Snort mailing list archives
Re: [Emerging-Sigs] issues with 2011033 - ET SCAN HTTP HEAD invalid method case
From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Mon, 31 Jan 2011 16:44:35 -0500
I have not seen or heard of this issue, that's generally a pretty solid sig. How about trying the non http_* version? Just depth 5 instead of http_*

Matt

On Jan 31, 2011, at 4:37 PM, L0rd Ch0de1m0rt wrote:
Hello snorters. I am seeing alerts from this rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN
HTTP HEAD invalid method case"; flow:established,to_server;
content:"head"; http_method; nocase; content:!"HEAD"; http_method;
classtype:bad-unknown;
reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
reference:url,doc.emergingthreats.net/2011033;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Invalid_Method;
sid:2011033; rev:7;)
But I go back and look at the logged packet by snort and only see this:
-----
08:53:54.207874 IP s.r.f.r.46691 > s.u.x.s.80: R
2457731972:2457733232(1260) ack 1077321784 win 32768
E...c........QQS...^M...P.~..@6.8P...lq.. 0px 5px 5px; border-right:
2px dotted #cbcbcb; color: #558800;}
#globalMiscContent {float: left; margin-top: 3px}
#globalSearch {float: left; width:225px; height: 35px; margin: 5px 0px
5px 10px; color: #558800 /*#568900*/}
#globalSearchContent {float: left; margin-top: 7px}
#pageBrandingLarge {float: left; width: 671px; height:205px;
background-color:#e2e2e2; border-top: 1px solid #ffffff;}
#pageBrandingSmall {float: left; width: 671px; height:33px;
background-color:#e2e2e2; border-top: 1px solid #ffffff;}
#pageLogin {float: left; width: 223px; height:239px;
background-color:#f2f2f2; border-top: 1px solid #ffffff;border-right:
1px solid #ffffff;}
#loginHeader {height: 28px; background-color: #88bb00; padding-top: 8px;}
.loginHeaderText {font-size: 16px; color: #fff; font-weight: bold;
margin-left: 15px;}
#loginContent { font-size: 12px; color: #444; margin: 10px 15px;}
#loginContent a:link,#loginContent a:visited {color:#558800;
font-size: 11px; font-weight: normal;}
#loginContent a:hover,#loginContent a:active {color:#558800;
font-size: 11px; text-decoration: underline;}
.loginItem {background:url(img/arrowGray_Small.gif) no-repeat left;
text-indent: 7px; color:#558800; margin: 4px 0px 3px 0px; }
#pageBrandingTop {he
-----
I am on the latest snort version, 2.9.0.3 and I compiled w/ gzip
support and I have the http_inspect preprocessor enabled. From
snort.conf:
-----
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: \
server default \
apache_whitespace no \
ascii no \
bare_byte no \
chunk_length 500000 \
flow_depth 1460 \
directory no \
double_decode no \
iis_backslash no \
iis_delimiter no \
iis_unicode no \
multi_slash no \
non_strict \
oversize_dir_length 500 \
ports { 80 8080 8180 3128 } \
u_encode yes \
non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
webroot no \
server_flow_depth 0 \
client_flow_depth 0 \
post_depth 65495 \
oversize_dir_length 500 \
max_header_length 750 \
max_headers 100 \
enable_cookie \
extended_response_inspection \
inspect_gzip
-----
Looking at the snort rule, it looks sound but it appears the
appropriate HTTP buffers (e.g. http_method) are not getting populated
correctly. Is this the case? I know the HTTP preprocessor has had
some recent changes and has had *a lot* of issues in the past so I'm
curious if this is a known bug and being worked on.
I am copying the EmergingThreats list too in case others are having
problems and can help out.
Thanks.
-L0rd C.
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
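Added example, not part of the thread or of the Emerging Threats ruleset: a small Python model of what sid 2011033 tests and of the "depth 5 instead of http_*" variant Matt suggests. The rule as written requires the http_method buffer to match "head" case-insensitively and to not match the exact bytes "HEAD", so it only fires on a HEAD request whose method is not all upper-case; the raw variant drops the http_method modifier and looks at the first 5 payload bytes instead, which makes it independent of http_inspect populating the buffer. The request-line regex, the `http_method()` helper and all sample payloads are assumptions constructed for this example (none are packets from the thread).

```python
"""Model of ET sid 2011033 (constructed example, not the ET rule engine).

content:"head"; http_method; nocase;   -> method matches "head" ignoring case
content:!"HEAD"; http_method;          -> method is NOT exactly "HEAD"
Both checks operate on the http_method buffer that http_inspect fills in.
"""
import re

# Assumption: a minimal HTTP/1.x request line is METHOD SP target SP HTTP/x.y CRLF.
REQUEST_LINE = re.compile(rb"^([A-Za-z]+) (\S+) HTTP/\d\.\d\r?\n")


def http_method(payload: bytes):
    """Mimic the http_method buffer: the method token of a well-formed request
    line, or None when the payload does not start an HTTP request (an empty
    buffer, so neither content check can match)."""
    m = REQUEST_LINE.match(payload)
    return m.group(1) if m else None


def sid_2011033_http_method(payload: bytes) -> bool:
    """The rule as written: both content checks against the http_method buffer."""
    method = http_method(payload)
    if method is None:
        return False  # buffer not populated -> no match
    return method.lower() == b"head" and method != b"HEAD"


def sid_2011033_depth5(payload: bytes) -> bool:
    """Suggested variant: content:"head"; depth:5; nocase; content:!"HEAD"; depth:5;
    depth:5 limits both searches to the first 5 raw payload bytes."""
    window = payload[:5]
    return b"head" in window.lower() and b"HEAD" not in window


# Constructed client->server payloads (not captured traffic).
SAMPLES = {
    "upper":  b"HEAD /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "lower":  b"head /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "mixed":  b"Head /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "get":    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Non-HTTP payload on an HTTP port, in the spirit of the CSS seen in the thread.
    "css":    b"#pageBrandingTop {height: 5px;}\r\n",
    # Starts with "heade": shows where the raw depth:5 form is looser.
    "header": b"header { color: #558800; }\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {name: (http_method form fires, depth:5 form fires)}."""
    return {name: (sid_2011033_http_method(p), sid_2011033_depth5(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (buf_hit, raw_hit) in evaluate().items():
        print(f"{name:7s} http_method={buf_hit!s:5s} depth5={raw_hit!s}")
```

Only the "lower" and "mixed" samples fire both forms, which is the intended behaviour. The "header" sample fires only the depth:5 form: the raw variant no longer needs the HTTP buffers, but it will also accept any payload whose first five bytes contain "head" in any case, so it trades a little precision for independence from http_inspect. A payload like the CSS fragment in the logged packet matches neither form, which is consistent with the poster's suspicion that the alert came from a mis-populated buffer rather than from the rule logic itself.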
