Snort mailing list archives
Re: Looking for HTTP POST's over 1mb in size
From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Thu, 8 Apr 2010 22:16:37 -0500
Well, according to the manual at least, we (someone) pointed it out as a bug in the manual. I can't remember the thread.

-evilghost

Matt Olney wrote:
> Nope:
>
> Alerts:
> 1:33335:0 Content with colon Alerts: 2
> 1:33336:0 Content with |3A| Alerts: 2
>
> 2010/4/8 evilghost () packetmail net <evilghost () packetmail net>
>
> > Colon doesn't need to be escaped in a PCRE, even in a Snort PCRE. It does in a content match. :)
> >
> > -evilghost
> >
> > Matt Olney wrote:
> > > Actually (don't ask me why)...they both work:
> > >
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon"; pcre:"/User-Agent:/H"; classtype: attempted-admin; sid: 33333;)
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon escaped"; pcre:"/User-Agent\:/H"; classtype: attempted-admin; sid: 33334;)
> > >
> > > Alerts:
> > > 1:33333:0 PCRE with colon Alerts: 2
> > > 1:33334:0 PCRE with colon escaped Alerts: 2
> > >
> > > [HTTP_HEADER BUFFER DATA (0x8ac90a0)]:
> > > 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 42 4e 65  User-Agent: CBNe
> > > 74 44 61 74 61 53 65 74 0d 0a 48 6f 73 74 3a 20  tDataSet..Host:
> > > 73 65 67 6d 65 6e 74 2e 70 77 30 38 2e 69 63 69  segment.pw08.ici
> > > 62 61 2e 63 6f 6d 0d 0a 43 61 63 68 65 2d 43 6f  ba.com..Cache-Co
> > > 6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 32  ntrol: max-age=2
> > > 35 39 32 30 30 0d 0a 56 69 61 3a 20 31 2e 30 20  59200..Via: 1.0
> > > 50 52 4f 58 59 0d 0a 43 6f 6e 6e 65 63 74 69 6f  PROXY..Connectio
> > > 6e 3a 20 63 6c 6f 73 65 0d 0a 0d                 n: close...
> > >
> > > Matt
> > > (Who has been stupid busy, but is still listening)
> > >
> > > 2010/4/8 L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
> > >
> > > > I disagree. Unless snort is not PCRE compatible (which it seems they should be based on the acronym), you don't have to escape the colon in this context for a pcre check.
> > > >
> > > > Cheers,
> > > >
> > > > -L0rd Ch0de1m0rt
> > > >
> > > > On Thu, Apr 8, 2010 at 7:46 PM, 김무성 <kimms () infosec co kr> wrote:
> > > >
> > > > > Missed escape : \
> > > > >
> > > > > You have to write this
> > > > >
> > > > > pcre:"/^Content-Length\:\s*[0-9]{7,}$/i";
> > > > > or
> > > > > pcre:"/^Content-Length\x3a\s*[0-9]{7,}$/i";
> > > > >
> > > > > -----Original Message-----
> > > > > From: evilghost () packetmail net [mailto:evilghost () packetmail net]
> > > > > Sent: Friday, April 09, 2010 2:01 AM
> > > > > To: JOSH RIVEL, BLOOMBERG/ 731 LEXIN
> > > > > Cc: SNORT-SIGS () LISTS SOURCEFORGE NET
> > > > > Subject: Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size
> > > > >
> > > > > Glad to help Josh, also drop the '/s', I meant to write the PCRE as:
> > > > >
> > > > > pcre:"/^Content-Length:\s*[0-9]{7,}$/i";
> > > > >
> > > > > -evilghost
> > > > >
> > > > > JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
> > > > > > evilghost-
> > > > > > Yeah my PCRE skills are pretty weak. I'll try your change and let you know how it works out (I also change the source from "any" to $HOME_NET as well)
> > > > > > Thanks!!
> > > > > > Josh
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: Evilghost () Packetmail Net <evilghost () packetmail net>
> > > > > > To: JOSH RIVEL (BLOOMBERG/ 731 LEXIN)
> > > > > > Cc: SNORT-SIGS () LISTS SOURCEFORGE NET
> > > > > > At: 4/08 12:49:17
> > > > > >
> > > > > > Hey Josh, isn't the root issue here 10[1-9] in the PCRE OR match since it'll match on 101, 102, 103, etc?
> > > > > >
> > > > > > What about:
> > > > > >
> > > > > > pcre:"/^Content-Length:\s*[0-9]{7,}$/si";
> > > > > >
> > > > > > It'll still match against 1,000,000 bytes which is close enough to 1Mb for me. Also, not sure why you need the other PCRE flags.
> > > > > >
> > > > > > -evilghost
> > > > > >
> > > > > > JOSH RIVEL, BLOOMBERG/ 731 LEXIN wrote:
> > > > > >
> > > > > > > So I wrote a signature to detect HTTP POST's over 1mb in size, but I think that my pcre logic is flawed. Can someone take a look and let me know if this is OK? (It does work, but will trigger on file sizes < 1mb based on the Content-Length: header)
> > > > > > > (We have some stuff in there to ignore posts to certain sites due to too many false positives)
> > > > > > >
> > > > > > > The rule is:
> > > > > > >
> > > > > > > alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:!"Host\: live.com"; nocase; http_header; content:!"Host\: mail.google.com"; nocase; http_header; content:!"Host\: mail.yahoo.com"; nocase; content:!"Host\: webmail.aol.com"; nocase; http_header; content:!"Host\: webmail.juno.com"; nocase; http_header; content:!"Host\: webmailb.juno.com"; nocase; http_header; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; pcre:!"/^Host:\s.*[\.live.com]$/smi"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:4; )

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
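Added example (not from the thread or from Snort): it runs the Content-Length patterns discussed above against constructed, CRLF-terminated request headers, using Python's re module as a stand-in for Snort's PCRE, on the assumption that the two engines agree on the constructs involved (^, $, \s, {7,}, the /i and /m flags). It shows why the 10[1-9] branch fires on a 101-byte body, that the escaped and unescaped colon are equivalent, and, going one step beyond the thread, that a trailing $ does not match a header line ending in \r\n unless the \r is accounted for.

```python
import re

# Constructed HTTP request headers (not from the thread), CRLF-terminated as on the wire.
def request(content_length: int) -> str:
    return (
        "POST /upload HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Content-Type: multipart/form-data; boundary=x\r\n"
        f"Content-Length: {content_length}\r\n"
        "\r\n"
    )

# Josh's original alternation (his /s and /x flags change nothing for this pattern);
# the 10[1-9] branch evilghost pointed at matches 101..109 as well as 7+ digit lengths.
ORIGINAL = re.compile(r"^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])", re.M | re.I)
# evilghost's replacement: seven or more digits, i.e. at least 1,000,000 bytes.
FIXED = re.compile(r"^Content-Length:\s*[0-9]{7,}", re.M | re.I)
# Same with the colon escaped as 김무성 suggested; in a regex '\:' and ':' are identical.
FIXED_ESCAPED = re.compile(r"^Content-Length\:\s*[0-9]{7,}", re.M | re.I)
# Anchoring the digits with '$': it matches before '\n', not before the '\r' that
# precedes it in a real header line, so the CRLF has to be allowed for explicitly.
FIXED_DOLLAR = re.compile(r"^Content-Length:\s*[0-9]{7,}$", re.M | re.I)
FIXED_CRLF = re.compile(r"^Content-Length:\s*[0-9]{7,}\r?$", re.M | re.I)

def fires(pattern: re.Pattern, headers: str) -> bool:
    return pattern.search(headers) is not None

def alert_table(sizes):
    """Map each Content-Length value to which of the patterns alert on it."""
    return {
        n: {
            "original": fires(ORIGINAL, request(n)),
            "fixed": fires(FIXED, request(n)),
            "fixed_escaped": fires(FIXED_ESCAPED, request(n)),
            "fixed_dollar": fires(FIXED_DOLLAR, request(n)),
            "fixed_crlf": fires(FIXED_CRLF, request(n)),
        }
        for n in sizes
    }

if __name__ == "__main__":
    for n, result in alert_table([101, 1000, 999999, 1000000, 1048576]).items():
        print(n, result)
```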
Current thread:
- Re: [Snort-sigs] Looking for HTTP POST's over 1mb in size JOSH RIVEL, BLOOMBERG/ 731 LEXIN (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size evilghost () packetmail net (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size 김무성 (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size L0rd Ch0de1m0rt (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size Matt Olney (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size evilghost () packetmail net (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size Alex Kirk (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size Matt Olney (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size evilghost () packetmail net (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size 김무성 (Apr 08)
- Re: Looking for HTTP POST's over 1mb in size L0rd Ch0de1m0rt (Apr 09)
- Re: Looking for HTTP POST's over 1mb in size evilghost () packetmail net (Apr 08)
