Home page logo

snort logo Snort mailing list archives

Re: Snort Now Available
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Mon, 08 Nov 2010 16:57:18 +0000

On 11/8/2010 4:45 PM, L0rd Ch0de1m0rt wrote:

I am still experiencing HTTP stream reassembly issues when trying to
match across multiple fragmented packets with snort

Specifically, this happens on a HTTP POST where the headers are in a
different packet than the POST data. Consider the following rule you
can use along with scapy to reproduce if you want:

alert tcp any any ->  $HOME_NET $HTTP_PORTS (msg:"Incoming German POST
to Batman"; flow:established,to_server; content:"POST"; http_method;
uricontent:"/batcave/"; uricontent:"unicorns4sourcefire"; content:"|0d
0a|Accept-Language: de"; nocase; http_header; content:!"|0d 0a 0d
0a|not4batman=true&"; content:!"\; batsecret=sesstoken4robin";
http_cookie; classtype:trojan-activity; sid:8008135; rev:17;)

It alerts (b/c all the URI and HTTP header stuffs match in the initial
packet) but it shouldn't alert b/c the HTTP POST data starts with
'not4batman=true&' (but the POST data is in a subsequent packet than
the one containing the headers).

Anyone else still having issues or have done more in-depth testing
with and the HTTP pre-processor?

-L0rd C.

It was reported a while back by myself directly to SourceFire in late 
August. I provided some PCAP's a few times and I am pretty sure they are 
aware of the issue and are working to resolve it. They have fixed tons 
of other stuff that really helps everyone out and I'm sure a fix for 
this will surface into the publicly released source eventually. It 
appears that the buffers created by the http_inspect preprocessor only 
work at frame level instead of at the stream level. I finally put up a 
blog post about it in late September here:


This is especially bad if you are using rules to block access to certain 
domain names in the http_header buffer when the http_uri is very long 
and the client is using MSIE as that puts the Host header entry at the 
bottom of the http_header. Requests like this are very likely to exceed 
the standard size MTU and get split across multiple frames. There should 
be some chatter on the Snort lists from myself and some of the 
dev/support guys recently as well.

-- Eoin

The Next 800 Companies to Lead America's Growth: New Video Whitepaper
David G. Thomson, author of the best-selling book "Blueprint to a 
Billion" shares his insights and actions to help propel your 
business during the next growth cycle. Listen Now!
Snort-devel mailing list
Snort-devel () lists sourceforge net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]