[Snort-users] HTTP preprocessor and POST data

Crook, Parker Parker_Crook at ...14786...
Fri Mar 26 13:50:55 EDT 2010


Xavi,



You might want to change the content:"include=.."; to either

content:"include=.."; http_uri;

OR

uricontent:"include=..";



As it is currently, you're not normalizing that string.



-Parker

  _____

From: Xavi Garcia [mailto:xavi.garcia at ...11827...]
Sent: Friday, March 26, 2010 1:27 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] HTTP preprocessor and POST data



Hi,

I am using the following rule to test a local file inclusion.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local file inclusion POST"; flow:to_server,established;content:"POST"; nocase; http_method; uricontent:"/index.php"; nocase; content:"include=.."; nocase;  classtype:web-application-attack;  sid:20000000; rev:1;)

that catches the following attack:

curl  -d "include=../../../../../../../../../../../../../../../../../../../../../etc/passwd%00" "http://192.168.178.29/index.php"

But fails when I encode the data in Hex.

curl  -d "include=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd%00" "http://192.168.178.29/index.php"

I have checked the Changelog and the POST data should be
normalized, but I cannot find how to match against this normalized data.

007-04-27 Steven Sturges <ssturges at ...1935...<mailto:ssturges at ...1935...>>
Update to normalize the body of a client request to allow
rules to check specifically for parameters of a POST or GET request.
Also add stats that are part of the hourly stats that track
various HTTP encodings and normalizations that have occurred.


Perhaps the preprocessor is misconfigured ...

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: \
    server default profile apache \
    client_flow_depth 1460 \
    ports { 80  }  \
    normalize_headers \
    normalize_cookies \
    post_depth 65495


Regards,

Xavier Garcia

2010/3/25 Xavi Garcia <xavi.garcia at ...11827...<mailto:xavi.garcia at ...14459.....>>

Hi,

Thank you for your fast answer.

As far I understand, http_uri  works like uricontent.
It is useful to fix the the resource being requested
but then we have to match against the data. I have
only been able to do so when I use "content"
without modifiers.

Regards,

Xavier Garcia

2010/3/25 Crook, Parker <Parker_Crook at ...14786...<mailto:Parker_Crook at ...14511...786...>>



Xavi,



You can definitely use the (content:"POST"; http_method;) to alert only on POST data; however for the data normalization, I'm having a brain-fart right now... maybe somebody else knows, perhaps content:"<match_string>"; http_uri; pcre:"<more specific criteria>";



-Parker




  _____


From: Xavi Garcia [mailto:xavi.garcia at ...11827...<mailto:xavi.garcia at ...14540...27...>]
Sent: Thursday, March 25, 2010 2:27 PM
To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: [Snort-users] HTTP preprocessor and POST data



Hi,

I am learning how HTTP Inspect works and also trying
to write some rules that use normalized data. I think that
all is explained in the documentation and you have done
a great job, but I have a doubt regarding the POST data.

I am sure that my question is too obvious, but I have tried
to find the right answer by myself without luck. :)

I see that the newer versions of Snort permit to normalize
data from the URI, headers, cookies and the body, but there
is nothing about the POST data. I have tried to use the
different modifiers for  "content" without luck.

I understand that POST data cannot be normalized, but
there is no mention in the documentation. Am I wrong?
In that case, which is the best practice when I want to
detect an attack that is using POST instead of GET?

Thank you very much for your help :)

Regards,

Xavier Garcia





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100326/762a96ef/attachment.html>


More information about the Snort-users mailing list