[Snort-users] snort http_inspect

sgt_b sgt_b at ...11733...
Tue May 11 10:02:04 EDT 2004


Hey Matteo,

I've run the exact same thing in my lab, and snort picks up the chunked 
encoding, as well as the http_inspect alert you mentioned. I tested this 
using Nessus 2.0.10a and its Apache Chunked Encoding vulnerability plugin.
Perhaps your attack simply doesn't match the rule. A packet trace might 
help.

sgt_b

nyarlathothep at ...2470... wrote:

>Hello everyone,
>I have a question about the use of Snort's preprocessors:
>I've installed Snort on a Linux box and I've tried from outside to do an APACHE
>CHUNKED ENCODE (Bugtraq ID: 5033, CVE:). 
>Snort records in the database only the http_inspect data, so: (http_inspect)
>OVERSIZE CHUNK ENCODING
>but it doesn't activate the rules, one of these I think:
>
>web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>(msg:"WEB-MISC Apache Chunked-Encoding worm attempt";
>flow:to_server,established; content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase;
>classtype:web-application-attack; reference:bugtraq,4474;
>reference:cve,CAN-2002-0079;reference:bugtraq,5033; reference:cve,CAN-2002-0392;
>sid:1809; rev:2;)
>
>web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>(msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established;
>content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase;
>classtype:web-application-attack; reference:bugtraq,4474;
>reference:cve,CAN-2002-0079; reference:bugtraq,5033;
>reference:cve,CAN-2002-0392; sid:1807; rev:2;)
>
>web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>(msg:"WEB-MISC apache chunked encoding memory corruption exploit attempt";
>flow:established,to_server; content:"|C0 50 52 89 E1 50 51 52 50 B8 3B 00 00 00
>CD 80|"; reference:bugtraq,5033; reference:cve,CAN-2002-0392;
>classtype:web-application-activity; sid:1808; rev:3;)
>
>
>In fact I need the rules, which show me the correct reference ID (bugtraq and so on) to
>correlate the Snort data with the VA.
>
>Could someone help me? Do I have to deactivate the preprocessor?
>
>Thanks ,
>
>Matteo
>
>
>
>
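One way to act on sgt_b's suggestion is to take the request bytes out of the packet trace and check them offline against the content options of the three rules Matteo quoted, alongside a parse of the chunk-size lines that http_inspect's OVERSIZE CHUNK ENCODING check keys on. The script below is an added example written for this archive page, not code from the thread or from the Snort project. It models only the content/nocase semantics of sids 1807, 1808 and 1809 (flow, stream reassembly and http_inspect normalization are ignored), the three request samples are constructed here rather than captured, and the 500000-byte oversize threshold is an assumption taken from the chunk_length default documented for later Snort 2.x releases.

```python
import re

# Content options copied from the three web-misc rules quoted in the thread,
# as (pattern list, nocase) per sid. Every other rule option is ignored here.
RULE_CONTENTS = {
    1807: ([r"Transfer-Encoding\:", "chunked"], True),
    1808: (["|C0 50 52 89 E1 50 51 52 50 B8 3B 00 00 00 CD 80|"], False),
    1809: ([r"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"], True),
}

# Assumed threshold for http_inspect's OVERSIZE CHUNK ENCODING alert
# (the chunk_length option); 500000 is the default documented for later Snort 2.x.
OVERSIZE_CHUNK = 500000


def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: |..| is hex, backslash escapes the next character."""
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "|":
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        elif c == "\\":
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def rule_matches(payload: bytes, patterns, nocase: bool) -> bool:
    """True if every content pattern occurs somewhere in the payload (no distance/within)."""
    hay = payload.lower() if nocase else payload
    for spec in patterns:
        needle = parse_content(spec)
        if nocase:
            needle = needle.lower()
        if needle not in hay:
            return False
    return True


def matching_sids(payload: bytes):
    """Sids from RULE_CONTENTS whose content options all match the payload."""
    return sorted(sid for sid, (pats, nocase) in RULE_CONTENTS.items()
                  if rule_matches(payload, pats, nocase))


def chunk_sizes(payload: bytes):
    """Parse the chunk-size lines of a chunked request body, stopping at the first bad one."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not re.search(rb"(?im)^transfer-encoding:\s*chunked", head):
        return []
    sizes = []
    pos = 0
    while pos < len(body):
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break
        line = body[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9a-fA-F]+", line):
            break
        size = int(line, 16)
        sizes.append(size)
        if size == 0:
            break
        pos = eol + 2 + size + 2  # skip the chunk data and its trailing CRLF
    return sizes


def oversize_chunks(payload: bytes, limit: int = OVERSIZE_CHUNK):
    """Chunk sizes that would trip the assumed http_inspect oversize threshold."""
    return [s for s in chunk_sizes(payload) if s > limit]


# Constructed sample requests (not captures from the thread).
# 1) Minimal exploit-style request: chunked, absurd chunk size, filler data.
EXPLOIT_STYLE = (b"POST / HTTP/1.1\r\nHost: target\r\nTransfer-Encoding: chunked\r\n\r\n"
                 b"fffffff0\r\n" + b"X" * 64 + b"\r\n")
# 2) Request carrying the padding header that sid:1809 looks for.
WORM_STYLE = (b"GET / HTTP/1.1\r\nHost: target\r\nTransfer-Encoding: chunked\r\n"
              b"CCCCCCC: AAAAAAAAAAAAAAAAAAA\r\n\r\nfffffff0\r\n" + b"X" * 64 + b"\r\n")
# 3) Benign chunked upload.
BENIGN = (b"POST /upload HTTP/1.1\r\nHost: target\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")


if __name__ == "__main__":
    for name, p in [("exploit-style", EXPLOIT_STYLE), ("worm-style", WORM_STYLE),
                    ("benign", BENIGN)]:
        print(f"{name}: sids {matching_sids(p)}, oversize chunks {oversize_chunks(p)}")
```

Run against the request pulled from a trace of the actual attack: sid:1807 needs only the Transfer-Encoding header, so a chunked request that shows an oversize chunk but no 1807 hit points at the rule not being loaded or the headers not arriving in the form the rule expects, while sids 1808 and 1809 only fire on the specific shellcode bytes and worm padding and are expected to stay quiet for a generic test. A real Snort run with the same pcap remains the authority, since this script does not model stream reassembly or http_inspect normalization.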