Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Double Content-Length headers causes matching string inside http_client_body to fail (http_inspect preprocessor)

From: rmkml <rmkml () yahoo fr>
Date: Thu, 19 Jun 2014 22:57:24 +0200 (CEST)
Hi Pablo and Hui,

Yes last snort v2.9.6.1 not fire, but another "internal" http preproc fire in my test:

06/19-22:51:51.934663  [**] [119:21:1] (http_inspect) MULTIPLE CONTENT LENGTH [**] [Classification: Unknown Traffic] 
[Priority: 3] {TCP} 192.168.1.202:45985 -> 192.168.1.201:80

Regards
@Rmkml


On Thu, 19 Jun 2014, Hui cao wrote:


Hi Pablo,

Thanks for reporting this issue. Have you tried 2.9.6 ?

Best,
Hui.
On 06/19/2014 09:50 AM, Pablo Artuso wrote:
      Hello,

      I'm experiencing an issue when http_inspect preprocessor handles an HTTP packet with two identical Content-Length 
headers present.
      When two identical headers (with the same value) are present, the rule trying to match a string inside 
http_client_body fails. The only header that triggers this condition is Content-Length.

      This could be a mechanism to evade HTTP signatures based on http_inspect preprocessor.

      OS: Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
      Snort Package: snort (2.9.2.2-3)
      Preprocessors enabled: stream5, http_inspect
      (Find below a snort.conf can be used for testing purposes)

      Steps to reproduce the bug (python+scapy):

      1. Install Scapy (http://www.secdev.org/projects/scapy/)
      2. Install Snort version 2.9.2 (I'm using the apt-get from Debian repositories)
      3. Install the supplied snort.conf enabling http_inspect and stream5 preprocessors
      4. Start Scapy and try the examples below.

      Best regards,

      Pablo


      --- Example 1: HTTP POST packet with double Content-Length ---

      DST_SERVER = 'xxx.xxx.xxx.xxx' # Complete!

      httpheaderN =  'POST / HTTP/1.1\r\nHost: '+ DST_SERVER +'\r\nUser-Agent: Wget/1.13.4 (linux-gnu)\r\nContent-Length: 
86\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Length: 86\r\n\r\n'

      httpbodyN = "Nobody can go back and start a new beginning, but anyone can start today a new ending."
         

      pDouble = IP(dst=DST_SERVER) / TCP(dport=80)  / (httpheaderN+httpbodyN)

      send(pDouble) # should trigger both rules! Fails to match http_client_body rule

      --- End Example 1 ---

      --- Example 2 ---
      DST_SERVER = 'xxx.xxx.xxx.xxx' # Complete!

      httpheaderD =  'POST / HTTP/1.1\r\nHost: '+ DST_SERVER +'\r\nUser-Agent: Wget/1.13.4 (linux-gnu)\r\nContent-Type: 
text/plain; charset=utf-8\r\nContent-Length: 86\r\n\r\n'

      httpbodyD = "Nobody can go back and start a new beginning, but anyone can start today a new ending."

      pNormal = IP(dst= DST_SERVER) / TCP(dport=80)  / (httpheaderD+httpbodyD)

      send(pNormal) # Should trigger both rules! OK

      --- End Example 2 ---


      --- used snort.conf ---
      output unified2: filename snort_unified2.out, limit 128
      output alert_fast

      preprocessor stream5_global: \
        track_tcp yes \
        track_udp yes
      preprocessor stream5_tcp: \
        policy bsd, \
        timeout 86400, \
        ports all
      preprocessor stream5_udp: \
        timeout 86400

      preprocessor http_inspect: \
        global \
        iis_unicode_map unicode.map 1252

      preprocessor http_inspect_server: \
        server default \
        profile all \
        client_flow_depth 0 \
        server_flow_depth 0 \
        post_depth 0 \
        extended_response_inspection \
        ports { 80 } http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE 
LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND
      PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA 
RPC_ECHO_DATA }


      var DST_SERVER xxx.xxx.xxx.xxx # Complete!! and erase this comment!

      alert tcp any any -> $DST_SERVER 80 (  flow: to_server; content: "Nobody"; nocase; \
      http_client_body;  content: "Beginning"; nocase; http_client_body;  msg: "Rule with http_client_body ";  \
      sid: 2;)

      alert tcp any any -> $DST_SERVER 80 (  flow: to_server; content: "Nobody"; nocase; \ 
      content: "Beginning"; nocase; msg: "Rule without http_client_body ";  sid: 1)
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: