[Snort-users] snort http_inspect

nyarlathothep@libero.it nyarlathothep at ...2470...
Tue May 11 05:16:08 EDT 2004


Hello everyone,
I have a question about the use of the Snorts preprocessors:
I've installed Snort on  a Linux box and I've tried from outside to do a APACHE
CHUNKED ENCODE (Bugtraq ID: 5033, CVE:).
Snort records in the database only the http_inspect data, so :  (http_inspect)
OVERSIZE CHUNK ENCODING
but it dsnt activate the rules, one of those I think:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC Apache Chunked-Encoding worm attempt";
flow:to_server,established; content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase;
classtype:web-application-attack; reference:bugtraq,4474;
reference:cve,CAN-2002-0079;reference:bugtraq,5033; reference:cve,CAN-2002-0392;
sid:1809; rev:2;)

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established;
content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase;
classtype:web-application-attack; reference:bugtraq,4474;
reference:cve,CAN-2002-0079; reference:bugtraq,5033;
reference:cve,CAN-2002-0392; sid:1807; rev:2;)

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC apache chunked encoding memory corruption exploit attempt";
flow:established,to_server; content:"|C0 50 52 89 E1 50 51 52 50 B8 3B 00 00 00
CD 80|"; reference:bugtraq,5033; reference:cve,CAN-2002-0392;
classtype:web-application-activity; sid:1808; rev:3;)


In fact I need the rules, that show me the correct ref ID (bugtraq and so on) to
correlate the snort data with the VA.

Could someone help me? I have to deactivate the preprocessor?

Thanks ,

Matteo






More information about the Snort-users mailing list