[Snort-users] pattern recognition problems
Travis Kincher 2004-09-15, 5:45 pm

I'm running Snort-2.2.0, FreeBSD 5.2.1, and my problem, it appears, is
that patterns are not matching correctly.
Here's an example with rule SID 2278 (WEB-MISC client negative
Content-Length attempt)
--------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
client negative Content-Length attempt"; flow:to_server,established;
content:"Content-Length|3A|"; nocase;
pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,9098;
reference:bugtraq,9476; reference:bugtraq,9576;
reference:cve,2004-0095; classtype:misc-attack; sid:2278; rev:8;)
--------
So, of course, it is looking for an HTTP string containing a negative
content-length, i.e. "Content-Length: -1024".
Here is an example of the data that apparently triggered this alert:
--------
HTTP/1.1 206 Partial Content..Server: Netscape-Enterprise/6.0..Date:
Tue, 17 Aug 2004 16:09:46 GMT..Content-type: image/jpeg..Etag:
"506d-70ab-411a9496"..Last-modified: Wed, 11 Aug 2004 21:50:14
GMT..Content-length: 13019..Content-range: bytes 15824-28842/28843....
--------
My first thoughts were perhaps that PCRE was failing, but I could not
find any indication that this was so. Am I missing something here
and/or is there a way to confirm or deny that PCRE patterns are
working? Searched the docs and the archives, but I failed to find
anything relevant. Any ideas appreciated.
Regards,
Travis Kincher
InfoGroup Northwest
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Brian 2004-09-22, 10:25 pm

On Wed, Sep 15, 2004 at 10:48:47AM -0700, Travis Kincher wrote:
> So, of course, it is looking for an HTTP string containing a negative
> content-length, i.e. "Content-Length: -1024".
>
> Here is an example of the data that apparently triggered this alert:
> --------
> HTTP/1.1 206 Partial Content..Server: Netscape-Enterprise/6.0..Date:
> Tue, 17 Aug 2004 16:09:46 GMT..Content-type: image/jpeg..Etag:
> "506d-70ab-411a9496"..Last-modified: Wed, 11 Aug 2004 21:50:14
> GMT..Content-length: 13019..Content-range: bytes 15824-28842/28843....
> --------
I highly doubt that the PCRE match is failing. If you compile snort
in debug mode and then use DEBUG_PATTERN_MATCH (16384), you will get
the pcre debugging messages and see for yourself how pcre is working
inside of snort.
-b
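As an added check that is not part of the thread (the code below is an editor's example, not Travis's or Brian's), the quoted rule's content and pcre options can be re-run against the quoted response outside Snort, using Python's re module, which supports the same s, m and i flags. The ".." line breaks in the archived dump are assumed to be CRLF, and the negative Content-Length request is a constructed sample. The result is that the content option matches the response (nocase covers "Content-length") but the pcre does not, which is consistent with Brian's expectation; it also flags that the quoted data begins with a status line, i.e. it is a server response, whereas flow:to_server only applies to client-to-server traffic.

```python
import re

# Options copied from Snort rule SID 2278 as quoted in the thread.
CONTENT = b"Content-Length:"  # content:"Content-Length|3A|"; nocase;
PCRE = re.compile(
    rb"^Content-Length\x3a\s*-\d+",  # pcre:"/^Content-Length\x3a\s*-\d+/smi"
    re.DOTALL | re.MULTILINE | re.IGNORECASE,
)

# Reconstruction of the response quoted in the thread. The ".." in the archive
# dump are assumed to be CRLF line endings (assumption, not stated on the page).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 206 Partial Content\r\n"
    b"Server: Netscape-Enterprise/6.0\r\n"
    b"Date: Tue, 17 Aug 2004 16:09:46 GMT\r\n"
    b"Content-type: image/jpeg\r\n"
    b'Etag: "506d-70ab-411a9496"\r\n'
    b"Last-modified: Wed, 11 Aug 2004 21:50:14 GMT\r\n"
    b"Content-length: 13019\r\n"
    b"Content-range: bytes 15824-28842/28843\r\n"
    b"\r\n"
)

# Constructed request of the kind the rule is written to catch.
NEGATIVE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: -1024\r\n"
    b"\r\n"
)


def content_matches(payload, needle=CONTENT):
    """Case-insensitive substring test, mirroring content + nocase."""
    return needle.lower() in payload.lower()


def pcre_matches(payload):
    """Return the matched bytes for the rule's pcre, or None if it does not match."""
    m = PCRE.search(payload)
    return m.group(0) if m else None


def is_server_response(payload):
    """True when the payload starts with an HTTP status line (server -> client).
    flow:to_server only considers client -> server packets, so such data is not
    on the side of the stream the rule inspects."""
    return payload.startswith(b"HTTP/")


def evaluate_rule(payload):
    """Return (content_hit, pcre_hit). Snort evaluates options in order, so the
    pcre is only tested once the content option has matched; both must be true
    for the rule to fire."""
    content_hit = content_matches(payload)
    pcre_hit = content_hit and pcre_matches(payload) is not None
    return content_hit, pcre_hit


if __name__ == "__main__":
    for name, payload in (("quoted response", SAMPLE_RESPONSE),
                          ("negative-length request", NEGATIVE_REQUEST)):
        content_hit, pcre_hit = evaluate_rule(payload)
        print(f"{name}: content={content_hit} pcre={pcre_hit} "
              f"server_response={is_server_response(payload)}")
```

Running the script prints content=True pcre=False for the quoted response and content=True pcre=True for the constructed request, so if Snort really logged the response shown, the alert was not produced by the pcre matching that data; Brian's DEBUG_PATTERN_MATCH suggestion is the way to see what Snort actually evaluated.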