[Emerging-Sigs] Odd behavior with content matching on Snort 2.8.4.1

Joel Esler eslerj at gmail.com
Thu Sep 17 08:26:40 EDT 2009


Awaiting feedback from dev.  They rolled out 2.8.5 yesterday, so I imagine
they were a bit busy.
In the meantime, upgrade to 2.8.5

J

On Wed, Sep 16, 2009 at 2:23 PM, evilghost at packetmail.net <evilghost at packetmail.net> wrote:

> Joel just curious to see if you've gotten any feedback.  Requiring
> rawbytes is a little odd and the failed content matching is concerning.
>  Could this be a bug in 2.8.4.1?
>
> -evilghost
>
> Joel Esler wrote:
> > Hm..
> >
> > Seems it was changed when the last http_preprocessor was changed to
> > allow rawbytes to work with HTTP.  (When I am reading the code).
> >
> > Let me talk to a dev and get you an answer.
> >
> > J
> >
> > On Sep 15, 2009, at 9:15 AM, evilghost at packetmail.net wrote:
> >
> >> Looking at 2.8.4 manual, page 113, I see "The rawbytes keyword allows
> >> rules to look at the raw packet data, ignoring any decoding that was
> >> done by preprocessors.  This acts as a modifier to the previous content
> >> 3.5.1 option".
> >>
> >> Don't see anywhere it mention telnet-only though the example does show
> >> ignoring decoding done by the Telnet decoder.  Back to the original
> >> issue, how could the http preprocessor mangle HTTP POST in such a
> >> fashion that a content match wouldn't succeed without rawbytes?
> >>
> >> Joel Esler wrote:
> >>> Rawbytes is a telnet only modifier.  It does nothing with HTTP.
> >>>
> >>> J
> >>>
> >>> On Sep 15, 2009, at 8:58 AM, evilghost at packetmail.net wrote:
> >>>
> >>>> I am crafting some very basic signatures and am running into issues
> >>>> with the content matching on Snort 2.8.4.1 failing to match packet
> >>>> content unless the rawbytes option is issued.  Does anyone have any
> >>>> insight into this?  Even the most basic of a rule (single content
> >>>> only) will not match.  I am attempting to match against HTTP POST
> >>>> data.  Oddly, a PCRE match of '/testdata/i' matches fine.
> >>>>
> >>>> Here are the very simplistic rules (these are used to demonstrate the
> >>>> issue).  In this case I am intentionally ignoring rule refinement
> >>>> (checking for HTTP POST, etc) to demonstrate the issue.  700003 will
> >>>> never fire.  700004 fires correctly.
> >>>>
> >>>> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"TEST - Content Match without rawbytes"; content:"testdata"; nocase; classtype:trojan-activity; sid:700003;)
> >>>> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"TEST - Content Match with rawbytes"; content:"testdata"; nocase; rawbytes; classtype:trojan-activity; sid:700004;)
> >>>>
> >>>> Here is a refined rule which fires correctly, again, note the
> >>>> rawbytes:
> >>>> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"TEST - Content match HTTP POST with rawbytes"; content:"POST"; http_method; content:"testdata"; nocase; rawbytes; classtype:trojan-activity; sid:700005;)
> >>>>
> >>>> Here is the POST data from an ASCII dump of a PCAP:
> >>>>
> >>>> 17:58:55.427316 IP aa.bb.cc.dd.22844 > ww.xx.yy.zz.80: P 0:617(617) ack 1 win 12288
> >>>> E...3......P...
> >>>> ..C&Y<.P....!.D.P.0.]]..POST /posttest HTTP/1.1
> >>>> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.13) Gecko/2009082121 Iceweasel/3.0.6 (Debian-3.0.6-1)
> >>>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> >>>> Accept-Language: en-us,en;q=0.5
> >>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> >>>> Keep-Alive: 300
> >>>> Connection: keep-alive
> >>>> Cookie: rfaft2c1_.obfuscated.com_%2F_wlf=TlN123lZS5zZmhqcG90LmRwbi13anFf?Y3sVMbvdZracNk3bC123J1M0Hd0A&; ARPT=ZQYIX123GX001123MI
> >>>> Content-length: 71
> >>>> Host: test.obfuscated.com
> >>>>
> >>>> testdata=hello&cmd=submit&userid=123456789_blahblah&passcode=0101010101
> >>>>
> >>>> Thanks,
> >>>> evilghost
> >>>> _______________________________________________
> >>>> Emerging-sigs mailing list
> >>>> Emerging-sigs at emergingthreats.net
> >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>
> >>
> >
>

-- Joel Esler | http://blog.joelesler.net
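To separate the rule logic from whatever the HTTP preprocessor hands the detection engine, here is an added Python example (not from the thread or from Snort) that parses the three rules' option strings and applies content/nocase/http_method to the raw request bytes; the request is reconstructed from the dump above with most headers dropped, and rawbytes is a no-op here because the evaluator only ever sees raw bytes. All three rules match on raw bytes, so the 700003 miss on 2.8.4.1 comes from the buffer the engine is given, not from the rule syntax.

```python
import re

# Constructed from the POST shown in the thread (headers abbreviated, body verbatim).
REQUEST = (
    b"POST /posttest HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.13)\r\n"
    b"Content-length: 71\r\n"
    b"Host: test.obfuscated.com\r\n"
    b"\r\n"
    b"testdata=hello&cmd=submit&userid=123456789_blahblah&passcode=0101010101"
)

# Detection options of the three rules from the thread (msg/classtype omitted).
RULES = {
    700003: 'content:"testdata"; nocase;',
    700004: 'content:"testdata"; nocase; rawbytes;',
    700005: 'content:"POST"; http_method; content:"testdata"; nocase; rawbytes;',
}


def parse_options(opts: str):
    """Group a Snort option string into content patterns with their modifiers.

    Minimal on purpose: patterns containing ';' or ':' and |hex| escapes are
    not handled, which is enough for the rules in this thread.
    """
    matches = []
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        if key == "content":
            matches.append({"pattern": val.strip().strip('"').encode(), "mods": set()})
        elif matches:
            matches[-1]["mods"].add(key)  # modifier applies to the previous content
    return matches


def evaluate(opts: str, request: bytes) -> bool:
    """Apply every content match to the raw request; http_method narrows the
    buffer to the request-line method token, rawbytes means the raw buffer,
    which is all this evaluator ever looks at."""
    method = request.split(b" ", 1)[0]
    for m in parse_options(opts):
        buf = method if "http_method" in m["mods"] else request
        pat = m["pattern"]
        if "nocase" in m["mods"]:
            buf, pat = buf.lower(), pat.lower()
        if pat not in buf:
            return False
    return True


if __name__ == "__main__":
    for sid, opts in RULES.items():
        print(sid, "matches" if evaluate(opts, REQUEST) else "no match")
```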

