Snort mailing list archives
uricontent option in 1.9 vs 1.8.6
From: David Gordon <dgordon () mmwec org>
Date: Tue, 25 Feb 2003 13:22:12 -0500
Can someone please explain to me why the rule for sid 1242 acts differently in snort 1.8.6 vs. snort 1.9?
The following rule was used in snort 1.8.6:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; rev:2;)
This is the corresponding rule in snort 1.9:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flow:to_server,established; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; reference:bugtraq,1065; sid:1242; rev:6;)
The following packet generates an alert when running Snort 1.8.6, but not Snort 1.9:
02/16-02:18:38.582833 217.234.56.78:3306 -> 123.456.78.90:80
TCP TTL:112 TOS:0x0 ID:43759 IpLen:20 DgmLen:1492 DF
***AP*** Seq: 0xAEAD8723 Ack: 0xB2DB3D32 Win: 0x4410 TcpLen: 20
/default.ida?N
If the 1.9 rule is modified as follows (changing uricontent to content and removing the "flow" option) it generates an alert in snort 1.9.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; content:".ida"; nocase; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; reference:bugtraq,1065; sid:1242; rev:6;)
I know that http_decode must be running for the uricontent option to work. I
believe that the following portion of output when I run snort 1.9 indicates
that http_decode is running:
http_decode arguments:
Unicode decoding
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80
Any help would be much appreciated. I'm worried that since I upgraded to
Snort 1.9 this is affecting how other rules are processed as well.
Perhaps what I need to understand is what the URI portion of a request is
and how Snort finds it, so any direction you can give me there would be
appreciated as well.
Thanks.
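To illustrate the difference the post is asking about, here is an added example (not code from the post and not Snort's own implementation) that contrasts a uricontent-style match, which only searches a URI extracted from a well-formed request line, with a content-style match over the whole payload. The request-line extractor is a simplified stand-in for an http_decode-style normalizer (an assumption, not Snort's code); the three payloads, including the bare "/default.ida?N" from the packet dump above, are constructed samples.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample payloads (not real captures):
#  1) a complete request line, 2) the bare path shown in the post's packet dump,
#  3) a percent-encoded variant that only matches after URI decoding.
SAMPLES = {
    "full_request": b"GET /default.ida?NNNN HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "bare_path": b"/default.ida?N",
    "encoded": b"GET /default%2EIDA?N HTTP/1.1\r\n\r\n",
}

# METHOD SP URI SP HTTP/x.y at the very start of the payload.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?\n")


def extract_uri(payload: bytes) -> Optional[bytes]:
    """Return a normalized URI if the payload begins with an HTTP request line.

    Assumption: like an http_decode-style normalizer, the URI is only found
    when a full request line is present; it is percent-decoded and
    backslashes are flipped to slashes. A bare path yields no URI at all.
    """
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    uri = unquote(m.group(2).decode("latin-1")).replace("\\", "/")
    return uri.encode("latin-1")


def uricontent_match(payload: bytes, needle: bytes, nocase: bool = True) -> bool:
    """uricontent-style check: only the extracted URI is searched."""
    uri = extract_uri(payload)
    if uri is None:
        return False
    return needle.lower() in uri.lower() if nocase else needle in uri


def content_match(payload: bytes, needle: bytes, nocase: bool = True) -> bool:
    """content-style check: the raw payload is searched, no URI required."""
    return needle.lower() in payload.lower() if nocase else needle in payload


def compare(payload: bytes, needle: bytes = b".ida") -> dict:
    """Report what each option would decide for one payload."""
    return {"uricontent": uricontent_match(payload, needle),
            "content": content_match(payload, needle)}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, compare(payload))
```

The bare-path sample matches under content but not under uricontent, while the percent-encoded sample matches only after URI decoding; that is the kind of divergence worth checking for when a rule stops firing after moving from content to uricontent.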