[Snort-users] New Vision Rule Problems (not?)

Christopher Cramer cec at ...68...
Sun Aug 20 23:29:03 EDT 2000


I see the same problems under Snort 1.6.3 on a Solaris 2.7 box.  

The error is:

ERROR Line 1 => Content data needs to be enclosed in quotation marks (")!


The solution is fairly simple, rewrite the rule as:

alert TCP any any -> any 80 (msg: "IDS305/web-IIS view source via Translate header"; content: "Translate\: F"; nocase; flags: AP;)

Basically, prepend the : with a \.  What is happening is that the rules
parser is making a call to mSplit().  This function is splitting based on
the ':'.  The way of avoiding this is to use the "meta" character, which
in the case of the rules call to mSplit is \, to indicate that this
particular : should not indicate a token separator.  

The fact that the text in question is enclosed in quotes makes no
difference to mSplit.  So, mSplit gives a token that isn't enclosed in
quotes, and the content plugin hangs up on it.

-Chris

----------------------------------------------------------------------
Dr. Christopher E. Cramer
Associate in Research
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...68...


On Sun, 20 Aug 2000, Michael Davis wrote:

> Hello,
> 
> >  We don't treat colon (`:') as any special character in content argument
> > parsing routine (have a look on parse-pattern). Basically only following
> > rules apply to content argument:
> 
> It appears to try to parse the colon as another delimiter, such as when
> it splits 'content: "|0980|" '
> into 'content' and ' "|0980|" '
> 
> If you compile mstring.c with DEBUG you can see what is happening:
> mSplit got 2 tokens!
> [*] Splitting string:  content: "Translate: F"
> curr_str = 0
> max_strs = 3  curr_str = 0
> Allocating 9 bytes for token tok[0]:  content
> curr_str = 1
> max_strs = 3  curr_str = 1
> Checking if curr_str (1) >= max_strs (3)
> Allocating 12 bytes for token tok[1]:  "Translate
> curr_str = 2
> max_strs = 3  curr_str = 2
> Checking if curr_str (2) >= max_strs (3)
> Allocating 4 bytes for last token tok[2]:  F"
> mSplit got 3 tokens!
> ERROR Line 92 => Content data needs to be enclosed in quotation marks (")!
> 
> This is as far as I have gotten in debugging the problem.
> 
> As stated before it does not appear to be WIN32 specific. I have tested the
> rule on a Debian Linux machine, FreeBSD 4.0 machine, and WIN32. All using
> default builds (./configure ; make)
> 
> Michael Davis
> Chief Technical Officer
> Data Nerds, LLC.
> http://www.datanerds.net
> 
> > all characters should be in range from 0x1f - 0x7e (strange, I would put
> > 0x20 for starters, and 0x80 for endings ;-)), if character is `|' and it's
> > not prepended by literal character ('\') parser enters hex mode, where
> > only 0-9a-fA-F  (verified by isxdigit(3)) and spaces are allowed. |
> > switches back to `normal' mode. That's it.
> >
> > By the way, would you mind elaborating on `have the problem'. Are you
> > getting any error message or the rule just `doesn't seem to work'? (sorry
> > if I missed any details in earlier posts under this thread).
> >
> >
> >
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
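The following Python is an added illustration, not code from this thread, from Snort's mstring.c, or from its content plugin. It models the two parsing behaviours the thread describes: an mSplit-style tokenizer that splits on ':' without honouring quotes and treats '\' as a meta character, and a parse-pattern-style decoder for the content argument's |hex| mode. The function names (msplit, parse_content_option, content_error, parse_pattern), the default max_strs of 3 (taken from the debug trace above), and the choice that the meta character is dropped once it has escaped the next character are assumptions; the sample rule options are the ones quoted in the thread.

```python
"""Toy model of the tokenizing behaviour described in the thread.

Added illustration; not Snort's mstring.c or its content plugin.
Assumptions: the meta character is consumed when it escapes a character,
and max_strs=3 as shown in the DEBUG trace quoted above.
"""

from typing import List

HEX_DIGITS = "0123456789abcdefABCDEF"


def msplit(text: str, sep: str = ":", max_strs: int = 3, meta: str = "\\") -> List[str]:
    """Split `text` on any character in `sep`, yielding at most `max_strs` tokens.

    Quotes are NOT honoured, so a ':' inside "..." still splits.  The meta
    character makes the following character literal and is itself dropped
    (assumption).  Once max_strs - 1 tokens have been cut, the remainder of
    the string becomes the last token.
    """
    tokens: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == meta and i + 1 < len(text):
            cur.append(text[i + 1])  # escaped: never a separator
            i += 2
            continue
        if ch in sep and len(tokens) < max_strs - 1:
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    tokens.append("".join(cur))
    return tokens


def parse_content_option(option: str) -> str:
    """Mimic the content plugin's check that its data token is quoted.

    Returns the pattern with the surrounding quotes removed, or raises
    ValueError with the message seen in the thread.
    """
    toks = msplit(option, sep=":", max_strs=3)
    if len(toks) < 2:
        raise ValueError("content option needs an argument")
    data = toks[1].strip()
    if len(data) < 2 or data[0] != '"' or data[-1] != '"':
        raise ValueError('Content data needs to be enclosed in quotation marks (")!')
    return data[1:-1]


def content_error(option: str) -> str:
    """Return the parser's error message for `option`, or "" if it parses."""
    try:
        parse_content_option(option)
    except ValueError as exc:
        return str(exc)
    return ""


def parse_pattern(data: str) -> bytes:
    """Decode a content pattern the way the quoted description of parse-pattern says.

    Printable characters are taken literally, '\\' makes the next character
    literal, and an unescaped '|' toggles hex mode, where only hex digits and
    spaces are allowed until the closing '|'.
    """
    out = bytearray()
    hexbuf: List[str] = []
    hexmode = False
    i = 0
    while i < len(data):
        ch = data[i]
        if not hexmode:
            if ch == "\\" and i + 1 < len(data):
                out.append(ord(data[i + 1]))  # literal next char, e.g. '\|'
                i += 2
                continue
            if ch == "|":
                hexmode, hexbuf = True, []
            elif 0x1F <= ord(ch) <= 0x7E:  # range stated in the thread
                out.append(ord(ch))
            else:
                raise ValueError("character out of range in content pattern")
        else:
            if ch == "|":
                if len(hexbuf) % 2:
                    raise ValueError("odd number of hex digits")
                out.extend(bytes.fromhex("".join(hexbuf)))
                hexmode = False
            elif ch in HEX_DIGITS:
                hexbuf.append(ch)
            elif not ch.isspace():
                raise ValueError("non-hex character in hex mode")
        i += 1
    if hexmode:
        raise ValueError("unterminated hex sequence")
    return bytes(out)


if __name__ == "__main__":
    for opt in ('content: "Translate: F"', 'content: "Translate\\: F"'):
        print(repr(opt), "->", msplit(opt), "|", content_error(opt) or "ok")
```

Whether the real tokenizer drops the backslash or leaves it for the content plugin does not change the outcome: if it is left in, parse_pattern's own '\' handling turns `Translate\: F` into the same bytes as `Translate: F`, so the rule matches the header either way.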