[Snort-users] HTTP preprocessor and POST data

Xavi Garcia xavi.garcia at ...11827...
Fri Mar 26 13:26:58 EDT 2010


Hi,

I am using the following rule to test a local file inclusion.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local
file inclusion POST"; flow:to_server,established;content:"POST"; nocase;
http_method; uricontent:"/index.php"; nocase; content:"include=.."; nocase;
classtype:web-application-attack;  sid:20000000; rev:1;)

that catches the following attack:

curl  -d
"include=../../../../../../../../../../../../../../../../../../../../../etc/passwd%00"
"http://192.168.178.29/index.php"

But fails when I encode the data in Hex.

curl  -d
"include=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd%00"
"http://192.168.178.29/index.php"

I have checked the Changelog and the POST data should be
normalized, but I cannot find how to match against this normalized data.

007-04-27 Steven Sturges <ssturges at ...1935...>

Update to normalize the body of a client request to
allow

rules to check specifically for parameters of a POST or GET request.
Also add stats that are part of the hourly stats that
track

various HTTP encodings and normalizations that have occurred.


Perhaps the preprocessor is misconfigured ...

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: \
    server default profile apache \
    client_flow_depth 1460 \
    ports { 80  }  \
    normalize_headers \
    normalize_cookies \
    post_depth 65495


Regards,

Xavier Garcia

2010/3/25 Xavi Garcia <xavi.garcia at ...11827...>

> Hi,
>
> Thank you for your fast answer.
>
> As far I understand, http_uri  works like uricontent.
> It is useful to fix the the resource being requested
> but then we have to match against the data. I have
> only been able to do so when I use "content"
> without modifiers.
>
> Regards,
>
> Xavier Garcia
>
> 2010/3/25 Crook, Parker <Parker_Crook at ...14786...>
>
>  Xavi,
>>
>>
>>
>> You can definitely use the (content:”POST”; http_method;) to alert only on
>> POST data; however for the data normalization, I’m having a brain-fart right
>> now… maybe somebody else knows, perhaps content:”<match_string>”; http_uri;
>> pcre:”<more specific criteria>”;
>>
>>
>>
>> -Parker
>>
>>
>>  ------------------------------
>>
>> *From:* Xavi Garcia [mailto:xavi.garcia at ...11827...]
>> *Sent:* Thursday, March 25, 2010 2:27 PM
>> *To:* snort-users at lists.sourceforge.net
>> *Subject:* [Snort-users] HTTP preprocessor and POST data
>>
>>
>>
>> Hi,
>>
>> I am learning how HTTP Inspect works and also trying
>> to write some rules that use normalized data. I think that
>> all is explained in the documentation and you have done
>> a great job, but I have a doubt regarding the POST data.
>>
>> I am sure that my question is too obvious, but I have tried
>> to find the right answer by myself without luck. :)
>>
>> I see that the newer versions of Snort permit to normalize
>> data from the URI, headers, cookies and the body, but there
>> is nothing about the POST data. I have tried to use the
>> different modifiers for  "content" without luck.
>>
>> I understand that POST data cannot be normalized, but
>> there is no mention in the documentation. Am I wrong?
>> In that case, which is the best practice when I want to
>> detect an attack that is using POST instead of GET?
>>
>> Thank you very much for your help :)
>>
>> Regards,
>>
>> Xavier Garcia
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100326/671d6431/attachment.html>


More information about the Snort-users mailing list