Home page logo

snort logo Snort mailing list archives

Re: IPS packet reject handling doesn't work as expected
From: Jamie Riden <jamie.riden () gmail com>
Date: Sat, 26 Jan 2013 22:54:07 +0000

As an aside, I think this (and similar sigs) should be extended to
cover the data: URI case, e.g.

I've tested data: URIs as file include targets and they seem to work
ok if you have the appropriate allow_url_ setting.

cf: http://www.idontplaydarts.com/2011/03/php-remote-file-inclusion-command-shell-using-data-stream/


On 25 January 2013 18:00, Lukas Matt <lukas.matt () sophos com> wrote:
Hello @all,

I have following setup:

DNAT rule to make an internal webserver reachable by using the external IP

command from client to server:
curl -v -s 'http://[hostname]/rss.php?pathToFiles=https&apos;

triggered rule:
2931/finished_pullpork_rules/plain.rules:alert tcp $EXTERNAL_NET any ->
$HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP miniBB rss.php pathToFiles remote
file include attempt"; flow:to_server,established; content:"rss.php";
nocase; http_uri; content:"pathToFiles="; nocase; http_uri;
pcre:"/pathToFiles=(ftp|https?)/Ui"; metadata:policy security-ips drop,
service http; reference:url,osvdb.org/show/osvdb/51460;
classtype:web-application-attack; sid:18479; rev:7;)

So from my view the incoming GET request from my IP should be rejected (or
maybe dropped).
But in the tcpdump I can see that this GET request routed to the internal

It worked fine after I removed the perl regex from the rule and the
content-modifier http_uri.

What exactly  could be wrong with the regex/modifier?

Lukas Matt

Jamie Riden / jamie () honeynet org / jamie.riden () gmail com

Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]