| Main Archive Page > Month Archives > snort-users archives |
Re: [Snort-users] HTTP preprocessor and POST data
From: Xavi Garcia <xavi.garcia_at_nospam>Date: Fri Mar 26 2010 - 18:15:49 GMT
To: "Crook, Parker" <Parker_Crook@reyrey.com>
Parker,
I have tried with http_uri and uricontent but there is not alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local
file inclusion POST"; flow:to_server,established;content:"POST"; nocase;
http_method; uricontent:"/index.php"; nocase; uricontent:"include"; nocase;
classtype:web-application-attack; sid:20000001; rev:1;)
This are the statistics after executing snort:
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 2
GET methods: 0
Headers extracted: 2
Header Cookies extracted: 0
Post parameters extracted: 2
Unicode: 0
Double unicode: 0
Non-ASCII representable: 0
Base 36: 0
Directory traversals: 26
Extra slashes ("//"): 0
Self-referencing paths ("./"): 26
Total packets processed: 10
Is see " Post parameters extracted: 2". Perhaps it is related.
Regards,
Xavier Garcia
2010/3/26 Crook, Parker <Parker_Crook@reyrey.com>
> Xavi,
>
>
>
> You might want to change the content:”include=..”; to either
>
> content:”include=..”; http_uri;
>
> OR
>
> uricontent:”include=..”;
>
>
>
> As it is currently, you’re not normalizing that string.
>
>
>
> -Parker
> ------------------------------
>
> *From:* Xavi Garcia [mailto:xavi.garcia@gmail.com]
> *Sent:* Friday, March 26, 2010 1:27 PM
>
> *To:* snort-users@lists.sourceforge.net
> *Subject:* Re: [Snort-users] HTTP preprocessor and POST data
>
>
>
> Hi,
>
> I am using the following rule to test a local file inclusion.
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST - local
> file inclusion POST"; flow:to_server,established;content:"POST"; nocase;
> http_method; uricontent:"/index.php"; nocase; content:"include=.."; nocase;
> classtype:web-application-attack; sid:20000000; rev:1;)
>
> that catches the following attack:
>
> curl -d
> "include=../../../../../../../../../../../../../../../../../../../../../etc/passwd%00"
> "http://192.168.178.29/index.php"
>
> But fails when I encode the data in Hex.
>
> curl -d
> "include=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd%00"
> "http://192.168.178.29/index.php"
>
> I have checked the Changelog and the POST data should be
> normalized, but I cannot find how to match against this normalized data.
>
> 007-04-27 Steven Sturges <ssturges@sourcefire.com>
>
> Update to normalize the body of a client request to
> allow
>
> rules to check specifically for parameters of a POST or GET request.
> Also add stats that are part of the hourly stats that
> track
>
> various HTTP encodings and normalizations that have occurred.
>
>
> Perhaps the preprocessor is misconfigured ...
>
> preprocessor http_inspect: global \
> iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: \
> server default profile apache \
> client_flow_depth 1460 \
> ports { 80 } \
> normalize_headers \
> normalize_cookies \
> post_depth 65495
>
>
> Regards,
>
> Xavier Garcia
>
> 2010/3/25 Xavi Garcia <xavi.garcia@gmail.com>
>
> Hi,
>
> Thank you for your fast answer.
>
> As far I understand, http_uri works like uricontent.
> It is useful to fix the the resource being requested
> but then we have to match against the data. I have
> only been able to do so when I use "content"
> without modifiers.
>
> Regards,
>
> Xavier Garcia
>
> 2010/3/25 Crook, Parker <Parker_Crook@reyrey.com>
>
>
>
> Xavi,
>
>
>
> You can definitely use the (content:”POST”; http_method;) to alert only on
> POST data; however for the data normalization, I’m having a brain-fart right
> now… maybe somebody else knows, perhaps content:”<match_string>”; http_uri;
> pcre:”<more specific criteria>”;
>
>
>
> -Parker
>
>
> ------------------------------
>
> *From:* Xavi Garcia [mailto:xavi.garcia@gmail.com]
> *Sent:* Thursday, March 25, 2010 2:27 PM
> *To:* snort-users@lists.sourceforge.net
> *Subject:* [Snort-users] HTTP preprocessor and POST data
>
>
>
> Hi,
>
> I am learning how HTTP Inspect works and also trying
> to write some rules that use normalized data. I think that
> all is explained in the documentation and you have done
> a great job, but I have a doubt regarding the POST data.
>
> I am sure that my question is too obvious, but I have tried
> to find the right answer by myself without luck. :)
>
> I see that the newer versions of Snort permit to normalize
> data from the URI, headers, cookies and the body, but there
> is nothing about the POST data. I have tried to use the
> different modifiers for "content" without luck.
>
> I understand that POST data cannot be normalized, but
> there is no mention in the documentation. Am I wrong?
> In that case, which is the best practice when I want to
> detect an attack that is using POST instead of GET?
>
> Thank you very much for your help :)
>
> Regards,
>
> Xavier Garcia
>
>
>
>
>
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users