[Snort-users] consensus on BASE

James Affeld jamesaffeld at ...131...
Thu Jun 1 19:39:02 EDT 2006


I love sguil.  It makes it easy to get the information
you most often want, and possible to get the rest -
and it scales to millions of events.  



--- snort-users-request at lists.sourceforge.net wrote:

> 
> Today's Topics:
> 
>    1. RE: consensus on BASE (John Hally)
>    2. Snort In-Line on a Linux host running as a
> Bridge (Sam Evans)
>    3. RE: [Snort-devel] Possible Evasion in
> http_inspect (Joel Ebrahimi)
> 
> --__--__--
> 
> Message: 1
> From: John Hally <JHally at ...5637...>
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] consensus on BASE
> Date: Thu, 1 Jun 2006 08:22:16 -0400 
> 
> I run both BASE and commercial Aanval.  Aanval is a very good console for
> the price ($99/sensor) and has many more reporting features and such.
> 
> I agree with the observations on sguil that it can be a pain to install.
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On
> Behalf Of John Newman
> Sent: Friday, May 26, 2006 12:44 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] consensus on BASE
> 
> Is the consensus that BASE is the best web front-end for snort out there
> (and I mean free, open source stuff)?  What are people's experiences
> with sguil (which I realize is not web based)?
> 
> thanks,
> 
> -- 
> John Newman
> Systems Administrator, WebXess Inc.
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> --__--__--
> 
> Message: 2
> Date: Thu, 1 Jun 2006 08:52:55 -0600
> From: "Sam Evans" <wintrmte at ...11827...>
> To: "snort-users @lists.sourceforge.net"
> <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Snort In-Line on a Linux host
> running as a Bridge
> 
> All,
> 
> I was wondering if anyone has any documentation on using Snort In-Line
> on a Linux host acting as a bridge?  I have never done this before
> (always use ip forwarding) but the project I am on is requiring that I
> bridge.
> 
> If anyone can point me in the right direction, I would appreciate it.
> 
> Thx,
> Sam
> 
> 
> --__--__--
> 
> Message: 3
> Date: Thu, 1 Jun 2006 09:19:58 -0700
> From: "Joel Ebrahimi" <jebrahimi at ...4451...>
> To: <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] RE: [Snort-devel] Possible
> Evasion in http_inspect
> 
> 
> It doesn't appear that the email I sent out prior to this to both the
> devel list and users list ever made it through entirely (I see it on the
> marc mirror but I never got it sent to me and it never seems to have
> made it to users).
> Since the bypass is trivial to implement I would hope that this patch
> could get reviewed by the devel/user community asap.
> Reposting yesterday's message below.
>
----------------------------------------------------------
> 
> A large scale Snort evasion has been discovered by Blake Hartstein, a
> member of the Demarc Threat Research Team.
> 
> The evasion technique allows an attack to bypass detection of
> "uricontent" rules by adding a carriage return to the end of a URL,
> directly before the HTTP protocol declaration.
> 
> This affects thousands of rules in the standard Snort base rule sets.
> 
> Due to the seriousness of this vulnerability, we have developed a
> working patch for public review. See below.
> 
> This patch addresses the carriage return bug and should catch the known
> evasion attempts but further research needs to be done to determine if
> there are any other possible impacts of this bug. The detection for
> evasion is turned on by default under all profiles but can also be used
> as a server configuration option:
> 
> -----HTTP Inspect Server Configuration-----
> 
> non_std_cr <yes|no>
> 
> This option generates an alert when a non standard carriage return
> character is detected in the URI.
> 
> -----end-----
> 
> 
> More information including a pre-patched tarball, a simple proof of
> concept, and a copy of this patch can be found at
> http://www.demarc.com/support/downloads/patch_20060531
> 
> With the release of this information we have also released a fix to all
> our Sentarus customers. If your auto-updates are turned on, then a patch
> and all related updates have already been applied, or you can go into
> your Sentarus management console and request an immediate update.
> 
> 
> // Joel
> 
>  Joel Ebrahimi
>  Demarc Security, Inc.
>  jebrahimi at ...4451...
>  http://www.demarc.com/
> 
> 
> -----Patch for Snort-2.4.4--
> =20
> diff -Nuar
>
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
> =
>
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
> ---
>
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
> =
> 2005-03-16 13:52:18.000000000 -0800
> +++
>
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
> =
> 2006-05-30 22:54:44.000000000 -0700
> @@ -40,6 +40,7 @@
> =20
>  #define URI_END  1
>  #define NO_URI  -1
> +#define CR_IN_URI 18=20
>  #define INVALID_HEX_VAL -1
> =20
>  /**
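Review bot: `#define CR_IN_URI 18` hard-codes the same number that hi_eo_events.h gives `HI_EO_CLIENT_CR_IN_URI`, and the two will drift apart silently if either is renumbered; since `URI_END` (1) and `NO_URI` (-1) are return codes of the URI-end check rather than event ids, pick any small distinct value here (e.g. `#define CR_IN_URI 2`) and keep the event id only in the event table. The added line also carries trailing whitespace (the `=20` after `18`).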
> @@ -455,6 +456,11 @@
>          return URI_END;
>      }
> =20
> + if(isspace(**ptr) )
> + {
> +  return CR_IN_URI;
> + }
> +
>      return NO_URI;
>  }
> =20
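Review bot: `if(isspace(**ptr) )` has two portability problems: `isspace()` is only defined for values representable as `unsigned char` or `EOF`, so if `ptr` points at plain `char` a URI byte above 0x7F is undefined behaviour and should be written `isspace((unsigned char)**ptr)`; and the hunk does not add `#include <ctype.h>`, so please confirm hi_client.c already includes it. Note also that the condition matches every C-locale whitespace byte (tab, LF, VT, FF, space and CR), not only `\r`, which is wider than the name `CR_IN_URI` suggests; if that is intended, say so in a comment, otherwise test for `'\r'` explicitly.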
> @@ -1345,8 +1351,21 @@
>                      */
>                      break;
>                  }
> +  else if(iRet =3D=3D CR_IN_URI)
> +  {
> +          =
>
if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert))
> +          {
> +               =
>
hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert,
> +                                   NULL, NULL);
> +   }
> +   break;
> +  }
> +
> +
> +
>                  else /* NO_URI */
>                  {
> +
>                      /*
>                      **  Check for chunk encoding,
> because the delimiter =
> can
>                      **  also be a space, which
> would look like a =
> pipeline request
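Review bot: the new `else if(iRet =3D=3D CR_IN_URI)` block is indented with two spaces and is followed by three empty `+` lines before `else /* NO_URI */`, neither of which matches the four-space style of the surrounding code; please reindent and drop the blank lines. More importantly, the visible branch only logs the event and then `break`s: the covering mail says the patch "should catch the known evasion attempts", so it should be stated (in a comment here, and ideally checked with the PoC request from the download page) that the URI bytes collected up to the whitespace are still handed on as the URI buffer, otherwise `uricontent` rules get an alert but still no match.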
> diff -Nuar =
>
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
> =
>
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
> 
> ---
>
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
> =
> 2004-03-11 14:25:53.000000000 -0800
> +++ =
>
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
>  2006-05-30 10:27:49.000000000 -0700
> @@ -64,7 +64,9 @@
>      {HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY,
>          HI_EO_CLIENT_PROXY_USE_STR },
>      {HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY,
> -        HI_EO_CLIENT_WEBROOT_DIR_STR }
> +        HI_EO_CLIENT_WEBROOT_DIR_STR },
> +    { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY,
> +        HI_EO_CLIENT_CR_IN_URI_STR },
>  };
> =20
>  static HI_EVENT_INFO =
> anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM]
> =3D {
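Review bot: the initializer style differs from its neighbours (`{ HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY,` versus `{HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY,`); please match the existing spacing. By analogy with `anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM]` just below, this table is sized by `HI_EO_CLIENT_EVENT_NUM`, so this hunk only compiles and lines up with event id 18 when the hi_eo_events.h change that bumps the count to 19 is applied with it; the two files must be merged together.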
> diff -Nuar =
>
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
> =
>
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
> ---
>
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
> =
> 2004-03-11 14:25:53.000000000 -0800
> +++ =
>
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
> =
> 2006-05-25 13:01:08.000000000 -0700
> @@ -24,13 +24,14 @@
>  #define HI_EO_CLIENT_LARGE_CHUNK    15  /* done */
>  #define HI_EO_CLIENT_PROXY_USE      16  /* done */
>  #define HI_EO_CLIENT_WEBROOT_DIR    17  /* done */
> +#define HI_EO_CLIENT_CR_IN_URI      18  /* done */
> =20
>  /*
>  **  IMPORTANT:
>  **  Every time you add a client event, this number
> must be
>  **  incremented.
>  */
> -#define HI_EO_CLIENT_EVENT_NUM      18
> +#define HI_EO_CLIENT_EVENT_NUM      19
> =20
>  /*
>  **  These defines are the alert names for each
> event
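Review bot: the `/* done */` marker is copied from the existing lines, but nothing in the patch documents the new client event 18 where users look for it (the http_inspect README and the generator/sid listing used for `suppress` and threshold entries); please add an entry alongside `HI_EO_CLIENT_WEBROOT_DIR` so the alert can be tuned.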
> @@ -71,6 +72,8 @@
>      "(http_inspect) UNAUTHORIZED PROXY USE
> DETECTED"
>  #define HI_EO_CLIENT_WEBROOT_DIR_STR               
>     \
>      "(http_inspect) WEBROOT DIRECTORY TRAVERSAL"
> +#define HI_EO_CLIENT_CR_IN_URI_STR                 
>      \
> +    "(http_inspect) NON-STD CARRIAGE RETURN IN URI"
> =20
>  /*
>  **  Anomalous Server Events
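Review bot: the alert text "(http_inspect) NON-STD CARRIAGE RETURN IN URI" will be emitted for any byte that `isspace()` accepts in the hi_client.c hunk, not only 0x0D, so an analyst looking at a tab, VT or FF separator will be told a carriage return was seen; either narrow the check to `'\r'` or word the string as "NON-STD WHITESPACE IN URI".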
> diff -Nuar =
>
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
> =
>
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
> ---
>
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
> =
> 2005-03-16 13:52:18.000000000 -0800
> +++ =
>
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
> =
> 2006-05-30 09:44:18.000000000 -0700
> @@ -113,6 +113,7 @@
>      HTTPINSPECT_CONF_OPT webroot;
>      HTTPINSPECT_CONF_OPT apache_whitespace;
>      HTTPINSPECT_CONF_OPT iis_delimiter;
> +    HTTPINSPECT_CONF_OPT non_std_cr;
>     =20
>  }  HTTPINSPECT_CONF;
> =20
> diff -Nuar =
>
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
> =
>
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
> fig.c
> --- =
>
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
> =
> 2005-03-16 13:52:19.000000000 -0800
> +++ =
>
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
> fig.c 2006-05-30 23:00:25.000000000 -0700
> @@ -117,6 +117,9 @@
> =20
>      GlobalConf->global_server.non_strict =3D 1;
> =20
> +    GlobalConf->global_server.non_std_cr.on =3D 1;
> +    GlobalConf->global_server.non_std_cr.alert =3D
> 1;
> +
>      return HI_SUCCESS;
>  }
> =20
> @@ -209,6 +212,9 @@
> =20
>      ServerConf->tab_uri_delimiter =3D 1;
> =20
> +    ServerConf->non_std_cr.on =3D 1;
> +    ServerConf->non_std_cr.alert =3D 1;
> +
>      return HI_SUCCESS;
>  }
>     =20
> @@ -279,6 +285,9 @@
> =20
>      ServerConf->non_strict =3D 1;
> =20
> +    ServerConf->non_std_cr.on =3D 1;
> +    ServerConf->non_std_cr.alert =3D 1;
> +
>      return HI_SUCCESS;
>  }
> =20
> @@ -349,6 +358,9 @@
> =20
>      ServerConf->tab_uri_delimiter =3D 1;
> =20
> +    ServerConf->non_std_cr.on =3D 1;
> +    ServerConf->non_std_cr.alert =3D 1;
> +
>      return HI_SUCCESS;
>  }
> =20
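Review bot: the same two assignments (`non_std_cr.on =3D 1;` and `non_std_cr.alert =3D 1;`) are pasted into the global default and three further initialisers; a small helper or a shared default struct would keep the next profile from forgetting them. Also, the Sourcefire advisory quoted further down says this evasion only applies to protected Apache servers, so enabling the alert by default in every profile should be called out in the option documentation, because sensors fronting non-Apache servers will alert on requests that profile is not otherwise concerned with.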
> diff -Nuar
> snort-2.4.4/src/preprocessors/snort_httpinspect.c =
>
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
> ---
> snort-2.4.4/src/preprocessors/snort_httpinspect.c
> 2005-08-23 =
> 08:52:19.000000000 -0700
> +++
>
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
> 2006-05-30 =
> 10:33:54.000000000 -0700
> @@ -134,6 +134,7 @@
>  #define GLOBAL_ALERT      "no_alerts"
>  #define WEBROOT           "webroot"
>  #define TAB_URI_DELIMITER "tab_uri_delimiter"
> +#define NON_STD_CR    "non_std_cr"
> =20
>  /*
>  **  Alert subkeywords
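Review bot: nit, `#define NON_STD_CR    "non_std_cr"` is not padded to the same column as the neighbouring `TAB_URI_DELIMITER "tab_uri_delimiter"` and `WEBROOT           "webroot"` entries.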
> @@ -1449,6 +1450,15 @@
>                  return iRet;
>              }
>          }
> +        else if(!strcmp(NON_STD_CR, pcToken))
> +        {
> +            ConfOpt =3D &ServerConf->non_std_cr;
> +            if((iRet =3D ProcessConfOpt(ConfOpt,
> NON_STD_CR,
> +                                      ErrorString,
> ErrStrLen)))
> +            {
> +                return iRet;
> +            }
> +        }
>          else if(!strcmp(IIS_BACKSLASH, pcToken))
>          {
>              ConfOpt =3D &ServerConf->iis_backslash;
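Review bot: the keyword is wired through `ProcessConfOpt` exactly like `iis_backslash`, which is the right hook, but the patch adds no documentation for it: the server-option list in the http_inspect README and the sample snort.conf comments should gain a `non_std_cr <yes|no>` line matching the description in the covering mail, and the default of "on" in every profile should be stated there.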
> @@ -1583,6 +1593,7 @@
>      PrintConfOpt(&ServerConf->webroot, "Web Root
> Traversal");
>      PrintConfOpt(&ServerConf->apache_whitespace,
> "Apache WhiteSpace");
>      PrintConfOpt(&ServerConf->iis_delimiter, "IIS
> Delimiter");
> +    PrintConfOpt(&ServerConf->non_std_cr, "Non-Std
> Carriage Return");
> =20
>      if(ServerConf->iis_unicode_map_filename)
>      {
> =20
> 
> -----end-----
> 
> 
> 
> > -----Original Message-----
> > From: snort-devel-admin at lists.sourceforge.net
> > [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of
> > Jennifer Steffens
> > Sent: Wednesday, May 31, 2006 3:28 PM
> > To: snort-devel at lists.sourceforge.net
> > Subject: [Snort-devel] Possible Evasion in http_inspect
> > 
> > Sourcefire is aware of a possible Snort evasion that exists in the
> > http_inspect preprocessor.  This evasion case only applies to protected
> > Apache web servers. We have prepared fixes for both the 2.4 and 2.6
> > branches and will have fully tested releases, including binaries,
> > available for both on Monday, June 5th.
> > 
> > 
> > Evasion Details:
> > 
> > The Apache web server supports special characters in HTTP requests that
> > do not affect the processing of the particular request.  The current
> > target-based profiles for Apache in the http_inspect preprocessor do not
> > properly handle these requests, resulting in the possibility that an
> > attacker can bypass detection of rules that use the "uricontent" keyword
> > by embedding special characters in an HTTP request.
> > 
> > 
> > Background Information:
> > 
> > It is important to note that this is an evasion and not a vulnerability.
> > This means that while it is possible for an attacker to bypass
> > detection, Snort sensors and the networks they protect are not at a
> > heightened risk of other attacks.
> > 
> > 
> > Timeline:
> > 
> > Sourcefire has prepared fixes and is currently finalizing a complete
> > round of testing to ensure that the fixes not only solve the issue at
> > hand but do not create new bugs as well. The following releases,
> > including binaries for Linux and Windows deployments, will be available
> > on Monday, June 5th:
> > 
> > * Snort v2.4.5
> > * Snort v2.6.0 final
> > 
> > 
> > Questions:
> > 
> > Any questions regarding these releases can be sent to
> > snort-team at ...3990...
> > 
> > Thanks,
> > Jennifer
> > 
> > 
> > --
> > Jennifer S. Steffens
> > Director, Product Management - Snort
> > Sourcefire - Security for the Real World
> > W: 410.423.1930 | C: 202.409.7707
> > www.sourcefire.com | www.snort.org
> 
> 
> 
> 
> --__--__--
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> 
> End of Snort-users Digest
> 
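
The evasion described in Joel's repost and in the Sourcefire advisory it quotes, together with the check the Demarc patch adds, modelled in Python as an added example. This is not code from the thread, from Snort or from Demarc. It assumes (a) that the protected Apache server tokenises its request line on any C-locale isspace() byte (the thread only says Apache tolerates "special characters" that do not affect processing), (b) that the unpatched http_inspect scanner recognises a URI only when it is terminated by a space, or by a tab when tab_uri_delimiter is on, and otherwise extracts no URI for uricontent to match, and (c) that the patched scanner stops at any isspace() byte, keeps the URI collected so far and raises the new event. The sample request lines and the uricontent pattern are constructed.

```python
"""
Model of the CR-before-protocol evasion of http_inspect `uricontent` rules.

Added example; not code from the thread, Snort or Demarc.  Assumptions:
 (a) the server splits the request line on any C-locale isspace() byte;
 (b) the unpatched scanner ends a URI only at a space (or a tab with
     tab_uri_delimiter on) and otherwise yields no URI buffer at all;
 (c) the patched scanner ends the URI at any isspace() byte, keeps what it
     has collected and raises an event.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ISSPACE = b" \t\n\x0b\x0c\r"                 # C-locale isspace() set
SPLIT_WS = re.compile(rb"[ \t\n\x0b\x0c\r]+")


@dataclass
class View:
    uri: Optional[bytes]          # None: this parser recognised no URI
    event: Optional[str] = None   # anomaly raised while extracting, if any


def server_view(request_line: bytes) -> View:
    """Assumption (a): Apache-like tokenisation of 'METHOD URI PROTOCOL'."""
    toks = [t for t in SPLIT_WS.split(request_line.rstrip(b"\r\n")) if t]
    return View(toks[1] if len(toks) >= 2 else None)


def ids_view(request_line: bytes, tab_uri_delimiter: bool, patched: bool) -> View:
    """Assumptions (b)/(c): http_inspect URI extraction before/after the patch."""
    sp = request_line.find(b" ")             # delimiter after the method
    if sp < 0:
        return View(None)
    start = sp + 1
    for i in range(start, len(request_line)):
        c = request_line[i:i + 1]
        if c == b" " or (tab_uri_delimiter and c == b"\t"):
            return View(request_line[start:i])                      # URI_END
        if patched and c in ISSPACE:
            return View(request_line[start:i], "NON-STD CARRIAGE RETURN IN URI")
    return View(None)                                               # NO_URI


def uricontent_hits(view: View, pattern: bytes) -> bool:
    """A uricontent option can only match a URI the sensor actually extracted."""
    return view.uri is not None and pattern in view.uri


def evade(uri: bytes, sep: bytes) -> bytes:
    """Evasive request line: the separator byte sits right before the protocol."""
    return b"GET " + uri + sep + b"HTTP/1.1\r\n"


def evasion_bytes(tab_uri_delimiter: bool) -> List[bytes]:
    """Separator bytes that the server model still parses as a normal request
    but that leave an unpatched sensor with no URI (LF is skipped because it
    would end the request line at the server)."""
    target = b"/cgi-bin/vuln.cgi"
    out = []
    for sep in (b"\t", b"\x0b", b"\x0c", b"\r"):
        line = evade(target, sep)
        unpatched = ids_view(line, tab_uri_delimiter, patched=False)
        if server_view(line).uri == target and not uricontent_hits(unpatched, b"vuln.cgi"):
            out.append(sep)
    return out


def demo() -> dict:
    rule = b"vuln.cgi"                                    # constructed pattern
    normal = b"GET /cgi-bin/vuln.cgi HTTP/1.1\r\n"        # constructed request
    evasive = evade(b"/cgi-bin/vuln.cgi", b"\r")          # CR before protocol
    return {
        "server_sees_same_uri": server_view(normal).uri == server_view(evasive).uri,
        "unpatched_hit_normal": uricontent_hits(ids_view(normal, True, False), rule),
        "unpatched_hit_evasive": uricontent_hits(ids_view(evasive, True, False), rule),
        "patched_hit_evasive": uricontent_hits(ids_view(evasive, True, True), rule),
        "patched_event": ids_view(evasive, True, True).event,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
    print("evades with tab_uri_delimiter on :", evasion_bytes(True))
    print("evades with tab_uri_delimiter off:", evasion_bytes(False))
```

Running it prints the four outcomes (the server sees the same URI either way, the unpatched sensor matches the normal request but not the evasive one, the patched sensor matches it and raises the event) and the separator bytes that slip past an unpatched sensor. evasion_bytes() goes beyond the single carriage return the thread names by trying every isspace() byte the server model accepts, which is the reason the patch's isspace() check is wider than its "carriage return" event name.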

