[Snort-users] HTTP preprocessor and POST data

Crook, Parker Parker_Crook at ...14786...
Fri Mar 26 16:07:43 EDT 2010


Xavi,



I have included the snort sigs group on this so they can weigh in, as I have to wrap up the day with project reports...



I did a snort capture of the traffic generated by the curl script you have (modified for my box) and the results are below:



+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



03/26-09:04:38.910626 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x189

192.168.1.200:42440 -> 192.168.1.200:80 TCP TTL:64 TOS:0x0 ID:64562 IpLen:20 DgmLen:379 DF

***AP*** Seq: 0x34BFD130  Ack: 0x3538CC8B  Win: 0x201  TcpLen: 32

TCP Options (3) => NOP NOP TS: 628501791 628501791

50 4F 53 54 20 2F 69 6E 64 65 78 2E 70 68 70 20            POST /index.php

48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41           HTTP/1.1..User-A

67 65 6E 74 3A 20 63 75 72 6C 2F 37 2E 31 38 2E          gent: curl/7.18.

32 20 28 69 34 38 36 2D 70 63 2D 6C 69 6E 75 78           2 (i486-pc-linux

2D 67 6E 75 29 20 6C 69 62 63 75 72 6C 2F 37 2E          -gnu) libcurl/7.

31 38 2E 32 20 4F 70 65 6E 53 53 4C 2F 30 2E 39           18.2 OpenSSL/0.9

2E 38 67 20 7A 6C 69 62 2F 31 2E 32 2E 33 2E 33          8g zlib/1.2.3.3

20 6C 69 62 69 64 6E 2F 31 2E 38 20 6C 69 62 73           libidn/1.8 libs

73 68 32 2F 30 2E 31 38 0D 0A 48 6F 73 74 3A 20           sh2/0.18..Host:

31 39 32 2E 31 36 38 2E 31 2E 32 30 30 0D 0A 41           192.168.1.200..A

63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E 74          ccept: */*..Cont

65 6E 74 2D 4C 65 6E 67 74 68 3A 20 38 34 0D 0A           ent-Length: 84..

43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70           Content-Type: ap

70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D           plication/x-www-

66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D          form-urlencoded.

0A 0D 0A 69 6E 63 6C 75 64 65 3D 2E 2E 2F 2E 2E        ...include=../..

2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F        /../../../../../

2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E      ../../../../../.

2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E      ./../../../../..

2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 65 74 63 2F 70 61         /../../../etc/pa

73 73 77 64 25 30 30                                                      sswd%00



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



-Parker

  _____

From: Xavi Garcia [mailto:xavi.garcia at ...11827...]
Sent: Friday, March 26, 2010 2:16 PM
To: Crook, Parker
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] HTTP preprocessor and POST data



Parker,

I have tried with  http_uri and uricontent but there is not alert.


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local file inclusion POST"; flow:to_server,established;content:"POST"; nocase; http_method; uricontent:"/index.php"; nocase; uricontent:"include"; nocase;  classtype:web-application-attack;  sid:20000001; rev:1;)

This are the statistics after executing snort:

HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                   2
    GET methods:                    0
    Headers extracted:              2
    Header Cookies extracted:       0
    Post parameters extracted:      2
    Unicode:                        0
    Double unicode:                 0
    Non-ASCII representable:        0
    Base 36:                        0
    Directory traversals:           26
    Extra slashes ("//"):           0
    Self-referencing paths ("./"):  26
    Total packets processed:        10

Is see " Post parameters extracted:      2".   Perhaps it is related.


Regards,

Xavier Garcia



2010/3/26 Crook, Parker <Parker_Crook at ...14786...<mailto:Parker_Crook at ...14511...786...>>

Xavi,

 You might want to change the content:"include=.."; to either

content:"include=.."; http_uri;

OR

uricontent:"include=..";

 As it is currently, you're not normalizing that string.

 -Parker

  _____

From: Xavi Garcia [mailto:xavi.garcia at ...11827...<mailto:xavi.garcia at ...14540...27...>]
Sent: Friday, March 26, 2010 1:27 PM


To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>

Subject: Re: [Snort-users] HTTP preprocessor and POST data



Hi,

I am using the following rule to test a local file inclusion.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local file inclusion POST"; flow:to_server,established;content:"POST"; nocase; http_method; uricontent:"/index.php"; nocase; content:"include=.."; nocase;  classtype:web-application-attack;  sid:20000000; rev:1;)

that catches the following attack:

curl  -d "include=../../../../../../../../../../../../../../../../../../../../../etc/passwd%00" "http://192.168.178.29/index.php"

But fails when I encode the data in Hex.

curl  -d "include=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd%00" "http://192.168.178.29/index.php"

I have checked the Changelog and the POST data should be
normalized, but I cannot find how to match against this normalized data.

007-04-27 Steven Sturges <ssturges at ...1935...<mailto:ssturges at ...1935...>>
Update to normalize the body of a client request to allow
rules to check specifically for parameters of a POST or GET request.
Also add stats that are part of the hourly stats that track
various HTTP encodings and normalizations that have occurred.


Perhaps the preprocessor is misconfigured ...

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: \
    server default profile apache \
    client_flow_depth 1460 \
    ports { 80  }  \
    normalize_headers \
    normalize_cookies \
    post_depth 65495


Regards,

Xavier Garcia

2010/3/25 Xavi Garcia <xavi.garcia at ...11827...<mailto:xavi.garcia at ...14459.....>>

Hi,

Thank you for your fast answer.

As far I understand, http_uri  works like uricontent.
It is useful to fix the the resource being requested
but then we have to match against the data. I have
only been able to do so when I use "content"
without modifiers.

Regards,

Xavier Garcia

2010/3/25 Crook, Parker <Parker_Crook at ...14786...<mailto:Parker_Crook at ...14511...786...>>



Xavi,



You can definitely use the (content:"POST"; http_method;) to alert only on POST data; however for the data normalization, I'm having a brain-fart right now... maybe somebody else knows, perhaps content:"<match_string>"; http_uri; pcre:"<more specific criteria>";



-Parker




  _____


From: Xavi Garcia [mailto:xavi.garcia at ...11827...<mailto:xavi.garcia at ...14540...27...>]
Sent: Thursday, March 25, 2010 2:27 PM
To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: [Snort-users] HTTP preprocessor and POST data



Hi,

I am learning how HTTP Inspect works and also trying
to write some rules that use normalized data. I think that
all is explained in the documentation and you have done
a great job, but I have a doubt regarding the POST data.

I am sure that my question is too obvious, but I have tried
to find the right answer by myself without luck. :)

I see that the newer versions of Snort permit to normalize
data from the URI, headers, cookies and the body, but there
is nothing about the POST data. I have tried to use the
different modifiers for  "content" without luck.

I understand that POST data cannot be normalized, but
there is no mention in the documentation. Am I wrong?
In that case, which is the best practice when I want to
detect an attack that is using POST instead of GET?

Thank you very much for your help :)

Regards,

Xavier Garcia







-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100326/140c7307/attachment.html>


More information about the Snort-users mailing list