 16:47:16 EDT 2010


Why in the world would the following signature match against the below POST?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO Exploit Kit - request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; http_client_body; classtype:bad-unknown; sid:5600100; rev:2;)

POST /earth-expandable-substrate-pack-p-1903.html?action=add_product&currency=USD&osCsid=uhlf66l9csn4gkpvj9kq016ht2 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.mopsdirect.us/earth-expandable-substrate-pack-p-1903.html?currency=USD
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.mopsdirect.us
Content-Length: 26
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: osCsid=uhlf66l9csn4gkpvj9kq016ht2

products_id=1903&x=45&y=13


This should require "id=" and then "|25 32 36|j" to be 32 bytes or more away within the http_client_body. However, it isn't possible for this to happen, since there are only 14 bytes of data within the http_client_body after the "id=", so it should not be possible to match. I have other signatures that are NOT firing on this packet but are nearly identical:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:32; http_client_body; classtype:bad-unknown; sid:5600101; rev:2;)


It is very puzzling that one would fire and not the other... Snort can't 
be ignoring the content match for four vs five bytes for some reason, 
could it? ("|25 32 36|jp" vs "|25 32 36|j")

-- Eoin
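Added example (not part of Eoin's post, and not Snort's code): a small Python emulation of the documented semantics of relative content matching with the distance modifier, restricted to the http_client_body buffer. It assumes that a content preceded by distance:N must begin at least N bytes after the end of the previous match, that the engine retries later occurrences of an earlier content when a later one fails, and that no http_inspect normalisation alters the body. Run against the captured 26-byte body it shows that neither rule's body chain can be satisfied; it says nothing about why Snort actually fired.

```python
import re

# Added example (not from the original post or from Snort): emulates the
# documented semantics of Snort's `distance` modifier over http_client_body.
# Assumptions: a content with distance:N is searched from (end of previous
# match + N); earlier contents are retried at later occurrences on failure;
# the body is matched as-is (no http_inspect normalisation).

BODY = b"products_id=1903&x=45&y=13"  # the 26-byte body from the captured POST

# The http_client_body chains of the two rules, as (content, distance) pairs.
SID_5600100 = [("id=", 0), ("|25 32 36|j", 32)]
SID_5600101 = [("id=", 0), ("|25 32 36|jp", 32)]


def parse_content(s):
    """Convert a Snort content string to bytes; |..| spans are hex, the rest literal."""
    out = bytearray()
    for literal, hexrun in re.findall(r"([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?", s):
        out += literal.encode("latin-1")
        if hexrun:
            out += bytes.fromhex(hexrun)
    return bytes(out)


def match_chain(buf, chain, start=0):
    """Return match offsets for a chain of (bytes, distance) pairs, or None.

    Each content is searched from `start + distance`, where `start` is the
    end of the previous match (0 for the first, absolute content). If a later
    content fails, we backtrack to the next occurrence of this one.
    """
    if not chain:
        return []
    content, distance = chain[0]
    idx = buf.find(content, start + distance)
    while idx >= 0:
        rest = match_chain(buf, chain[1:], idx + len(content))
        if rest is not None:
            return [idx] + rest
        idx = buf.find(content, idx + 1)
    return None


def rule_can_fire(body, rule_chain):
    """True if every body content of the rule can be satisfied on `body`."""
    parsed = [(parse_content(c), d) for c, d in rule_chain]
    return match_chain(body, parsed) is not None


def bytes_after_first_match(body, content):
    """Bytes remaining in the buffer after the first occurrence of `content`."""
    needle = parse_content(content)
    idx = body.find(needle)
    return None if idx < 0 else len(body) - (idx + len(needle))


if __name__ == "__main__":
    print("bytes after 'id=':", bytes_after_first_match(BODY, "id="))
    for name, chain in (("sid:5600100", SID_5600100), ("sid:5600101", SID_5600101)):
        print(name, "can fire on captured body:", rule_can_fire(BODY, chain))
    # Constructed bodies (not captured traffic) showing the distance boundary:
    # 32 filler bytes after "id=" satisfy distance:32, 31 do not.
    hit = b"id=" + b"A" * 32 + b"%26jp"
    miss = b"id=" + b"A" * 31 + b"%26jp"
    print("32 filler bytes:", rule_can_fire(hit, SID_5600101))
    print("31 filler bytes:", rule_can_fire(miss, SID_5600101))
```

The two constructed bodies at the end are the quickest way to confirm which side of the boundary a distance value lands on when writing or debugging a rule of this shape; a rule whose second content sits fewer than N bytes past the first should never produce a hit on the body alone.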