Snort mailing list archives
RE: http_decode vs. alerts
From: Steve Halligan <agent33 () geeksquad com>
Date: Mon, 1 Oct 2001 15:36:08 -0500
One more thing. One could use unicode to obfuscate a lot more than just directory traversal attacks. We should catch these obfuscations with the signature engine rather than having to re-write the unicode plugin each time a new variant turns up.
I don't really care how I get there, but I'd like to get to the point where all my alerts go to the same place. Can I apply my custom actions to the preprocessor? Should I just remove the http_decode lines and just accept the fact that I'll miss Unicode-obfuscated attacks? Is there another option that I've missed?

This brings up another question I have. Does the data that the various decode and defrag preprocessors decode or defrag get put through the signature matching engine after decoding or defragging? If so, why do the http and unicode spp's have their own alerts that relate to stuff that could be caught by a signature after decoding?

For example: I send an http get like this:

GET /../../../winnt/cmd.exe

It would trip one of a number of signatures. Directory Traversal, cmd.exe access, whatever.

I send an http get like this:

GET /..%5c..%5cwinnt/cmd.exe

It would decode it to:

GET /../../winnt/cmd.exe

Which would trip the same signatures as above. But that is not what happens. It trips an alert in spp_unicode and that is it. This spp_unicode alert cannot be altered, sent to a different alert mech, or turned off without disabling the entire spp_unicode spp. Why doesn't it just decode it, and put it through the signature engine? I believe this is the way spp_defrag works. It only sends up a special alert of its own when something specifically relating to fragments happens. The reassembled packet is pushed through the signature engine like any other packet for content checking.

-Steve
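The decode-then-match flow described in the post above, as an added example that is not code from the thread or from the Snort project: a constructed URI normalizer in the spirit of http_decode (%XX, double-encoded %25XX, IIS-style %uXXXX, backslash-to-slash) feeding a tiny stand-in for the content matcher. The two signature names and contents are constructed placeholders, not Snort's real rule set.

```python
import re
from urllib.parse import unquote

# Constructed stand-ins for Snort content rules (assumption, not real Snort signatures).
SIGNATURES = [
    ("WEB-MISC directory traversal", "../"),
    ("WEB-IIS cmd.exe access", "cmd.exe"),
]

_UENC = re.compile(r"%u([0-9a-fA-F]{4})")


def normalize_uri(uri: str) -> str:
    """Decode a request URI the way an http_decode-style preprocessor would.

    Two passes so that double encoding (%255c -> %5c -> \\) is unwrapped; each
    pass handles %XX and then IIS-style %uXXXX, and backslashes become slashes
    so that ..\\ and ../ compare equal for content matching.
    """
    s = uri
    for _ in range(2):
        s = unquote(s)
        s = _UENC.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s.replace("\\", "/")


def match_signatures(uri: str, decode: bool = True) -> list:
    """Return the names of signatures whose content appears in the URI.

    With decode=True the URI is normalized first, which is the behaviour the
    post argues for; decode=False shows what a raw content match would see.
    """
    haystack = normalize_uri(uri) if decode else uri
    return [name for name, content in SIGNATURES if content in haystack]


if __name__ == "__main__":
    # Constructed sample requests mirroring the ones in the post.
    for req in ("GET /../../../winnt/cmd.exe",
                "GET /..%5c..%5cwinnt/cmd.exe",
                "GET /..%255c..%255cwinnt/cmd.exe",
                "GET /..%u005c..%u005cwinnt/cmd.exe"):
        print(req, "->", normalize_uri(req), match_signatures(req))
```

With decoding off, the encoded variants still match only the literal "cmd.exe" content, which is exactly the gap the post complains about.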