[Snort-sigs] Have I lost my mind?

Todd Wease twease at ...435...
Wed Jan 13 16:19:23 EST 2010


On 01/13/2010 04:13 PM, David.R.Wharton at ...3400... wrote:
> According to the snort manual you do.
>
> -David Wharton
>    

Looks like the snort manual needs updating.  You "can" escape it, but 
you don't have to.  Thanks for pointing this out.

>
>
> From:
> Todd Wease<twease at ...435...>
> To:
> Paul Schmehl<pschmehl_lists at ...3425...>
> Cc:
> Snort Sigs<snort-sigs at lists.sourceforge.net>
> Date:
> 01/13/2010 03:11 PM
> Subject:
> Re: [Snort-sigs] Have I lost my mind?
>
>
>
> You do not need to escape a colon in a content.
>
>
> On 01/13/2010 02:48 PM, Paul Schmehl wrote:
>> I always run snort -T -c /blah/foo/snort.conf after writing a new rule or
>> altering an existing rule.  Snort was running happily along without a complaint
>> with the colons not escaped.  (It also doesn't complain when they *are*
>> escaped, but that would be expected behavior.)
>>
>> --On Wednesday, January 13, 2010 12:24:07 -0600 Joel Esler
>> <jesler at ...435...> wrote:
>>
>>> Did you run Snort in -T and see if it chokes on it?
>>>
>>>
>>> J
>>>
>>>
>>> On Wed, Jan 13, 2010 at 1:02 PM, Paul Schmehl<pschmehl_lists at ...3425...>
>>> wrote:
>>>
>>> Doh.  Wonder why snort didn't choke on that and throw an error?
>>>
>>>
>>>
>>>
>>> --On Wednesday, January 13, 2010 11:13:03 -0600 Joel Esler
>>> <jesler at ...435...> wrote:
>>>
>>> You didn't escape the colon in "X-Powered-By:" ?
>>>
>>> At first glance.
>>>
>>> J
>>>
>>> On Jan 13, 2010, at 11:29 AM, Paul Schmehl wrote:
>>>
>>>
>>> I wrote a rule to see what a certain host was up to:
>>>
>>> alert tcp 95.211.27.211 any -> $HOME_NET any (msg:"Up to no good?";
>>> classtype:web-application-activity; sid:1000174; rev:1;)
>>>
>>> That produced (among others) this packet:
>>>
>>> 000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D   HTTP/1.1 200 OK.
>>> 010 : 0A 53 65 72 76 65 72 3A 20 67 77 73 0D 0A 44 61   .Server: gws..Da
>>> 020 : 74 65 3A 20 54 75 65 2C 20 31 32 20 4A 61 6E 20   te: Tue, 12 Jan
>>> 030 : 32 30 31 30 20 30 36 3A 34 35 3A 30 38 20 47 4D   2010 06:45:08 GM
>>> 040 : 54 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A   T..Content-Type:
>>> 050 : 20 74 65 78 74 2F 68 74 6D 6C 0D 0A 43 6F 6E 6E    text/html..Conn
>>> 060 : 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 58   ection: close..X
>>> 070 : 2D 50 6F 77 65 72 65 64 2D 42 79 3A 20 50 48 50   -Powered-By: PHP
>>> 080 : 2F 35 2E 32 2E 36 2D 31 2B 6C 65 6E 6E 79 34 0D   /5.2.6-1+lenny4.
>>> 090 : 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A   .Content-Length:
>>> 0a0 : 20 31 32 30 0D 0A 0D 0A 33 43 33 45 37 41 36 45    120....3C3E7A6E
>>> 0b0 : 36 38 32 35 37 30 36 32 37 41 37 41 36 33 36 34   682570627A7A6364
>>> 0c0 : 36 32 33 30 32 43 33 45 33 45 32 31 33 30 33 33   62302C3E3E213033
>>> 0d0 : 37 31 37 42 37 35 37 38 37 43 37 30 37 34 37 43   717B75787C70747C
>>> 0e0 : 32 31 33 46 36 42 36 42 34 36 30 43 31 41 30 31   213F6B6B460C1A01
>>> 0f0 : 31 42 31 42 32 43 31 42 35 30 34 34 34 36 34 46   1B1B2C1B5044464F
>>> 100 : 34 44 35 39 34 46 31 31 33 41 30 44 31 44 34 42   4D594F113A0D1D4B
>>> 110 : 35 39 35 39 35 32 35 36 34 43 35 38 30 34 33 31   595952564C580431
>>>
>>> Source address is 95.211.27.211.  Source port is 80.
>>>
>>> So I wrote this rule:
>>>
>>> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Bredolab server ack";
>>> flow:from_server,established; content:"Server: gws";
>>> content:"X-Powered-By: PHP"; content:"+lenny4"; classtype:trojan-activity;
>>> sid:1000172; rev:1;)
>>>
>>> But it never triggered (even though the first rule continues to).  So I
>>> altered it thus:
>>>
>>> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Bredolab server ack";
>>> flow:from_server,established; uricontent:"Server: gws";
>>> uricontent:"X-Powered-By: PHP"; uricontent:"+lenny4"; classtype:trojan-activity;
>>> sid:1000172; rev:2;)
>    
>>> But it still didn't trigger, so I altered it again:
>>>
>>> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Bredolab server ack";
>>> uricontent:"Server: gws"; uricontent:"X-Powered-By: PHP";
>>> uricontent:"+lenny4"; classtype:trojan-activity; sid:1000172; rev:3;)
>>>
>>> But it still didn't trigger, so I altered it yet again:
>>>
>>> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Bredolab server ack";
>>> content:"Server: gws"; content:"X-Powered-By: PHP"; content:"+lenny4";
>>> classtype:trojan-activity; sid:1000172; rev:4;)
>>>
>>> It still doesn't trigger.
>>>
>>> Someone please enlighten me.  What am I missing?
>>>
>>> --
>>> Paul Schmehl, Senior Infosec Analyst
>>> As if it wasn't already obvious, my opinions
>>> are my own and not those of my employer.
>>> *******************************************
>>> "It is as useless to argue with those who have
>>> renounced the use of reason as to administer
>>> medication to the dead." Thomas Jefferson
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.Net email is sponsored by the Verizon Developer Community
>>> Take advantage of Verizon's best-in-class app development support
>>> A streamlined, 14 day to market process makes app distribution fast and easy
>>> Join now and get one step closer to millions of Verizon customers
>>> http://p.sf.net/sfu/verizon-dev2dev
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
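The point the thread settles is that a colon inside a Snort content: pattern is literal and needs no backslash, and that snort -T accepts it either way. The script below is an added example written for this page (not code from the thread, from Paul Schmehl, or from the Snort project): it rebuilds the payload from the first eleven rows of the hexdump posted above, pulls the content: and uricontent: options out of the rev:4 rule, decodes each pattern with the escaping rules the Snort manual gives for content (pipes delimit hex bytes; ';', '\', '"' and '|' must be backslash-escaped, and a backslash in front of any other character just yields that character), and reports the offset at which each pattern occurs in the raw bytes. Assumptions: hexdump rows hold 16 bytes, patterns are ASCII, and the regex for option extraction covers only the quoted content forms used in this thread. One caveat worth knowing for the rev:2/rev:3 variants: uricontent searches only the normalized request-URI buffer, so it is never evaluated against bytes in a server response; the script reports such patterns separately rather than pretending to match them.

```python
"""Added example (not from the thread): decode the posted hexdump and test
the rule's content: strings against the raw bytes using Snort's escaping
rules for content patterns. Assumes 16-byte hexdump rows and ASCII patterns."""
import re

# Copied from the thread (header portion only); the parser ignores the ASCII column.
PACKET_DUMP = """\
000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D   HTTP/1.1 200 OK.
010 : 0A 53 65 72 76 65 72 3A 20 67 77 73 0D 0A 44 61   .Server: gws..Da
020 : 74 65 3A 20 54 75 65 2C 20 31 32 20 4A 61 6E 20   te: Tue, 12 Jan
030 : 32 30 31 30 20 30 36 3A 34 35 3A 30 38 20 47 4D   2010 06:45:08 GM
040 : 54 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A   T..Content-Type:
050 : 20 74 65 78 74 2F 68 74 6D 6C 0D 0A 43 6F 6E 6E    text/html..Conn
060 : 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 58   ection: close..X
070 : 2D 50 6F 77 65 72 65 64 2D 42 79 3A 20 50 48 50   -Powered-By: PHP
080 : 2F 35 2E 32 2E 36 2D 31 2B 6C 65 6E 6E 79 34 0D   /5.2.6-1+lenny4.
090 : 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A   .Content-Length:
0a0 : 20 31 32 30 0D 0A 0D 0A 33 43 33 45 37 41 36 45    120....3C3E7A6E
"""

# The rev:4 rule from the thread, verbatim.
RULE = ('alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Bredolab server ack"; '
        'content:"Server: gws"; content:"X-Powered-By: PHP"; content:"+lenny4"; '
        'classtype:trojan-activity; sid:1000172; rev:4;)')

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
# Matches content:"..." / uricontent:"..." and keeps backslash escapes intact.
CONTENT_OPT = re.compile(r'\b(uricontent|content)\s*:\s*"((?:[^"\\]|\\.)*)"')


def parse_hexdump(dump: str, width: int = 16) -> bytes:
    """Rebuild the payload from 'offset : xx xx ... ascii' rows. Only the first
    `width` tokens after the first colon are read, so ASCII text that happens
    to look like hex (the '12' in 'Tue, 12 Jan') is never consumed."""
    data = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        tokens = line.split(":", 1)[1].split()[:width]
        data.extend(int(t, 16) for t in tokens if HEX_PAIR.fullmatch(t))
    return bytes(data)


def rule_contents(rule: str):
    """Return [(keyword, raw pattern text), ...] for every content-style option."""
    return [(m.group(1), m.group(2)) for m in CONTENT_OPT.finditer(rule)]


def decode_content(pattern: str) -> bytes:
    """Turn the text between the quotes of a content: option into raw bytes.
    '|..|' runs are hex bytes; a backslash makes the next character literal
    (required for ';', '\\', '"' and '|', harmless elsewhere, which is why
    both "X-Powered-By: PHP" and "X-Powered-By\\: PHP" decode identically)."""
    out = bytearray()
    i, in_hex = 0, False
    while i < len(pattern):
        c = pattern[i]
        if in_hex:
            if c == "|":
                in_hex = False
                i += 1
            elif c.isspace():
                i += 1
            else:
                out.append(int(pattern[i:i + 2], 16))
                i += 2
        elif c == "|":
            in_hex = True
            i += 1
        elif c == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling backslash in content pattern")
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    if in_hex:
        raise ValueError("unterminated |hex| run in content pattern")
    return bytes(out)


def check_rule(rule: str, payload: bytes) -> dict:
    """Map each content: pattern to the offset of its first occurrence in the
    payload (-1 if absent). uricontent: patterns are listed separately: that
    keyword searches only the normalized request-URI buffer, so it is never
    evaluated against a server response like this one."""
    result = {"content": {}, "uricontent": []}
    for keyword, raw in rule_contents(rule):
        if keyword == "uricontent":
            result["uricontent"].append(raw)
        else:
            result["content"][raw] = payload.find(decode_content(raw))
    return result


if __name__ == "__main__":
    payload = parse_hexdump(PACKET_DUMP)
    print(check_rule(RULE, payload))
    print(decode_content(r"X-Powered-By\: PHP") == decode_content("X-Powered-By: PHP"))
```

Run it and every content: pattern of the rev:4 rule is found in the bytes, escaped or not, which is the same verdict snort -T gave Paul; the script says nothing about why the live sensor did not alert, only that the literal bytes and the escaping are not the problem.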