[Emerging-Sigs] [Snort-devel] Bug with file_data pointer being set in 2.9.0?

Bhagya Bantwal bbantwal at sourcefire.com
Wed Oct 27 14:49:01 EDT 2010


Will,

In 2.9.0 we changed HTTP inspect to inspect the HTTP response body in
stream-rebuilt packets only. In the pcap you provided, the HTTP responses
with response codes 301 and 200 get combined into one segment due to stream
reassembly, and hence we do not set the file data pointer correctly.

A bug has been filed for this issue. Thanks for reporting the issue.

-B

On Fri, Oct 22, 2010 at 10:20 AM, Will Metcalf <william.metcalf at gmail.com> wrote:

> I'm seeing the same thing compiling with gzip support and enabling
> gzip inspection.
>
> Regards,
>
> Will
>
>
> On Thu, Oct 21, 2010 at 9:59 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
> > Where is file_data supposed to be set?  Directly after the headers and
> > starting with the response_body correct?  In 2.8.6 the following rule
> > works as I believe it should. I can do matches relative to the start
> > of the response body.. Seems like a lot of ifdef'd code around zlib..
> > so perhaps this is all because I didn't enable zlib support or
> > something?  Anyhow...
> >
> > alert tcp any any -> any any (msg:"file_data within/distance test";
> > flow:to_client,established; file_data; content:"<!DOCTYPE html";
> > within:20; sid:120001;)
> >
> > downloads/snort-2.8.6.1$ grep -n "printf" * -r | grep body
> > src/preprocessors/HttpInspect/server/hi_server.c:1024:
> > printf("server response body %s\n",Server->response.body);
> >
> >   ,,_     -*> Snort! <*-
> >  o"  )~   Version 2.8.6.1 (Build 39)
> >   ''''    By Martin Roesch & The Snort Team:
> > http://www.snort.org/snort/snort-team
> >           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> >           Using PCRE version: 7.8 2008-09-05
> >
> >           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
> >           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
> >           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
> >           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
> >           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
> >           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
> >           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
> >           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
> >           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
> > Not Using PCAP_FRAMES
> > server response body <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
> > Transitional//EN"
> > "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb"
> > lang="en-gb" dir="ltr" >
> > <head>
> >  <base href="http://www.openinfosecfoundation.org/index.php/component/search/1234567891011" />
> >  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
> >  <meta name="robots" content="index, follow" />
> >  <meta name="keywords" content="" />
> >  <meta name="description" content="Open Information Security Foundation" />
> >  <meta name="generator" content="Joomla! 1.5 - Open Source Content
> > Management" />
> >  <title>The Open Information Security Foundation - Search</title>
> >  <link href="/templates/maximumedia-oisf_2.5/favicon.ico"
> > rel="shortcut icon" type="image/x-icon" />
> >  <link rel="stylesheet"
> > href="/templates/maximumedia-oisf_2.5/css/template.css"
> > type="text/css" />
> >  <link rel="stylesheet"
> > href="/templates/maximumedia-oisf_2.5/css/variations/comboblue.css"
> > type
> >
> > 03/07-22:19:54.786893  [**] [1:120001:0] file_data within/distance
> > test [**] [Priority: 0] {TCP} 96.43.130.5:80 -> 192.168.100.17:38111
> >
> > However in 2.9.0 with the same config only changing..
> > dynamicpreprocessor directory and dynamicengine I get the following
> > and no alert.  However I do get alert for this rule which matches on
> > HTTP in the first 4 bytes of the response+headers.
> >
> > alert tcp any any -> any any (msg:"file_data within/distance test";
> > flow:to_client,established; file_data; content:"HTTP"; within:4;
> > sid:120002;)
> >
> > snort-2.9.0$ grep -n "printf" * -r | grep body
> > src/preprocessors/HttpInspect/server/hi_server.c:1202:
> > printf("server response body %s\n",Server->response.body);
> >
> >
> >        --== Initialization Complete ==--
> >
> >   ,,_     -*> Snort! <*-
> >  o"  )~   Version 2.9.0 (Build 68)
> >   ''''    By Martin Roesch & The Snort Team:
> > http://www.snort.org/snort/snort-team
> >           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> >           Using libpcap version 1.0.0
> >           Using PCRE version: 7.8 2008-09-05
> >
> >           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
> >           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
> >           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
> >           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
> >           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
> >           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
> >           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
> >           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
> > Commencing packet processing (pid=15082)
> > server response body HTTP/1.1 200 OK
> > Date: Mon, 08 Mar 2010 03:17:15 GMT
> > Server:
> > X-Powered-By: PHP/5.2.12
> > P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
> > Expires: Mon, 1 Jan 2001 00:00:00 GMT
> > Last-Modified: Mon, 08 Mar 2010 03:17:15 GMT
> > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> > Pragma: no-cache
> > Content-Length: 13466
> > Keep-Alive: timeout=5, max=99
> > Connection: Keep-Alive
> > Content-Type: text/html; charset=utf-8
> >
> > <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> > "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb"
> > lang="en-gb" dir="ltr" >
> > <head>
> >  <base href="http://www.openinfosecfoundation.org/index.php/component/search/1234567891011" />
> >  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
> >  <meta name="robots" content="index, follow" />
> >  <meta name="keywords" content="" />
> >  <meta name="description" content="Open Information Security Foundation" />
> >  <meta name="generator" content="Joomla! 1.5 - Open Source Content
> > Management" />
> >  <title>The Open Information Security Foundation - Search</title>
> >  <link href="/templates/maximumedia-oisf_2.5/favicon.ico"
> > rel="shortcut icon" type="image/x-icon" />
> >  <link rel="stylesheet"
> > href="/templates/maximumedia-oisf_2.5/css/template.css"
> > type="text/css" />
> >  <link rel="stylesheet"
> > href="/templates/maximumedia-oisf_2.5/css/variations/comboblue.css"
> > type
> > 03/07-22:19:54.361333  [**] [1:120002:0] file_data within/distance
> > test [**] [Priority: 0] {TCP} 96.43.130.5:80 -> 192.168.100.17:38111
> >
>
>
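To make the mechanism Bhagya describes concrete, here is an added Python example (not Snort or HttpInspect code, and not part of this thread): a constructed stream-rebuilt segment carrying a 301 response directly followed by a 200 response, a body cursor derived only from the first blank line, and a per-response cursor computed by walking Content-Length. The sample bytes, the function names and the `within` helper are assumptions that model the `file_data; content; within` semantics the thread's two rules rely on; only Content-Length delimited bodies are handled, not chunked or connection-delimited ones.

```python
"""Model of why a body cursor can land on the wrong bytes when two HTTP
responses share one stream-rebuilt segment.  Constructed example, not
Snort/HttpInspect code; only Content-Length delimited bodies are handled."""
import re
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"

# Constructed reassembled server->client segment: an empty-bodied 301
# immediately followed by a 200 with an HTML body (modelled on the thread's
# description, not the original pcap).
SAMPLE_STREAM = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://example.invalid/index.php\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"<!DOCTYPE html><html></html>\n"
)


@dataclass
class HttpResponse:
    status: int
    headers: dict
    body_offset: int  # absolute offset of the body within the segment
    body: bytes


def parse_headers(raw: bytes):
    """Return (status code, lower-cased header dict) for one header block."""
    lines = raw.split(b"\r\n")
    match = re.match(rb"HTTP/\d\.\d (\d{3})", lines[0])
    if not match:
        raise ValueError("segment does not start with an HTTP status line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def split_responses(stream: bytes):
    """Walk consecutive responses, using Content-Length to find each body."""
    responses, pos = [], 0
    while pos < len(stream):
        end = stream.find(HEADER_END, pos)
        if end == -1:
            break  # truncated header block: stop instead of guessing
        status, headers = parse_headers(stream[pos:end])
        body_offset = end + len(HEADER_END)
        length = int(headers.get(b"content-length", b"0"))
        body = stream[body_offset:body_offset + length]
        responses.append(HttpResponse(status, headers, body_offset, body))
        pos = body_offset + length
    return responses


def naive_body_offset(stream: bytes) -> int:
    """Cursor taken from the first blank line only (one-response assumption)."""
    return stream.find(HEADER_END) + len(HEADER_END)


def content_within(buf: bytes, cursor: int, content: bytes, within: int) -> bool:
    """Snort-style 'content; within:N' relative to a cursor: the whole pattern
    must fall inside the N bytes starting at the cursor."""
    return content in buf[cursor:cursor + within]


def check_rules(stream: bytes) -> dict:
    """Evaluate the thread's two rule bodies against both cursor strategies."""
    naive = naive_body_offset(stream)
    return {
        # sid:120002 (content:"HTTP"; within:4) fires on the naive cursor ...
        "naive_http": content_within(stream, naive, b"HTTP", 4),
        # ... while sid:120001 (content:"<!DOCTYPE html"; within:20) does not
        "naive_doctype": content_within(stream, naive, b"<!DOCTYPE html", 20),
        # per-response cursors: only the 200's body carries the DOCTYPE
        "per_response_doctype": [
            content_within(r.body, 0, b"<!DOCTYPE html", 20)
            for r in split_responses(stream)
        ],
    }


if __name__ == "__main__":
    for r in split_responses(SAMPLE_STREAM):
        print(r.status, "body at", r.body_offset, r.body[:20])
    print(check_rules(SAMPLE_STREAM))
```

With the naive cursor the 301's empty body means the cursor sits on the bytes `HTTP/1.1 200 OK`, so a rule matching `HTTP` within 4 bytes fires and one matching the DOCTYPE does not, which is the symptom reported for 2.9.0; walking Content-Length per response puts the second cursor on the HTML body where a detection author expects `file_data` to point.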