Snort mailing list archives
Re: Looking for HTTP POST's over 1mb in size
From: David.R.Wharton () regions com
Date: Thu, 8 Apr 2010 11:51:35 -0500
1 MB == 10489576 bytes so try this:
/^Content-Length:\s*[1-9]([0-9]{5}[7-9]|[0-9]{7,})/i
-David
From: "JOSH RIVEL, BLOOMBERG/ 731 LEXIN" <jrivel () bloomberg net>
To: SNORT-SIGS () LISTS SOURCEFORGE NET
Date: 04/08/2010 11:39 AM
Subject: [Snort-sigs] Looking for HTTP POST's over 1mb in size
So I wrote a signature to detect HTTP POSTs over 1mb in size, but I think
that my pcre logic is flawed. Can someone take a look and let me know if
this is OK? (It does work, but will trigger on file sizes < 1mb based on
the Content-Length: header)
(We have some stuff in there to ignore posts to certain sites due to too
many false positives)
The rule is:
alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server;
priority:1; content:"POST"; nocase; http_method; content:!"Shockwave";
nocase; http_header; content:!"x-flash-version"; nocase; content:!"Host\:
live.com"; nocase; http_header; content:!"Host\: mail.google.com"; nocase;
http_header; content:!"Host\: mail.yahoo.com"; nocase; content:!"Host\:
webmail.aol.com"; nocase; http_header; content:!"Host\: webmail.juno.com";
nocase; http_header; content:!"Host\: webmailb.juno.com"; nocase;
http_header; content:"multipart/"; nocase; content:"Content-Length\:";
nocase; http_header;
pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix";
pcre:!"/^Host:\s.*[\.live.com]$/smi"; msg:"http-post-pcre-jr";
classtype:policy-violation; sid:1000060; gid:1; rev:4; )
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
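The two PCREs in this thread can be checked offline against constructed Content-Length values. The block below is an added example, not code from the thread or from Snort: it runs Josh's and David's patterns, plus an added digit-by-digit pattern for "at least 1048576 bytes", over constructed POST header blocks, with Python's re module standing in for Snort's PCRE engine (an assumption that holds for these particular patterns).

```python
import re

# The two PCREs exactly as posted in this thread.
JOSH_PCRE = re.compile(r"^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])", re.I | re.M)
DAVID_PCRE = re.compile(r"^Content-Length:\s*[1-9]([0-9]{5}[7-9]|[0-9]{7,})", re.I | re.M)

# Added pattern (not from the thread): a regex cannot compare numbers, so the
# threshold 1048576 (1 MiB) is spelled out digit by digit. Each alternative pins
# one prefix and lets the remaining digits range freely; together they cover every
# integer >= 1048576. The trailing \s*$ stops a short prefix matching a longer value.
OVER_1MIB = re.compile(
    r"^Content-Length:\s*(?:"
    r"104857[6-9]|10485[89][0-9]|1048[6-9][0-9]{2}|1049[0-9]{3}|"   # 1048576-1049999
    r"10[5-9][0-9]{4}|1[1-9][0-9]{5}|[2-9][0-9]{6}|"                # 1050000-9999999
    r"[1-9][0-9]{7,}"                                                # 8 or more digits
    r")\s*$",
    re.I | re.M,
)


def fires(pattern, header_block):
    """True if the pattern would trigger on this raw HTTP header block."""
    return pattern.search(header_block) is not None


def content_length(header_block):
    """Numeric ground truth: parse the Content-Length header, or None if absent."""
    m = re.search(r"^Content-Length:\s*(\d+)\s*$", header_block, re.I | re.M)
    return int(m.group(1)) if m else None


def check_patterns(lengths):
    """Build a constructed POST header per length and report
    (length, josh_fires, david_fires, added_fires, truly_at_least_1mib)."""
    rows = []
    for n in lengths:
        # Constructed sample request; example.test is a placeholder host.
        hdr = f"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: {n}\r\n\r\n"
        rows.append((n, fires(JOSH_PCRE, hdr), fires(DAVID_PCRE, hdr),
                     fires(OVER_1MIB, hdr), content_length(hdr) >= 1 << 20))
    return rows


if __name__ == "__main__":
    print("length      josh   david  added  truth")
    for row in check_patterns([101, 999999, 1000007, 1048575, 1048576, 1048577, 1500000, 10000000]):
        print("{:<10} {!s:<6} {!s:<6} {!s:<6} {!s}".format(*row))
```

Values just either side of the boundary (1048575, 1048576, 1048577) are the ones that expose a wrong digit range; a pattern is only trustworthy when its column agrees with the truth column on all of them.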
Current thread:
- Looking for HTTP POST's over 1mb in size JOSH RIVEL, BLOOMBERG/ 731 LEXIN (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size evilghost () packetmail net (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size Rodrigo Montoro(Sp0oKeR) (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size David . R . Wharton (Apr 08)
