[Snort-users] Snort: http_preprocessor issues on HTTP file uploads

Cees celzinga at ...11827...
Tue Apr 26 08:43:33 EDT 2011


Hello list,

I'm getting a lot of false positives on rules using the http_method keyword.
It looks like there is a bug in the http_preprocessor parsing HTTP file
uploads. These file uploads are often fragmented, and the http_preprocessor
appears to parse each fragment as a separate request.

Tested on Snort 2.8.6.1 and 2.9.0.4.

Can someone confirm the issue?

Attached is the PCAP of a sample file upload. The file is split over
multiple TCP packets. One of the packets starts with the string "smod",
another one with "s faucibus". I created two Snort rules, one checking for
"smod" as the http_method, and one checking for "faucibus" as the http_uri.
Both trigger on the upload:

------
POST /cgi-bin/run/~jkorpela/echo.cgi HTTP/1.1
Host: www.cs.tut.fi

[..]

Content-Disposition: form-data; name="datafile"; filename="a"
Content-Type: application/octet-stream

Lorem ipsum dolor sit amet [..] smod a sagittis vel, hendrerit ac velit.
[..] s faucibus [..]
------

snort.conf:
------
include classification.config
var HOME_NET [130.230.4.103/32]
var EXTERNAL_NET ![$HOME_NET]
portvar HTTP_PORTS [80]
output alert_fast: fast_alert
output unified2: filename snort.u2, limit 128

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"smod http_method"; flow:established,to_server; content:"smod"; http_method; classtype:bad-unknown; sid:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"faucibus http_uri"; flow:established,to_server; content:"faucibus"; http_uri; classtype:bad-unknown; sid:2;)

preprocessor stream5_global: track_tcp yes, \
    max_tcp 512000, \
    memcap 8388608, \
    track_udp no, \
    track_icmp no
preprocessor stream5_tcp: policy bsd, ports both 443 465 563 636 989 992 993 994 995 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306 8080

preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 } \
    no_alerts \
    oversize_dir_length 500 \
    server_flow_depth 0 \
    client_flow_depth 0

------

$ snort -r http_file_upload.pcap -c snort.conf -l log/ -k none -A console
Using PCAP_FRAMES = 32768
04/26-11:53:06.039129  [**] [1:1:0] smod http_method [**] [Classification:
Potentially Bad Traffic] [Priority: 3] {TCP} 10.0.3.156:45269 ->
130.230.4.103:80
04/26-11:53:06.081095  [**] [1:2:0] faucibus http_uri [**] [Classification:
Potentially Bad Traffic] [Priority: 3] {TCP} 10.0.3.156:45269 ->
130.230.4.103:80

-
Cees
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http_file_upload.pcap
Type: application/force-download
Size: 9479 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110426/51e8b4fc/attachment.bin>
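The behaviour the post describes can be reproduced without Snort by modelling the two parsing strategies side by side. The following is an added example, not Snort code and not the pcap from the post: it builds a constructed multipart POST shaped like the one quoted above, cuts it into three TCP-segment payloads so that one segment starts with "smod" and another with "s faucibus", and then parses the segments once individually (each segment treated as the start of a request, which is what the reported http_inspect behaviour amounts to) and once after stream reassembly. The lenient request-line split is a model of the observed behaviour, not a reimplementation of http_inspect; the filler text and boundary string are constructed.

```python
"""
Model of the false positive described in the post: a multipart POST split
across TCP segments, parsed once per segment (each segment treated as the
start of a request) and once after stream reassembly.

Added example, not Snort code and not the list post's PCAP. The payload is
constructed; the lenient request-line split below is a model of the observed
behaviour, not a reimplementation of http_inspect.
"""
import re

BOUNDARY = b"----ConstructedBoundary"

# Constructed upload body, shaped like the one quoted in the post. The filler
# text is arranged so that a segment boundary can fall inside the words
# "euismod" and "metus", giving segments that start with "smod" and
# "s faucibus" exactly as the report describes.
BODY = b"".join([
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="datafile"; filename="a"\r\n',
    b"Content-Type: application/octet-stream\r\n\r\n",
    b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. Eui",
    b"smod a sagittis vel, hendrerit ac velit. Pellentesque vitae metu",
    b"s faucibus nisl porttitor.\r\n",
    b"--", BOUNDARY, b"--\r\n",
])


def build_request() -> bytes:
    """Full HTTP request: header block plus the multipart body."""
    headers = b"".join([
        b"POST /cgi-bin/run/~jkorpela/echo.cgi HTTP/1.1\r\n",
        b"Host: www.cs.tut.fi\r\n",
        b"Content-Type: multipart/form-data; boundary=", BOUNDARY, b"\r\n",
        b"Content-Length: ", str(len(BODY)).encode(), b"\r\n\r\n",
    ])
    return headers + BODY


def build_segments() -> list:
    """Split the request into three TCP-segment payloads at the two points
    named in the post (one segment begins "smod", another "s faucibus")."""
    request = build_request()
    cut1 = request.index(b"smod a sagittis")
    cut2 = request.index(b"s faucibus")
    return [request[:cut1], request[cut1:cut2], request[cut2:]]


def parse_request_line(data: bytes):
    """Lenient request-line split: first token is the method, second the URI.
    Models a parser that assumes every buffer it is handed starts a request."""
    line = data.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    parts = line.split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def per_segment_requests(segments) -> list:
    """Reported behaviour: each segment parsed on its own."""
    parsed = (parse_request_line(seg) for seg in segments)
    return [p for p in parsed if p is not None]


def reassembled_requests(segments) -> list:
    """Expected behaviour: reassemble the byte stream, then walk requests by
    header block and Content-Length so body bytes are never read as a
    request line."""
    stream = b"".join(segments)
    requests, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        head = stream[pos:head_end]
        parsed = parse_request_line(head)
        if parsed is None:
            break
        requests.append(parsed)
        m = re.search(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$", head)
        body_len = int(m.group(1)) if m else 0
        pos = head_end + 4 + body_len
    return requests


def rule_hits(requests) -> dict:
    """Emulates the two rules from the post (content:"smod"; http_method and
    content:"faucibus"; http_uri) against the parsed request lines."""
    return {
        "smod http_method": any(b"smod" in method for method, _ in requests),
        "faucibus http_uri": any(b"faucibus" in uri for _, uri in requests),
    }


if __name__ == "__main__":
    segs = build_segments()
    print("per-segment:", per_segment_requests(segs), rule_hits(per_segment_requests(segs)))
    print("reassembled:", reassembled_requests(segs), rule_hits(reassembled_requests(segs)))
```

Run stand-alone, the per-segment view yields three "requests" (POST, "smod", "s") and both emulated rules fire, while the reassembled view yields the single POST and neither rule fires. The same split can be applied to any capture to check whether a given http_method or http_uri alert coincides with a segment boundary inside a request body, which is the signature of this class of false positive.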