Re: HTTP Signature not triggering

[Will Metcalf <william.metcalf () gmail com>]

hmmm that pcre doesn't look quite right... Does the sig fire if you
remove it?  If it does Maybe try something like the following...

pcre:"/^Content-Length\x3a\s*[0-9]{7,}\r$/Hmi"

Regards,

Will

On Wed, Apr 14, 2010 at 4:20 PM, JOSH RIVEL, BLOOMBERG/ 731 LEXIN
<jrivel () bloomberg net> wrote:
> Hello, so I have the following signature looking for HTTP posts of size > 1mb to any machines $EXTERNAL_NET, but 
> despite my best efforts I can't get it to trigger.
> alert tcp $HOME_NET !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; 
> http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; 
> nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*[0-9]{7,}$/i"; msg:"HTTP POST over 
> 1mb - pcre only"; classtype:policy-violation; sid:1872316; gid:1; rev:1; )
>
> I uploaded a 2mb file to a website and the signature did not trigger.  Here are the snippets from tcpdump output on 
> the sensor of the file being uploaded.
>
> POST /test/upload.php HTTP/1.1
> Host: xx
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Referer: http://xx/xx
> Content-Type: multipart/form-data; boundary=---------------------------1588529377280840353328422082
> Content-Length: 2097381
> Connection: Keep-Alive
> -----------------------------1588529377280840353328422082
> Content-Disposition: form-data; name="uploaded"; filename="2mb"
> Content-Type: application/octet-stream
>
> That signature does not trigger, however this one does (which has bad PCRE in it to detect file sizes of > 1mb)  I 
> also tried using stream_size:client,>=,1048576 in the signature with no luck.
> (So here's the bad signature but it does trigger)
> alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; 
> content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:"multipart/"; nocase; 
> content:"Content-Length\:"; nocase; http_header; pcre:"/^Content- Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; 
> msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:15; )
>
> Any thoughts? I'm wracking my brains trying to sort this one out...
> Thanks, Josh
> ------------------------------------------------------------------------------
> Download Intel&#174; Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs