[Snort-users] http_cookie containing the Set-Cookie/Cookie HTTP header element

Eoin Miller eoin.miller at ...14586...
Tue Aug 23 12:52:30 EDT 2011


I wrote a while back about how there was a difference in Snort 2.8.6.x
vs 2.9.x and the http_cookie buffer did not include the "Cookie:|20|"
or "Set-Cookie:|20|" strings in the buffer in the older version but
does now. Well, this new behavior is causing some issues for us with
signature writing.

The issue lies in being able to check if a cookie does not exist as
part of a check for a signature. So if we have something like this we
need to sig on:

HTTP /standardLookingURI.php HTTP/1.1
Host: driveby.co.au.com
Referrer: redirection.co.au.com

I could have written something like this to work in Snort 2.8.6.x:

alert tcp any any -> any any (msg:"Imposter URI with no cookie";
content:"/standardLookingURI.php"; http_uri; content:!"Cookie: ";
http_header; sid:1;)

But now since the string and the HTTP header element is in the
http_cookie buffer in 2.9.x, I can't do that. So I tried things like:

alert tcp any any -> any any (msg:"Imposter URI with no cookie";
content:"/standardLookingURI.php"; http_uri; content:!"Cookie: ";
http_cookie; sid:1;)

But the issue is that when there isn't an http_cookie buffer being
created, I can't see a way to test if it isn't there. And I can't test
for its absence in http_header as if http_cookie is present, then it
is no longer part of http_header. Outside of disabling the
enable_cookie option in the config for the http_inspect preprocessor,
is there some other way to achieve the desired outcome?

-- Eoin
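
The matching behaviour described in this message, as an added example that is not part of the original post and is not Snort code: a small Python model of the buffer split, run over two constructed requests. It assumes, following the post, that a negated content option cannot match when its buffer was never created; the function names and the 2.8.6.x handling of the header line are illustrative assumptions.

```python
# Toy model of the buffer split described in the post; this is not Snort code.
# Assumption (from the post): a content option pointed at a buffer that was
# never created cannot match, even when it is negated.

NO_COOKIE = ("GET /standardLookingURI.php HTTP/1.1\r\n"      # constructed sample
             "Host: driveby.co.au.com\r\n\r\n")
WITH_COOKIE = ("GET /standardLookingURI.php HTTP/1.1\r\n"    # constructed sample
               "Host: driveby.co.au.com\r\n"
               "Cookie: session=abc123\r\n\r\n")

def split_buffers(raw_request, version):
    """Split a request into the http_uri, http_header and http_cookie buffers."""
    lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    uri = lines[0].split(" ")[1]
    header_lines, cookie = [], None
    for line in lines[1:]:
        if not line.lower().startswith("cookie: "):
            header_lines.append(line)
        elif version == "2.8.6.x":
            # Older behaviour as modelled here (assumption): the header line
            # stays visible in http_header, http_cookie holds only the value.
            header_lines.append(line)
            cookie = line[len("Cookie: "):]
        else:
            # 2.9.x per the post: the whole line moves into http_cookie.
            cookie = line
    return {"http_uri": uri, "http_header": "\r\n".join(header_lines),
            "http_cookie": cookie}

def rule_fires(raw_request, version, negated_buffer):
    """Model the post's rule with the negated match on the named buffer."""
    buffers = split_buffers(raw_request, version)
    if "/standardLookingURI.php" not in buffers["http_uri"]:
        return False
    target = buffers[negated_buffer]
    if target is None:
        return False          # buffer absent: the negated option cannot match
    return "Cookie: " not in target

def truth_table():
    """Map (version, buffer) to (fires without cookie, fires with cookie)."""
    cases = [("2.8.6.x", "http_header"), ("2.9.x", "http_header"),
             ("2.9.x", "http_cookie")]
    return {c: (rule_fires(NO_COOKIE, *c), rule_fires(WITH_COOKIE, *c))
            for c in cases}

if __name__ == "__main__":
    for case, result in truth_table().items():
        print(case, result)
```

Under this model only the 2.8.6.x rule separates the two requests: the 2.9.x `http_header` variant fires on both, and the 2.9.x `http_cookie` variant fires on neither.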



