Snort mailing list archives
Re: [snort preprocessor]http_inspect cannot identify urlencoded content
From: Maxim <hittlle () 163 com>
Date: Tue, 5 Jul 2016 11:02:53 +0800 (CST)
Hi all,
I've figured out why. Just because I didn't disable checksum validation. I added -k none, and it triggered an alert as
expected. Thanks a lot.
At 2016-07-05 02:56:40, "Al Lewis (allewi)" <allewi () cisco com> wrote:
Are you sure the destination address in your rule is correct? There isn't anything in the pcap from 192.168.48.140.
Shouldn't it be 192.168.2.111 instead of 192.168.48.140?
If I change the address in your rule it alerts. See below:
cliffjumper$ ./bin/snort -c etc/MAXIM.conf -r etc/MAXIM.pcapng -Acmg -H -U -k none -q
07/04-02:59:02.844050 [**] [1:9100000:1] test urlencoded content. [**] [Classification: Web Application Attack]
[Priority: 1] {TCP} 192.168.2.139:56961 -> 192.168.2.111:80
Stream reassembled packet
07/04-02:59:02.844050 B0:C0:90:51:83:6C -> C8:1F:66:DB:CA:26 type:0x800 len:0x24C
192.168.2.139:56961 -> 192.168.2.111:80 TCP TTL:64 TOS:0x0 ID:23068 IpLen:20 DgmLen:574 DF
***A**** Seq: 0x4D757BEC Ack: 0x438BE909 Win: 0x7680 TcpLen: 20
47 45 54 20 2F 69 64 3D 68 65 6C 6C 6F 77 6F 72 GET /id=hellowor
6C 64 25 32 30 25 36 31 25 36 45 25 36 34 25 32 ld%20%61%6E%64%2
30 25 33 31 25 33 44 25 33 32 25 32 30 25 37 35 0%31%3D%32%20%75
25 34 45 25 36 39 25 36 46 25 36 45 25 32 30 25 %4E%69%6F%6E%20%
35 33 25 36 35 25 36 43 25 34 35 25 36 33 25 37 53%65%6C%45%63%7
34 25 32 30 25 33 31 25 32 43 25 33 32 25 32 43 4%20%31%2C%32%2C
25 33 33 25 32 43 25 33 34 25 32 43 25 33 35 25 %33%2C%34%2C%35%
32 43 25 36 33 25 36 46 25 36 45 25 36 33 25 36 2C%63%6F%6E%63%6
31 25 37 34 25 32 38 25 33 30 25 37 38 25 33 34 1%74%28%30%78%34
25 33 30 25 33 37 25 33 34 25 33 36 25 33 38 25 %30%37%34%36%38%
33 36 25 33 35 25 33 37 25 33 33 25 33 37 25 33 36%35%37%33%37%3
34 25 33 36 25 33 31 25 33 37 25 33 32 25 33 37 4%36%31%37%32%37
25 33 34 25 32 43 25 34 33 25 36 46 25 37 35 25 %34%2C%43%6F%75%
36 45 25 37 34 25 32 38 25 32 41 25 32 39 25 32 6E%74%28%2A%29%2
43 25 33 30 25 37 38 25 33 34 25 33 30 25 33 37 C%30%78%34%30%37
25 33 34 25 33 36 25 33 38 25 33 36 25 33 35 25 %34%36%38%36%35%
33 36 25 33 35 25 33 36 25 34 35 25 33 36 25 33 36%35%36%45%36%3
34 25 32 39 25 32 43 25 33 37 25 32 43 25 33 38 4%29%2C%37%2C%38
25 32 43 25 33 39 25 32 43 25 33 31 25 33 30 25 %2C%39%2C%31%30%
32 30 25 36 36 25 37 32 25 36 46 25 36 44 25 32 20%66%72%6F%6D%2
30 25 36 39 25 36 45 25 36 36 25 36 46 25 37 32 0%69%6E%66%6F%72
25 36 44 25 36 31 25 37 34 25 36 39 25 36 46 25 %6D%61%74%69%6F%
36 45 25 35 46 25 37 33 25 36 33 25 36 38 25 36 6E%5F%73%63%68%6
35 25 36 44 25 36 31 25 32 45 25 37 34 25 36 31 5%6D%61%2E%74%61
25 36 32 25 36 43 25 36 35 25 37 33 25 32 33 20 %62%6C%65%73%23
48 54 54 50 2F 31 2E 31 0D 0A 43 6F 6E 74 65 6E HTTP/1.1..Conten
74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D t-Type: text/htm
6C 0D 0A 48 6F 73 74 3A 20 31 39 32 2E 31 36 38 l..Host: 192.168
2E 32 2E 31 31 31 0D 0A 41 63 63 65 70 74 3A 20 .2.111..Accept:
74 65 78 74 2F 68 74 6D 6C 2C 20 2A 2F 2A 0D 0A text/html, */*..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi
6C 6C 61 2F 33 2E 30 20 28 63 6F 6D 70 61 74 69 lla/3.0 (compati
62 6C 65 3B 20 49 6E 64 79 20 4C 69 62 72 61 72 ble; Indy Librar
79 29 0D 0A 0D 0A y)....
Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Email: allewi () cisco com
From: Maxim <hittlle () 163 com>
Date: Sunday, July 3, 2016 at 11:38 PM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] [snort preprocessor]http_inspect cannot identify urlencoded content
Hi all,
I have a website attack tool that encodes HTTP request parameters with urlencode library, and I want snort to capture
and normalize the urlencoded content. I enabled http_inspect preprocessor in snort.conf as follows:
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
max_gzip_mem 104857600
preprocessor http_inspect_server: server default profile all ports { 80 8081 } http_methods { GET POST PUT
DELETE HEAD }
and prepared the corresponding rule as below:
alert tcp any any -> 192.168.48.140 80 (content: "union"; http_uri; nocase; msg:"test urlencoded content.";
classtype: web-application-attack;flowbits: isnotset, 9100000; flowbits: set,
9100000; flow: from_client; tag: session,exclusive; sid: 9100000; rev:1)
The keyword "union" is urlencoded in the parameter part of the HTTP request generated by the attack tool. Then I used
the tool to trigger the attack as follows:
GET
/id=test%20%61%6E%64%20%31%3D%32%20%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20%31%2C%32%2C%33%2C%34%2C%35%2C%63%6F%6E%63%61%74%28%30%78%34%30%37%34%36%38%36%35%37%33%37%34%36%31%37%32%37%34%2C%43%6F%75%6E%74%28%2A%29%2C%30%78%34%30%37%34%36%38%36%35%36%35%36%45%36%34%29%2C%37%2C%38%2C%39%2C%31%30%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%23
HTTP/1.1
Content-Type: text/html
Host: 192.168.2.111
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
The normalized form of
"%20%61%6E%64%20%31%3D%32%20%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20%31%2C%32%2C%33%2C%34%2C%35%2C%63%6F%6E%63%61%74%28%30%78%34%30%37%34%36%38%36%35%37%33%37%34%36%31%37%32%37%34%2C%43%6F%75%6E%74%28%2A%29%2C%30%78%34%30%37%34%36%38%36%35%36%35%36%45%36%34%29%2C%37%2C%38%2C%39%2C%31%30%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%23"
in the above request is "/id=test and 1=2 uNion SelEct
1,2,3,4,5,concat(0x407468657374617274,Count(*),0x40746865656E64),7,8,9,10 from information_schema.tables#". As you can
see, the rule SHOULD match the request and trigger an alert, but it didn't. My snort version information and the pcap
file are attached below.
,,_ -*> Snort! <*-
o" )~ Version 2.9.6.0 GRE (Build 47)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.31 2012-07-06
Using ZLIB version: 1.2.8
Am I missing anything? Any guidance would be highly appreciated. Thanks.
Regards
Hittlle
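The three things this thread turns on (checksum verification, the rule header's destination address, and content matching against the normalized http_uri buffer rather than the raw percent-encoded payload) can be modelled in a few lines. The following is an added example, not code from the thread or from Snort; packets and rules are plain dicts, and http_inspect's URI normalization is reduced to single-pass %XX decoding.

```python
"""Added example, not from the thread or Snort's own code: a toy model of the three
gates the thread's rule must pass before it alerts, so the two fixes discussed
(correct destination address, and `-k none`) can be checked separately. Assumed
simplification: dict packets/rules, and http_uri modelled as one-pass %XX decoding."""
import re

# Constructed copy of the request URI Maxim posted (split only for line length).
ENCODED_URI = (
    "/id=test%20%61%6E%64%20%31%3D%32%20%75%4E%69%6F%6E%20%53%65%6C%45%63%74%20"
    "%31%2C%32%2C%33%2C%34%2C%35%2C%63%6F%6E%63%61%74%28%30%78%34%30%37%34%36%38"
    "%36%35%37%33%37%34%36%31%37%32%37%34%2C%43%6F%75%6E%74%28%2A%29%2C%30%78%34"
    "%30%37%34%36%38%36%35%36%35%36%45%36%34%29%2C%37%2C%38%2C%39%2C%31%30%20%66"
    "%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61"
    "%62%6C%65%73%23"
)


def normalize_uri(uri: str) -> str:
    """http_uri buffer model: decode every valid %XX escape once. Malformed escapes
    ('%zz', a trailing '%') are left literal since there is nothing to decode."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), uri)


def rule_alerts(packet: dict, rule: dict, checksum_mode: str = "all") -> bool:
    """True if `rule` fires on `packet`. Gate 1: Snort skips detection on packets
    whose checksums fail unless started with `-k none` (the thread's real fix).
    Gate 2: rule header. Gate 3: `content` against the normalized http_uri
    buffer, case-insensitively when the rule carries `nocase`."""
    if not packet["checksum_ok"] and checksum_mode != "none":
        return False
    if (packet["dst_ip"], packet["dst_port"]) != (rule["dst_ip"], rule["dst_port"]):
        return False
    haystack, needle = normalize_uri(packet["uri"]), rule["content"]
    if rule.get("nocase"):
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


# Constructed packet modelled on the thread's pcap: sent to 192.168.2.111:80 with a
# TCP checksum that Snort rejected until it was run with -k none.
PACKET = {"dst_ip": "192.168.2.111", "dst_port": 80, "uri": ENCODED_URI,
          "checksum_ok": False}
ORIGINAL_RULE = {"dst_ip": "192.168.48.140", "dst_port": 80, "content": "union", "nocase": True}
FIXED_RULE = dict(ORIGINAL_RULE, dst_ip="192.168.2.111")

if __name__ == "__main__":
    print(normalize_uri(ENCODED_URI))
    print(rule_alerts(PACKET, ORIGINAL_RULE, "none"), rule_alerts(PACKET, FIXED_RULE, "all"),
          rule_alerts(PACKET, FIXED_RULE, "none"))  # False False True
```

Note that the raw payload never contains the literal string "union", which is why the rule has to match on the http_uri buffer (after http_inspect normalization) and why an inspection gate such as checksum verification that skips the packet altogether silently defeats it.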