[Snort-users] http_cookie containing the Set-Cookie/Cookie HTTP header element

Joel Esler jesler at ...1935...
Tue Aug 23 13:25:09 EDT 2011


Fixed in 2.9.1. 

--
Joel Esler 
On the phone

On Aug 23, 2011, at 12:52, Eoin Miller <eoin.miller at ...14586...> wrote:

> I wrote a while back about how there was a difference in Snort 2.8.6.x
> vs 2.9.x and the http_cookie buffer did not include the "Cookie:|20|"
> or "Set-Cookie:|20|" strings in the buffer in the older version but
> does now. Well, this new behavior is causing some issues for us with
> signature writing.
> 
> The issue lies in being able to check if a cookie does not exist as
> part of a check for a signature. So if we have something like this we
> need to sig on:
> 
> HTTP /standardLookingURI.php HTTP/1.1
> Host: driveby.co.au.com
> Referrer: redirection.co.au.com
> 
> I could have written something like this to work in Snort 2.8.6.x:
> 
> alert tcp any any -> any any (msg:"Imposter URI with no cookie";
> content:"/standardLookingURI.php"; http_uri; content:!"Cookie: ";
> http_header; sid:1;)
> 
> But now since the string and the HTTP header element is in the
> http_cookie buffer in 2.9.x, I can't do that. So I tried things like:
> 
> alert tcp any any -> any any (msg:"Imposter URI with no cookie";
> content:"/standardLookingURI.php"; http_uri; content:!"Cookie: ";
> http_cookie; sid:1;)
> 
> But the issue is that when there isn't an http_cookie buffer being
> created, I can't see a way to test if it isn't there. And I can't test
> for its absence in http_header as if http_cookie is present, then it
> is no longer part of http_header. Outside of disabling the
> enable_cookie option in the config for the http_inspect preprocessor,
> is there some other way to achieve the desired outcome?
> 
> -- Eoin
> 

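The following is an added example and is not code from the thread or from Snort itself. It models the buffer split Eoin describes (the "Cookie: " line leaving http_header and landing in http_cookie, and no http_cookie buffer existing when the request has no cookie) and runs the two candidate rules from his mail over constructed requests, so the false positive of the http_header rule and the never-fires behaviour of the http_cookie rule can be seen side by side. The buffer names http_uri, http_header and http_cookie are Snort's rule keywords; how each version fills them, and the assumption that a content option pointing at a buffer that was never created cannot match, are inferred from the e-mail rather than taken from Snort source. The sample requests, the sessionid cookie and the Referer value are constructed for the example.

```python
# Added example, not from the thread or from Snort: a small model of the
# buffer split the poster describes, used to show why a negated content
# match cannot express "no Cookie header" once the header name moves.
# How each version fills the buffers is an ASSUMPTION inferred from the
# e-mail, not taken from Snort source.

# Constructed sample requests (CRLF line endings as on the wire).
NO_COOKIE = (
    "GET /standardLookingURI.php HTTP/1.1\r\n"
    "Host: driveby.co.au.com\r\n"
    "Referer: redirection.co.au.com\r\n\r\n"
)
WITH_COOKIE = (
    "GET /standardLookingURI.php HTTP/1.1\r\n"
    "Host: driveby.co.au.com\r\n"
    "Cookie: sessionid=abc123\r\n"
    "Referer: redirection.co.au.com\r\n\r\n"
)
OTHER_URI = "GET /index.php HTTP/1.1\r\nHost: driveby.co.au.com\r\n\r\n"


def split_request(raw, model):
    """Split a request into the three buffers a rule can point at.

    model "2.8.6": the Cookie: line stays in http_header and only the
    cookie value is copied into http_cookie (inferred: the poster says
    content:!"Cookie: "; http_header; worked there).
    model "2.9.0": the whole "Cookie: ..." line moves into http_cookie and
    is removed from http_header (the behaviour the poster complains about).
    In both models http_cookie does not exist when no Cookie header is sent.
    """
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    uri = request_line.split(" ")[1]
    kept, cookie = [], None
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            kept.append(line)
            continue
        if model == "2.8.6":
            kept.append(line)
            cookie = value.strip()
        else:
            cookie = line + "\r\n"
    buffers = {"http_uri": uri, "http_header": "\r\n".join(kept) + "\r\n"}
    if cookie is not None:
        buffers["http_cookie"] = cookie
    return buffers


def evaluate(rule, buffers):
    """Evaluate a rule given as [(pattern, negated, buffer_name), ...].

    Assumption taken from the poster's report: a content option, negated
    or not, that points at a buffer the preprocessor never created cannot
    match, so the rule fails instead of treating absence as a hit.
    """
    for pattern, negated, name in rule:
        if name not in buffers:
            return False
        if (pattern in buffers[name]) == negated:
            return False
    return True


# The two rules from the thread, reduced to their content options.
RULE_VIA_HEADER = [("/standardLookingURI.php", False, "http_uri"),
                   ("Cookie: ", True, "http_header")]
RULE_VIA_COOKIE = [("/standardLookingURI.php", False, "http_uri"),
                   ("Cookie: ", True, "http_cookie")]


def no_cookie_request(raw):
    """Direct check of the intended condition: target URI and no Cookie header."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    names = {l.partition(":")[0].strip().lower() for l in header_lines}
    return request_line.split(" ")[1] == "/standardLookingURI.php" and "cookie" not in names


def matrix():
    """Fire/no-fire for each rule, model and sample; True means the rule fires."""
    samples = {"no_cookie": NO_COOKIE, "with_cookie": WITH_COOKIE, "other_uri": OTHER_URI}
    rules = {"via_header": RULE_VIA_HEADER, "via_cookie": RULE_VIA_COOKIE}
    return {(model, rname, sname): evaluate(rule, split_request(raw, model))
            for model in ("2.8.6", "2.9.0")
            for rname, rule in rules.items()
            for sname, raw in samples.items()}


if __name__ == "__main__":
    for key, fired in sorted(matrix().items()):
        print(key, fired)
    print("intended condition:",
          {n: no_cookie_request(r) for n, r in [("no_cookie", NO_COOKIE), ("with_cookie", WITH_COOKIE)]})
```

Under the "2.8.6" model the http_header rule fires only on the cookie-less request; under the "2.9.0" model it also fires on the request that carries a cookie, because the "Cookie: " string is no longer in http_header, while the http_cookie rule never fires at all: with a cookie the buffer contains "Cookie: " and the negation fails, without one there is no buffer to test. no_cookie_request shows the condition the rule was meant to express, which needs a check for the header's absence rather than a negated content match on one buffer.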