[Snort-sigs] http_client_body, distance and ignoring requirement for content match?

Paul Schmehl pschmehl_lists at ...3425...
Tue Aug 10 18:43:00 EDT 2010


--On Tuesday, August 10, 2010 20:47:16 +0000 Eoin Miller 
<eoin.miller at ...3415...> wrote:

>   Why in the world would the following signature match against the below
> POST?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO
> Exploit Kit - request for Java exploit"; flow:established,to_server;
> content:"POST"; http_method; content:"id="; http_client_body;
> content:"|25 32 36|j"; distance:32; http_client_body;
> classtype:bad-unknown; sid:5600100; rev:2;)
>
> POST
> /earth-expandable-substrate-pack-p-1903.html?action=add_product&currency=USD&
> osCsid=uhlf66l9csn4gkpvj9kq016ht2  HTTP/1.1

[snipped]

>
> This should require "id=" and then "|25 32 36|j" to be 32 bytes or more
> away within the http_client_body. However it isn't possible for this to
> happen since there is only 14 bytes of data within the http_client_body
> after the "id=", it should not be possible to match. I have other
> signatures that are NOT firing on this packet but are nearly identical:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY
> SEO Exploit Kit - request for Java and PDF exploits";
> flow:established,to_server; content:"POST"; http_method; content:"id=";
> http_client_body; content:"|25 32 36|jp"; distance:32; http_client_body;
> classtype:bad-unknown; sid:5600101; rev:2;)
>
>
> It is very puzzling that one would fire and not the other... Snort can't
> be ignoring the content match for four vs five bytes for some reason,
> could it? ("|25 32 36|jp" vs "|25 32 36|j")
>

Looks like it's matching on the "j".  Since there is no "jp", that rule doesn't 
match.

I can't explain why it's matching though, because it shouldn't match unless you 
see %26j.  Distance is in bytes, however, and each character takes two bytes. 
So there's more than 32 bytes.  In fact the "j" (6a) is right at the 32 byte 
location.

This is what the string looks like in ascii and then in hex:
id=uhlf66l9csn4gkpvj9kq016ht2
id= 75 68 6c 66 36 36 31 39 63 73 6e 34 67 6b 70 76 6a 39 6b 71 30 31 36 68 74 
32

Each character is represented by two bytes.  Total byte count is 52, so you're 
well within your distance parameter.  If you really meant distance:32 
characters, you should write distance:64;

It would be nice if you posted the hex from the detection.  Do you see 25 32 36 
6A anywhere in the hex?

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
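The semantics the thread is arguing about can be checked offline. The model below is an added example, not Snort's code and not anything from either poster: it re-implements the documented rule of relative content matching (each later `content` is searched starting `distance` payload bytes after the end of the previous match, so `distance` is a minimum gap; an ASCII character occupies one payload byte; `within` bounds the window; a failed relative match retries the earlier content at its next occurrence) and runs the two quoted content chains over constructed request bodies. One caveat a reader of the thread should keep in mind: the `osCsid=` value in the post is in the request line, which `http_client_body` does not cover, and the body itself was snipped, so the bodies here are invented to show the boundary, not to reproduce the original traffic.

```python
"""Model of Snort 2.x relative 'content' matching (distance/within).

Added illustration, not Snort code: a simplified re-implementation of the
documented semantics. Every request body below is constructed test data."""

# Content chains from the two rules in the thread, as (spec, distance, within).
RULE_J = [("id=", None, None), ("|25 32 36|j", 32, None)]      # sid 5600100
RULE_JP = [("id=", None, None), ("|25 32 36|jp", 32, None)]    # sid 5600101


def parse_content(spec):
    """Turn a Snort content string such as '|25 32 36|j' into raw bytes.
    Text between '|' pipes is hex; text outside them is literal ASCII, so
    '|25 32 36|j' is the four bytes b'%26j' (one byte per character)."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2:                              # odd chunks sit between pipes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:                                  # even chunks are literal text
            out += chunk.encode("ascii")
    return bytes(out)


def match_chain(buf, chain):
    """Evaluate a chain of (content_spec, distance, within) against one buffer.

    The first content is searched from offset 0. Each later content is
    relative to the END of the previous match: the search window opens
    `distance` bytes after that end (a minimum gap, counted in payload bytes)
    and, when `within` is set, the pattern must end no later than `within`
    bytes past the window start. Like Snort, a failed relative match retries
    the earlier content at its next occurrence (with `distance` alone that can
    never rescue a match, since later occurrences only push the window further
    right; it matters once `within` is used).
    Returns a list of (start, end) offsets on success, else None."""
    def search(idx, prev_end):
        if idx == len(chain):
            return []
        spec, distance, within = chain[idx]
        pat = parse_content(spec)
        if idx == 0:
            start, limit = 0, len(buf)
        else:
            start = max(0, prev_end + (distance or 0))
            limit = len(buf) if within is None else min(len(buf), start + within)
        pos = buf.find(pat, start)
        while pos != -1 and pos + len(pat) <= limit:
            rest = search(idx + 1, pos + len(pat))
            if rest is not None:
                return [(pos, pos + len(pat))] + rest
            pos = buf.find(pat, pos + 1)       # retry at the next occurrence
        return None
    return search(0, 0)


# Constructed bodies (not from the thread). BODY_SHORT mirrors the poster's
# description: only 14 bytes follow "id=", so distance:32 cannot be satisfied.
BODY_SHORT = b"id=uhlf66l9csn4gk"                   # 14 bytes after "id="
BODY_GAP_31 = b"id=" + b"A" * 31 + b"%26j"          # "%26j" begins 31 bytes after "id="
BODY_GAP_32 = b"id=" + b"A" * 32 + b"%26j"          # exactly 32: the minimum is met
BODY_JP = b"id=" + b"A" * 40 + b"%26jp&x=1"         # contains "%26jp", hence also "%26j"


def demo():
    """Return which constructed bodies each rule's content chain matches."""
    return {
        "short_j": match_chain(BODY_SHORT, RULE_J),     # None: nothing 32 bytes out
        "gap31_j": match_chain(BODY_GAP_31, RULE_J),    # None: one byte too close
        "gap32_j": match_chain(BODY_GAP_32, RULE_J),    # [(0, 3), (35, 39)]
        "gap32_jp": match_chain(BODY_GAP_32, RULE_JP),  # None: no "jp"
        "jp_j": match_chain(BODY_JP, RULE_J),           # both rules fire here
        "jp_jp": match_chain(BODY_JP, RULE_JP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The `gap31`/`gap32` pair is the useful boundary: the second content may begin at the 32nd byte after the end of `id=`, not before it, and the window has no upper bound without `within`, which is why a body with plenty of padding before `%26j` also matches. The `jp_*` pair shows the only difference between sid 5600100 and 5600101: any body that satisfies the five-byte pattern also satisfies the four-byte one, never the reverse.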