[Snort-sigs] issues with 2011033 - ET SCAN HTTP HEAD invalid method case

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Mon Jan 31 16:37:33 EST 2011


Hello snorters.  I am seeing alerts from this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN
HTTP HEAD invalid method case"; flow:established,to_server;
content:"head"; http_method; nocase; content:!"HEAD"; http_method;
classtype:bad-unknown;
reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
reference:url,doc.emergingthreats.net/2011033;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Invalid_Method;
sid:2011033; rev:7;)

But I go back and look at the logged packed by snort and only see this:

-----

08:53:54.207874 IP s.r.f.r.46691 > s.u.x.s.80: R
2457731972:2457733232(1260) ack 1077321784 win 32768
E...c........QQS...^M...P.~.. at ...3558... 0px 5px 5px; border-right:
2px dotted #cbcbcb; color: #558800;}
#globalMiscContent {float: left; margin-top: 3px}
#globalSearch {float: left; width:225px; height: 35px; margin: 5px 0px
5px 10px; color: #558800 /*#568900*/}
#globalSearchContent {float: left; margin-top: 7px}

#pageBrandingLarge {float: left; width: 671px; height:205px;
background-color:#e2e2e2; border-top: 1px solid #ffffff;}
#pageBrandingSmall {float: left; width: 671px; height:33px;
background-color:#e2e2e2; border-top: 1px solid #ffffff;}
#pageLogin {float: left; width: 223px; height:239px;
background-color:#f2f2f2; border-top: 1px solid #ffffff;border-right:
1px solid #ffffff;}

#loginHeader {height: 28px; background-color: #88bb00; padding-top: 8px;}
.loginHeaderText {font-size: 16px; color: #fff; font-weight: bold;
margin-left: 15px;}

#loginContent { font-size: 12px; color: #444;  margin: 10px 15px;}
#loginContent a:link,#loginContent a:visited {color:#558800;
font-size: 11px; font-weight: normal;}
#loginContent a:hover,#loginContent a:active {color:#558800;
font-size: 11px; text-decoration: underline;}
.loginItem {background:url(img/arrowGray_Small.gif) no-repeat left;
text-indent: 7px; color:#558800; margin: 4px 0px 3px 0px; }

#pageBrandingTop {he

-----

I am on the latest snort version, 2.9.0.3 and I compiled w/ gzip
support and I have the http_inspect preprocessor enabled.  From
snort.conf:

-----
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: \
    server default \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    chunk_length 500000 \
    flow_depth 1460 \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    oversize_dir_length 500 \
    ports { 80 8080 8180 3128 } \
    u_encode yes \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    webroot no \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip
-----

Looking at the snort rule, it looks sound but it appears the
appropriate HTTP buffers (e.g. http_method) are not getting populated
correctly.  Is this the case?  I know the HTTP preprocessor has had
some recent changes and has had *a lot* of issues in the past so I'm
curious if this is a known bug and being worked on.

I am copying the EmergingThreats list too in case others are having
problems and can help out.

Thanks.

-L0rd C.




More information about the Snort-sigs mailing list