Hi,<br><br>I am using the following rule to test a local file inclusion.<br><br>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local file inclusion POST"; flow:to_server,established;content:"POST"; nocase; http_method; uricontent:"/index.php"; nocase; content:"include=.."; nocase;  classtype:web-application-attack;  sid:20000000; rev:1;)<br>
<br>that catches the following attack:<br><br>curl  -d "include=../../../../../../../../../../../../../../../../../../../../../etc/passwd%00" "<a href="http://192.168.178.29/index.php">http://192.168.178.29/index.php</a>"<br>
<br>But it fails when I encode the data in hex.<br><br>curl  -d "include=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd%00" "<a href="http://192.168.178.29/index.php">http://192.168.178.29/index.php</a>"<br>
<br>I have checked the Changelog and the POST data should be<br>normalized, but I cannot find how to match against this normalized data.<br><br>2007-04-27 Steven Sturges <<a href="mailto:ssturges@...1935...">ssturges@...391...935...</a>><br>
Update to normalize the body of a client request to allow<br>
rules to check specifically for parameters of a POST or GET request.<br>
Also add stats that are part of the hourly stats that track<br>
various HTTP encodings and normalizations that have occurred.<br>
<br><br>Perhaps the preprocessor is misconfigured ...<br><br>preprocessor http_inspect: global \<br>    iis_unicode_map unicode.map 1252<br><br>preprocessor http_inspect_server: \<br>    server default profile apache \<br>
    client_flow_depth 1460 \<br>    ports { 80  }  \<br>    normalize_headers \<br>    normalize_cookies \<br>    post_depth 65495<br><br><br>Regards,<br><br>Xavier Garcia<br><br><div class="gmail_quote">2010/3/25 Xavi Garcia <span dir="ltr"><<a href="mailto:xavi.garcia@...11827...">xavi.garcia@...11827...</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi,<br><br>Thank you for your fast answer.<br><br>As far as I understand, http_uri works like uricontent.<br>
It is useful to fix the resource being requested,<br>but then we have to match against the data. I have<br>only been able to do so when I use "content"<br>
without modifiers.<br><br>Regards,<br><br>Xavier Garcia <br><br><div class="gmail_quote">2010/3/25 Crook, Parker <span dir="ltr"><<a href="mailto:Parker_Crook@...14786..." target="_blank">Parker_Crook@...14786...</a>></span><div>
<div></div><div class="h5"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><font face="Arial" size="2" color="navy"><span style="font-size: 10pt; font-family: Arial; color: navy;">Xavi,</span></font></p>
<p class="MsoNormal"><font face="Arial" size="2" color="navy"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<p class="MsoNormal"><font face="Arial" size="2" color="navy"><span style="font-size: 10pt; font-family: Arial; color: navy;">You can definitely use the (content:"POST"; http_method;) to alert only on POST data; however, for the data normalization, I’m having
 a brain-fart right now… maybe somebody else knows, perhaps content:"<match_string>"; http_uri; pcre:"<more specific criteria>";</span></font></p>
<p class="MsoNormal"><font face="Arial" size="2" color="navy"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<p class="MsoNormal"><font face="Arial" size="2" color="navy"><span style="font-size: 10pt; font-family: Arial; color: navy;">-Parker</span></font></p>
<p class="MsoNormal"><font face="Arial" size="2" color="navy"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<div>
<div class="MsoNormal" style="text-align: center;" align="center"><font face="Times New Roman" size="3"><span style="font-size: 12pt;">
<hr size="2" width="100%" align="center">
</span></font></div>
<p class="MsoNormal"><b><font face="Tahoma" size="2"><span style="font-size: 10pt; font-family: Tahoma; font-weight: bold;">From:</span></font></b><font face="Tahoma" size="2"><span style="font-size: 10pt; font-family: Tahoma;"> Xavi Garcia [mailto:<a href="mailto:xavi.garcia@...13610...7..." target="_blank">xavi.garcia@...11827...</a>]
<br>
<b><span style="font-weight: bold;">Sent:</span></b> Thursday, March 25, 2010 2:27 PM<br>
<b><span style="font-weight: bold;">To:</span></b> <a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@...2987...rge.net</a><br>
<b><span style="font-weight: bold;">Subject:</span></b> [Snort-users] HTTP preprocessor and POST data</span></font></p>
</div><div><div></div><div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span style="font-size: 12pt;"> </span></font></p>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span style="font-size: 12pt;">Hi,<br>
<br>
I am learning how HTTP Inspect works and also trying<br>
to write some rules that use normalized data. I think that<br>
all is explained in the documentation and you have done<br>
a great job, but I have a doubt regarding the POST data.  <br>
<br>
I am sure that my question is too obvious, but I have tried<br>
to find the right answer by myself without luck. :) <br>
<br>
I see that the newer versions of Snort allow normalizing<br>
data from the URI, headers, cookies and the body, but there<br>
is nothing about the POST data. I have tried to use the<br>
different modifiers for "content" without luck.<br>
<br>
I understand that POST data cannot be normalized, but<br>
there is no mention in the documentation. Am I wrong?<br>
In that case, which is the best practice when I want to<br>
detect an attack that is using POST instead of GET?<br>
<br>
Thank you very much for your help :)<br>
<br>
Regards,<br>
<br>
Xavier Garcia</span></font></p>
</div></div></div>
</div>

</blockquote></div></div></div><br>
</blockquote></div><br>
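<br>The two curl commands in the thread are a clean illustration of why a signature on the request body has to run against the decoded (normalized) body rather than the raw bytes: a plain content match on "include=.." sees the first payload and misses the second, although both reach the PHP application as the same string. The script below is an added example written for this page; it is not code from the thread, from Snort or from HttpInspect. It re-implements only the part of body normalization that matters here, percent-decoding bounded to a couple of rounds so that double-encoded sequences are also caught, plus the post_depth cut-off, and runs the posted rule's three checks (POST method, /index.php in the URI, "include=.." in the body) over three constructed bodies. The double-encoded body and the shortened traversal depth are constructed inputs, not something from the original messages.

```python
"""
Toy model of the evasion in the thread: a rule that matches "include=.."
against the raw POST body misses the same payload once '.' and '/' are
percent-encoded, and only a match against the decoded (normalized) body
catches both. Added example, not code from the thread, from Snort, or from
HttpInspect; it re-implements only the percent-decoding step of body
normalization and the post_depth cut-off. HttpInspect's real normalizer
does considerably more (IIS unicode map, directory traversal collapsing,
bare-byte decoding, ...).
"""
import re

# %XX with exactly two hex digits; malformed sequences are left untouched.
PERCENT_RE = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode_once(data: bytes) -> bytes:
    """Replace every well-formed %XX escape by the byte it encodes."""
    return PERCENT_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def normalize_body(body: bytes, post_depth: int = 65495, rounds: int = 2) -> bytes:
    """Model of the normalized client-body buffer.

    post_depth: only the first post_depth bytes are normalized (modelled on the
                http_inspect_server post_depth option; -1 means 'do not inspect').
    rounds:     decode again while the result still changes, bounded, so a
                double-encoded %252E also ends up as '.'.
    """
    if post_depth < 0:
        return b""
    out = body[:post_depth]
    for _ in range(rounds):
        decoded = percent_decode_once(out)
        if decoded == out:
            break
        out = decoded
    return out


def rule_matches(method: bytes, uri: bytes, body: bytes,
                 use_normalized_body: bool, post_depth: int = 65495) -> bool:
    """The posted rule, reduced to its three checks.

    http_method  -> method is POST (nocase)
    uricontent   -> "/index.php" in the URI (nocase)
    content      -> "include=.." in the body (nocase), either in the raw bytes
                    (what the thread's rule effectively does) or in the
                    normalized buffer (what a body-aware match should do).
    """
    if method.upper() != b"POST":
        return False
    if b"/index.php" not in uri.lower():
        return False
    haystack = normalize_body(body, post_depth) if use_normalized_body else body
    return b"include=.." in haystack.lower()


# Constructed request bodies, shortened from the two curl commands in the thread.
RAW_BODY = b"include=../../../etc/passwd%00"
HEX_BODY = b"include=%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd%00"
# Constructed double-encoded variant (assumed attacker tweak, not from the thread).
DOUBLE_BODY = b"include=%252E%252E%252Fetc/passwd"


def demo() -> dict:
    """Run both matching strategies over the constructed bodies."""
    results = {}
    for name, body in (("raw", RAW_BODY), ("hex", HEX_BODY), ("double", DOUBLE_BODY)):
        results[name] = {
            "raw_match": rule_matches(b"POST", b"/index.php", body, use_normalized_body=False),
            "normalized_match": rule_matches(b"POST", b"/index.php", body, use_normalized_body=True),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:7s} raw_match={r['raw_match']!s:5s} normalized_match={r['normalized_match']}")
```

The raw match fires only on the first body; the normalized match fires on all three, including the double-encoded one, and stops firing as soon as post_depth is smaller than the offset of the parameter, so the body buffer depth is as much part of the detection as the pattern. In Snort 2.8.x and later the content modifier that selects the request body buffer HttpInspect has buffered and normalized is http_client_body (for the posted rule: content:"include=.."; nocase; http_client_body;), and it only sees as many body bytes as post_depth allows; a body rule should therefore be exercised against the percent-encoded, double-encoded and %00-terminated variants the way this script does before it is trusted.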