Re: [Snort-users] [Emerging-Sigs] Signatures for Clients POSTing to SEO/NEOsploit Exploit Kits - Round 2

From: Will Metcalf (william.metcalfgmail.com)
Date: Tue Aug 10 2010 - 15:52:02 CDT


> if you have a normalized buffer
> why as a rule writer you should be able to di something like what Eoin
> is trying to do.
wow... what a horrible sentence... I meant...

If you have a normalized buffer as a rule writer you should be able to
do something like what Eoin is trying to do.

On Tue, Aug 10, 2010 at 3:49 PM, Will Metcalf <william.metcalfgmail.com> wrote:
> ehhh be careful... this only works for http_uri and http_client_body
> all other http_* modifiers using distance/within fails silently....
> always... at least in my testing. Which makes me wonder why snort
> doesn't reject those rules during parsing as they will never match.
> Joel?  Also did you test these because as of 2.8.5.3 (yes I know, I
> know) this would only work if you did....
>
> content:"id="; http_client_body; content:"%26jp"; distance:32;
> classtype:bad-unknown; sid:5600099; rev:2;)
>
> leaving off the second http_client_body modifier. Otherwise it appears
> the behavior in this case is that distance would always start from the
> beginning of the normalized buffer, i.e. it behaves like offset.  The same
> trick works for http_uri but if the uri has to be decoded/normalized
> in any way it will always fail.
>
> This is really annoying to me btw.  if you have a normalized buffer
> why as a rule writer you should be able to di something like what Eoin
> is trying to do.  For things where within/distance don't really make
> much of a difference I can understand read uricontent, but for things
> like http headers etc where you fingerprint things like a unique
> user-agent using within/distance and can avoid pcre why not allow this
> instead of assuming that the user "really meant" depth/offset.
>
> just my 0.02
>
> Regards,
>
> Will
>
> On Tue, Aug 10, 2010 at 2:57 PM, Eoin Miller
> <eoin.millertrojanedbinaries.com> wrote:
>>  These are better versions that should have a much lower FP rate, why I
>> didn't use the distance keyword last time? Because I am an idiot:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO
>> Exploit Kit - request for PDF exploit"; flow:established,to_server;
>> content:"POST"; http_method; content:"id="; http_client_body;
>> content:"%26np"; distance:32; http_client_body; classtype:bad-unknown;
>> sid:5600099; rev:2;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO
>> Exploit Kit - request for Java exploit"; flow:established,to_server;
>> content:"POST"; http_method; content:"id="; http_client_body;
>> content:"%26j"; distance:32; http_client_body; classtype:bad-unknown;
>> sid:5600100; rev:2;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO
>> Exploit Kit - request for Java and PDF exploits";
>> flow:established,to_server; content:"POST"; http_method; content:"id=";
>> http_client_body; content:"%26jp"; distance:32; http_client_body;
>> classtype:bad-unknown; sid:5600101; rev:2;)
>>
>> -- Eoin
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigsemergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>
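The disagreement in this thread is about what `distance:32` means when it follows an `http_client_body` content match. The following is an added example, not code from either poster or from the Snort project: a small Python emulation of the two interpretations, with constructed POST bodies (the `id=` / `%26jp` strings come from Eoin's rules; the bodies themselves are made up). The "relative" mode models the intended Snort semantics (the cursor advances to the end of the previous match, `distance` skips N more bytes, `within` limits how far past that cursor the next pattern may end); the "offset-like" mode models the fallback Will describes, where the distance is measured from the start of the normalized buffer. The second constructed body shows why that fallback matters for a detection engineer: it matches under the offset-like reading but not under the relative one, i.e. the rule fires on traffic the author did not intend to match.

```python
from typing import Iterator, Optional

# Patterns lifted from the rules quoted in the thread.
ANCHOR = b"id="
NEEDLE = b"%26jp"
DISTANCE = 32


def find_all(buf: bytes, pat: bytes) -> Iterator[int]:
    """Yield every start index of pat in buf, left to right."""
    i = buf.find(pat)
    while i != -1:
        yield i
        i = buf.find(pat, i + 1)


def match_relative(body: bytes, anchor: bytes, needle: bytes,
                   distance: int, within: Optional[int] = None) -> bool:
    """Intended semantics: distance is counted from the END of the anchor match.

    Like Snort, retry every occurrence of the anchor, since a later one may
    satisfy the relative constraint even if the first does not. 'within' is
    modelled as: the needle must lie entirely inside the 'within' bytes that
    follow the distance cursor (an assumption; it is a simplification of the
    real engine, not its code).
    """
    for a in find_all(body, anchor):
        cursor = a + len(anchor) + distance
        end = None if within is None else cursor + within
        if body.find(needle, cursor, end) != -1:
            return True
    return False


def match_offset_like(body: bytes, anchor: bytes, needle: bytes,
                      distance: int) -> bool:
    """Fallback Will reports: both contents are found independently and
    'distance' behaves like 'offset', i.e. the search for the needle starts
    'distance' bytes into the normalized buffer regardless of the anchor."""
    if anchor not in body:
        return False
    return body.find(needle, distance) != -1


def evaluate(body: bytes) -> dict:
    """Run both interpretations over one client body."""
    return {
        "relative": match_relative(body, ANCHOR, NEEDLE, DISTANCE),
        "offset_like": match_offset_like(body, ANCHOR, NEEDLE, DISTANCE),
    }


# Constructed sample bodies (not captured traffic).
BODY_INTENDED = b"id=" + b"A" * 32 + b"%26jp=1"      # 32 bytes between id= and %26jp
BODY_FALSE_POSITIVE = b"x" * 40 + b"id=%26jp"         # %26jp right after id=, but past byte 32
BODY_CLEAN = b"user=guest&lang=en"                    # neither pattern present


if __name__ == "__main__":
    for name, body in [("intended", BODY_INTENDED),
                       ("false_positive", BODY_FALSE_POSITIVE),
                       ("clean", BODY_CLEAN)]:
        print(name, evaluate(body))
```

The interesting row is `false_positive`: the relative reading rejects it (there are 0 bytes between `id=` and `%26jp`, not 32 or more), while the offset-like reading accepts it because `%26jp` simply occurs after byte 32 of the buffer. That is the silent semantic change Will warns about, and it is why a rule that parses cleanly can still behave like a looser rule than the one written.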

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net