[Emerging-Sigs] New http inspect split - snort 2.8.3

Matt Jonkman jonkman at jonkmans.com
Thu Jul 10 10:19:48 EDT 2008


Interesting new feature, but we'll try to stay with conventional methods 
for now. If we go straight to that we'd have to split the ruleset by 
versions.

If we have situations where we absolutely HAVE to use the new feature 
then we'd have to do so, but I don't think we'll hit that for a while.

Matt

Rodrigo Montoro(Sp0oKeR) wrote:
> Hi all,
>    I think, as most people here know, snort 2.8.3 will have new features 
> for new rules:
> 
> New Feature for HTTP Inspect to split requests into 5 components -
> Method, URI, Header (non-cookie), Cookies, Body. Added HTTP server
> specific configurations to normalize HTTP header and/or cookie buffers.
> Provided content and PCRE modifiers to allow searches within one or
> more of those individual buffers.
> 
>   Rules will be written in another way, as:
> 
> 3.5.9 http cookie
> The http cookie keyword is a content modifier that restricts the search 
> to the extracted Cookie Header field of an HTTP client request. The rule 
> listed in Figure 3.19 constrains the search for the pattern "EFG" to the 
> extracted Cookie Header field of an HTTP client request. As this keyword 
> is a modifier to the previous 'content' keyword, there must be a content 
> in the rule before 'http cookie' is specified. The extracted Cookie Header 
> field may be NORMALIZED, per the configuration of HttpInspect (see 2.1.8).
> 
> Format
> http_cookie;
> 
> Examples
> alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_cookie;)
> 
> 3.5.10 http header
> The http header keyword is a content modifier that restricts the search 
> to the extracted Header fields of an HTTP client request. The rule listed 
> in Figure 3.20 constrains the search for the pattern "EFG" to the 
> extracted Header fields of an HTTP client request. As this keyword is a 
> modifier to the previous 'content' keyword, there must be a content in 
> the rule before 'http header' is specified. The extracted Header fields 
> may be NORMALIZED, per the configuration of HttpInspect (see 2.1.8).
> 
> Format
> http_header;
> 
> Examples
> alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_header;)
> 
> 3.5.11 http method
> The http method keyword is a content modifier that restricts the search 
> to the extracted Method from an HTTP client request. The rule listed in 
> Figure 3.21 constrains the search for the pattern "GET" to the extracted 
> Method from an HTTP client request. As this keyword is a modifier to the 
> previous 'content' keyword, there must be a content in the rule before 
> 'http method' is specified.
> 
> Format
> http_method;
> 
> Examples
> alert tcp any any -> any 80 (content:"ABC"; content: "GET"; http_method;)
> 
> More info in the snort-2.8.3-9Beta manual.
> 
> Will ET try to update rules? Or just for new rules?
> 
> Regards,
> 
> -- 
> ===========================
> Rodrigo Montoro (Sp0oKeR)
> Security Analyst
> SnortCP / RHCE / LPIC-I / MCSO
> http://www.spooker.com.br
> http://www.snort.org.br
> http://www.linkedin.com/in/spooker
> ===========================
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
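The quoted manual sections describe content modifiers that confine a pattern search to one of the buffers HttpInspect extracts (method, URI, non-cookie headers, cookies, body). The following Python is an added illustration, not Snort code and not part of the thread: it splits a constructed client request into those buffers and evaluates the option list of a rule such as `content:"ABC"; content: "EFG"; http_cookie;`, showing that a modifier binds only to the content immediately before it and that "EFG" in the body or cookie no longer satisfies a rule restricted to the header buffer. The http_uri and http_client_body names for the other two buffers are the usual Snort modifier names; normalization and |hex| content escapes are left out.

```python
import re

# Constructed sample client request: "EFG" appears in the cookie and the
# body but not in the non-cookie headers; "ABC" only in User-Agent.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: ABC\r\nCookie: id=EFG\r\n\r\nEFG=1")
# Rule option syntax: name, optional :"value", terminated by ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*"([^"]*)")?\s*;')

def parse_options(text: str) -> list:
    """'content:"ABC"; content: "EFG"; http_cookie;' -> (name, value) pairs.
    Simplified: no |hex| escapes, only content and buffer modifiers."""
    return [(m.group(1), m.group(2)) for m in OPTION_RE.finditer(text)]

def split_request(raw: bytes) -> dict:
    """Split a client request into the five HttpInspect buffers; Cookie
    lines are excluded from the header buffer. No normalization here."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    headers, cookies = [], []
    for line in header_lines:
        name = line.split(b":", 1)[0].strip().lower()
        (cookies if name == b"cookie" else headers).append(line)
    return {
        "http_method": parts[0],
        "http_uri": parts[1] if len(parts) > 1 else b"",
        "http_header": b"\r\n".join(headers),
        "http_cookie": b"\r\n".join(cookies),
        "http_client_body": body,
        None: raw,  # unmodified content searches the whole payload
    }

def match_rule(options: str, raw: bytes) -> bool:
    """True if every content is found in its buffer. A modifier binds to
    the content immediately before it; with no content before it, the
    rule is invalid (the manual requires a preceding content)."""
    buffers = split_request(raw)
    contents = []  # [pattern, modifier-or-None]
    for name, value in parse_options(options):
        if name == "content":
            contents.append([value.encode(), None])
        elif name in buffers:
            if not contents:
                raise ValueError(f"{name} must follow a content option")
            contents[-1][1] = name
        else:
            raise ValueError(f"unsupported option {name}")
    return all(pat in buffers[mod] for pat, mod in contents)
```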
