[Snort-sigs] [Emerging-Sigs] issues with 2011033 - ET SCAN HTTP HEAD invalid method case

Matthew Jonkman jonkman at ...3525...
Mon Jan 31 16:44:35 EST 2011


I have not seen or heard of this issue, that's generally a pretty solid sig.

How about trying the non http_* version? Just depth 5 instead of http_*

Matt


On Jan 31, 2011, at 4:37 PM, L0rd Ch0de1m0rt wrote:

> Hello snorters.  I am seeing alerts from this rule:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN
> HTTP HEAD invalid method case"; flow:established,to_server;
> content:"head"; http_method; nocase; content:!"HEAD"; http_method;
> classtype:bad-unknown;
> reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
> reference:url,doc.emergingthreats.net/2011033;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Invalid_Method;
> sid:2011033; rev:7;)
> 
> But I go back and look at the logged packet by snort and only see this:
> 
> -----
> 
> 08:53:54.207874 IP s.r.f.r.46691 > s.u.x.s.80: R
> 2457731972:2457733232(1260) ack 1077321784 win 32768
> E...c........QQS...^M...P.~.. at ...3558... 0px 5px 5px; border-right:
> 2px dotted #cbcbcb; color: #558800;}
> #globalMiscContent {float: left; margin-top: 3px}
> #globalSearch {float: left; width:225px; height: 35px; margin: 5px 0px
> 5px 10px; color: #558800 /*#568900*/}
> #globalSearchContent {float: left; margin-top: 7px}
> 
> #pageBrandingLarge {float: left; width: 671px; height:205px;
> background-color:#e2e2e2; border-top: 1px solid #ffffff;}
> #pageBrandingSmall {float: left; width: 671px; height:33px;
> background-color:#e2e2e2; border-top: 1px solid #ffffff;}
> #pageLogin {float: left; width: 223px; height:239px;
> background-color:#f2f2f2; border-top: 1px solid #ffffff;border-right:
> 1px solid #ffffff;}
> 
> #loginHeader {height: 28px; background-color: #88bb00; padding-top: 8px;}
> .loginHeaderText {font-size: 16px; color: #fff; font-weight: bold;
> margin-left: 15px;}
> 
> #loginContent { font-size: 12px; color: #444;  margin: 10px 15px;}
> #loginContent a:link,#loginContent a:visited {color:#558800;
> font-size: 11px; font-weight: normal;}
> #loginContent a:hover,#loginContent a:active {color:#558800;
> font-size: 11px; text-decoration: underline;}
> .loginItem {background:url(img/arrowGray_Small.gif) no-repeat left;
> text-indent: 7px; color:#558800; margin: 4px 0px 3px 0px; }
> 
> #pageBrandingTop {he
> 
> -----
> 
> I am on the latest snort version, 2.9.0.3 and I compiled w/ gzip
> support and I have the http_inspect preprocessor enabled.  From
> snort.conf:
> 
> -----
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: \
>    server default \
>    apache_whitespace no \
>    ascii no \
>    bare_byte no \
>    chunk_length 500000 \
>    flow_depth 1460 \
>    directory no \
>    double_decode no \
>    iis_backslash no \
>    iis_delimiter no \
>    iis_unicode no \
>    multi_slash no \
>    non_strict \
>    oversize_dir_length 500 \
>    ports { 80 8080 8180 3128 } \
>    u_encode yes \
>    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>    webroot no \
>    server_flow_depth 0 \
>    client_flow_depth 0 \
>    post_depth 65495 \
>    oversize_dir_length 500 \
>    max_header_length 750 \
>    max_headers 100 \
>    enable_cookie \
>    extended_response_inspection \
>    inspect_gzip
> -----
> 
> Looking at the snort rule, it looks sound but it appears the
> appropriate HTTP buffers (e.g. http_method) are not getting populated
> correctly.  Is this the case?  I know the HTTP preprocessor has had
> some recent changes and has had *a lot* of issues in the past so I'm
> curious if this is a known bug and being worked on.
> 
> I am copying the EmergingThreats list too in case others are having
> problems and can help out.
> 
> Thanks.
> 
> -L0rd C.


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
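To make the two forms of the rule concrete, here is an added illustration (my own code, not part of this thread or the ET ruleset) that models the rule logic in Python: the posted http_method form, and the raw-buffer "depth 5" form Matt suggests, which I assume reads as content:"head"; depth:5; nocase; content:!"HEAD"; depth:5. The sample payloads are constructed, not the logged packet from the report.

```python
import re

SID = 2011033  # sid of the quoted rule, for reference only


def method_buffer(payload: bytes):
    """Approximate what http_inspect exposes as the http_method buffer:
    the token before the first space of a well-formed request line.
    Returns None when the segment is not a request line at all (for
    example a response body fragment), i.e. the buffer stays unpopulated."""
    line, _, _ = payload.partition(b"\r\n")
    m = re.match(rb"([A-Za-z]+) \S+ HTTP/\d\.\d$", line)
    return m.group(1) if m else None


def fires_http_method_form(payload: bytes) -> bool:
    """Rule as posted: content:"head"; http_method; nocase;
    content:!"HEAD"; http_method;  -> alert only when the method is
    'head' in some case other than the RFC 2616 upper-case spelling."""
    meth = method_buffer(payload)
    if meth is None:
        return False  # no method buffer, nothing to match against
    return b"head" in meth.lower() and b"HEAD" not in meth


def fires_depth5_form(payload: bytes) -> bool:
    """Assumed raw-buffer variant: content:"head"; depth:5; nocase;
    content:!"HEAD"; depth:5;  -> same two checks, but against the first
    five bytes of the segment payload rather than a parsed method."""
    window = payload[:5]
    return b"head" in window.lower() and b"HEAD" not in window


# Constructed samples: a correct HEAD, a mixed-case HEAD, a CSS fragment like
# the one in the report, and a CSS fragment that happens to begin with 'head'.
SAMPLES = {
    "upper":     b"HEAD / HTTP/1.1\r\nHost: example\r\n\r\n",
    "mixed":     b"Head / HTTP/1.1\r\nHost: example\r\n\r\n",
    "css":       b"#loginHeader {height: 28px;}\r\n",
    "css_head":  b"header {color: #558800;}\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {name: (http_method_form, depth5_form)} for each sample."""
    return {n: (fires_http_method_form(p), fires_depth5_form(p))
            for n, p in samples.items()}


if __name__ == "__main__":
    for name, (a, b) in evaluate().items():
        print(f"{name:9s} http_method={a!s:5s} depth5={b!s:5s}")
```

The last sample shows the trade-off in the raw form: it no longer depends on http_inspect populating the buffer, but any to_server segment whose payload starts with "head" (here a CSS body fragment) will match, which the http_method form ignores.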
