Snort mailing list archives
RE: consensus on BASE
From: James Affeld <jamesaffeld () yahoo com>
Date: Thu, 1 Jun 2006 19:38:20 -0700 (PDT)
I love sguil. It makes it easy to get the information you most often want, and possible to get the rest - and it scales to millions of events.

--- snort-users-request () lists sourceforge net wrote:
Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. RE: consensus on BASE (John Hally)
2. Snort In-Line on a Linux host running as a Bridge (Sam Evans)
3. RE: [Snort-devel] Possible Evasion in http_inspect (Joel Ebrahimi)

--__--__--

Message: 1
From: John Hally <JHally () epnet com>
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] consensus on BASE
Date: Thu, 1 Jun 2006 08:22:16 -0400

I run both BASE and commercial Aanval. Aanval is a very good console for the price ($99/sensor) and has much more reporting features and such. I agree w/ the observations of sguil that it can be a pain to install.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John Newman
Sent: Friday, May 26, 2006 12:44 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] consensus on BASE

Is the consensus that BASE is the best web front-end for snort out there (and I mean free, open source stuff)? What are people's experiences with sguil (which I realize is not web based).

thanks,
--
John Newman
Systems Administrator, WebXess Inc.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--__--__--

Message: 2
Date: Thu, 1 Jun 2006 08:52:55 -0600
From: "Sam Evans" <wintrmte () gmail com>
To: "snort-users @lists.sourceforge.net" <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort In-Line on a Linux host running as a Bridge

All,

I was wondering if anyone has any documentation on using Snort In-Line on a Linux host acting as a bridge? I have never done this before (always use ip forwarding) but the project I am on is requiring that I bridge. If anyone can point me in the right direction, I would appreciate it.

Thx,
Sam

--__--__--

Message: 3
Date: Thu, 1 Jun 2006 09:19:58 -0700
From: "Joel Ebrahimi" <jebrahimi () demarc com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] RE: [Snort-devel] Possible Evasion in http_inspect

It doesn't appear that the email I sent out prior to this to both the devel list and users list ever made it through entirely (I see it on the marc mirror but I never got it sent to me and it never seems to have made it to users).
Since the bypass is trivial to implement I would hope that this patch could get reviewed by the devel/user community asap.
Reposting yesterday's message below.
----------------------------------------------------------
A large scale Snort evasion has been discovered by Blake Hartstein, a member of the Demarc Threat Research Team.

The evasion technique allows an attack to bypass detection of "uricontent" rules by adding a carriage return to the end of a URL, directly before the HTTP protocol declaration.

This affects thousands of rules in the standard Snort base rule sets.

Due to the seriousness of this vulnerability, we have developed a working patch for public review. See below.

This patch addresses the carriage return bug and should catch the known evasion attempts but further research needs to be done to determine if there are any other possible impacts of this bug. The detection for evasion is turned on by default under all profiles but can also be used as a server configuration option:

-----HTTP Inspect Server Configuration-----

non_std_cr <yes|no>

This option generates an alert when a non standard carriage return character is detected in the URI.

-----end-----

More information including a pre-patched tarball, a simple proof of concept, and a copy of this patch can be found at
http://www.demarc.com/support/downloads/patch_20060531
With the release of this information we have also released a fix to all our Sentarus customers. If your auto-updates are turned on, then a patch and all related updates have already been applied, or you can go into your Sentarus management console and request an immediate update.

// Joel

Joel Ebrahimi
Demarc Security, Inc.
jebrahimi () demarc com
http://www.demarc.com/

-----Patch for Snort-2.4.4--

diff -Nuar
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
---
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
= 2005-03-16 13:52:18.000000000 -0800 +++
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
= 2006-05-30 22:54:44.000000000 -0700 @@ -40,6 +40,7 @@ =20 #define URI_END 1 #define NO_URI -1 +#define CR_IN_URI 18=20 #define INVALID_HEX_VAL -1 =20 /** @@ -455,6 +456,11 @@ return URI_END; } =20 + if(isspace(**ptr) ) + { + return CR_IN_URI; + } + return NO_URI; } =20 @@ -1345,8 +1351,21 @@ */ break; } + else if(iRet =3D=3D CR_IN_URI) + { + =
if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert))
+ { + =
hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert,
+ NULL, NULL); + } + break; + } + + + else /* NO_URI */ { + /* ** Check for chunk encoding, because the delimiter = can ** also be a space, which would look like a = pipeline request diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
---
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
= 2004-03-11 14:25:53.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
2006-05-30 10:27:49.000000000 -0700 @@ -64,7 +64,9 @@ {HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY, HI_EO_CLIENT_PROXY_USE_STR }, {HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY, - HI_EO_CLIENT_WEBROOT_DIR_STR } + HI_EO_CLIENT_WEBROOT_DIR_STR }, + { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY, + HI_EO_CLIENT_CR_IN_URI_STR }, }; =20 static HI_EVENT_INFO = anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM] =3D { diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
---
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
= 2004-03-11 14:25:53.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
= 2006-05-25 13:01:08.000000000 -0700 @@ -24,13 +24,14 @@ #define HI_EO_CLIENT_LARGE_CHUNK 15 /* done */ #define HI_EO_CLIENT_PROXY_USE 16 /* done */ #define HI_EO_CLIENT_WEBROOT_DIR 17 /* done */ +#define HI_EO_CLIENT_CR_IN_URI 18 /* done */ =20 /* ** IMPORTANT: ** Every time you add a client event, this number must be ** incremented. */ -#define HI_EO_CLIENT_EVENT_NUM 18 +#define HI_EO_CLIENT_EVENT_NUM 19 =20 /* ** These defines are the alert names for each event @@ -71,6 +72,8 @@ "(http_inspect) UNAUTHORIZED PROXY USE DETECTED" #define HI_EO_CLIENT_WEBROOT_DIR_STR \ "(http_inspect) WEBROOT DIRECTORY TRAVERSAL" +#define HI_EO_CLIENT_CR_IN_URI_STR \ + "(http_inspect) NON-STD CARRIAGE RETURN IN URI" =20 /* ** Anomalous Server Events diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
---
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
= 2005-03-16 13:52:18.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
= 2006-05-30 09:44:18.000000000 -0700 @@ -113,6 +113,7 @@ HTTPINSPECT_CONF_OPT webroot; HTTPINSPECT_CONF_OPT apache_whitespace; HTTPINSPECT_CONF_OPT iis_delimiter; + HTTPINSPECT_CONF_OPT non_std_cr; =20 } HTTPINSPECT_CONF; =20 diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
fig.c --- =
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
= 2005-03-16 13:52:19.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
fig.c 2006-05-30 23:00:25.000000000 -0700 @@ -117,6 +117,9 @@ =20 GlobalConf->global_server.non_strict =3D 1; =20 + GlobalConf->global_server.non_std_cr.on =3D 1; + GlobalConf->global_server.non_std_cr.alert =3D 1; + return HI_SUCCESS; } =20 @@ -209,6 +212,9 @@ =20 ServerConf->tab_uri_delimiter =3D 1; =20 + ServerConf->non_std_cr.on =3D 1; + ServerConf->non_std_cr.alert =3D 1; + return HI_SUCCESS; } =20 @@ -279,6 +285,9 @@ =20 ServerConf->non_strict =3D 1; =20 + ServerConf->non_std_cr.on =3D 1; + ServerConf->non_std_cr.alert =3D 1; + return HI_SUCCESS; } =20 @@ -349,6 +358,9 @@ =20 ServerConf->tab_uri_delimiter =3D 1; =20 + ServerConf->non_std_cr.on =3D 1; + ServerConf->non_std_cr.alert =3D 1; + return HI_SUCCESS; } =20 diff -Nuar snort-2.4.4/src/preprocessors/snort_httpinspect.c =
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
--- snort-2.4.4/src/preprocessors/snort_httpinspect.c 2005-08-23 = 08:52:19.000000000 -0700 +++
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
2006-05-30 = 10:33:54.000000000 -0700 @@ -134,6 +134,7 @@ #define GLOBAL_ALERT "no_alerts" #define WEBROOT "webroot" #define TAB_URI_DELIMITER "tab_uri_delimiter" +#define NON_STD_CR "non_std_cr" =20 /* ** Alert subkeywords @@ -1449,6 +1450,15 @@ return iRet; } } + else if(!strcmp(NON_STD_CR, pcToken)) + { + ConfOpt =3D &ServerConf->non_std_cr; + if((iRet =3D ProcessConfOpt(ConfOpt, NON_STD_CR, + ErrorString, ErrStrLen))) + { + return iRet; + } + } else if(!strcmp(IIS_BACKSLASH, pcToken)) { ConfOpt =3D &ServerConf->iis_backslash; @@ -1583,6 +1593,7 @@ PrintConfOpt(&ServerConf->webroot, "Web Root Traversal"); PrintConfOpt(&ServerConf->apache_whitespace, "Apache WhiteSpace"); PrintConfOpt(&ServerConf->iis_delimiter, "IIS Delimiter"); + PrintConfOpt(&ServerConf->non_std_cr, "Non-Std Carriage Return"); =20 if(ServerConf->iis_unicode_map_filename) { =20 -----end----- =20-----Original Message----- 
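Review bot: in the first hi_client.c hunk (@@ -40,6 +40,7 @@) the new scanner return code `#define CR_IN_URI 18` sits next to `URI_END 1` and `NO_URI -1` but borrows the value of the event number `HI_EO_CLIENT_CR_IN_URI 18` from hi_eo_events.h; the two are different namespaces (a delimiter-search result versus an index into the client event table), and giving them the same number invites exactly the mix-up that appears later in the patch where an alert flag is passed where an event id belongs. Use a small distinct value such as 2 and keep the event id only in hi_eo_events.h.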
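Review bot: the check added in hi_client.c at @@ -455,6 +456,11 @@, `if(isspace(**ptr) )`, hands a plain `char` to a ctype function; where `char` is signed, any URI byte of 0x80 or above becomes a negative argument, which is undefined behaviour for isspace(). Cast first: `if(isspace((unsigned char)**ptr))`. The same test also matches every whitespace class (tab, LF, VT, FF), not only CR, yet the return code and the alert text both say "carriage return"; either narrow it to `**ptr == '\r'` or name the code and alert after non-standard whitespace. And because the test is placed ahead of `return NO_URI;`, any whitespace the earlier URI_END logic did not consume now short-circuits the NO_URI path, which the @@ -1345 hunk's own comment says exists because "the delimiter can also be a space, which would look like a pipeline request"; confirm the plain-space case is fully handled above this point, otherwise that chunk-encoding check is skipped.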
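Review bot: the new `else if(iRet == CR_IN_URI)` branch in hi_client.c at @@ -1345,8 +1351,21 @@ logs the wrong event. `hi_eo_client_event_log(Session, ServerConf->non_std_cr.alert, NULL, NULL)` passes the alert on/off flag (set to 1 by the hi_ui_config.c hunks) in the event-id position, so the entry picked from the client event table is the one at index 1, not the HI_EO_CLIENT_CR_IN_URI entry this patch registers in hi_eo_events.h and hi_eo_log.c; nothing in the patch references HI_EO_CLIENT_CR_IN_URI at all. Keep `hi_eo_generate_event(Session, ServerConf->non_std_cr.alert)` as the gate and log with `hi_eo_client_event_log(Session, HI_EO_CLIENT_CR_IN_URI, NULL, NULL)`. Also worth stating in the description: the branch only alerts and then `break`s; it does not mark the carriage return as the end of the URI, so uricontent rules still see no URI for such a request and this single alert is the only signal the sensor produces.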
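Review bot: the four hi_ui_config.c hunks (@@ -117, -209, -279, -349) initialise `non_std_cr.on = 1`, but no hunk in this patch ever reads `.on`: hi_client.c gates solely on `non_std_cr.alert`. Whether the documented `non_std_cr no` switches anything off therefore depends entirely on ProcessConfOpt also clearing `.alert` for "no"; if it only clears `.on`, the option is a no-op. Either test `ServerConf->non_std_cr.on` before the isspace() check in hi_client.c or drop the `.on` initialisers. Since the Sourcefire note quoted below limits the evasion to the Apache profile, the description should also say why the check is defaulted on for every profile, including the IIS ones.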
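Review bot: the snort_httpinspect.c hunks route `non_std_cr` through ProcessConfOpt exactly like `iis_backslash`, so it accepts the same alert subkeywords listed under the "Alert subkeywords" comment right below the new `#define NON_STD_CR`, but the configuration text above documents only `non_std_cr <yes|no>`. Document the subkeyword form too, and add the keyword, its default and the new "(http_inspect) NON-STD CARRIAGE RETURN IN URI" alert to the http_inspect README, since an option that only shows up as "Non-Std Carriage Return" in the PrintConfOpt output will otherwise go unexplained to operators.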
From: snort-devel-admin () lists sourceforge net [mailto:snort-devel-admin () lists sourceforge net] On Behalf Of Jennifer Steffens
Sent: Wednesday, May 31, 2006 3:28 PM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Possible Evasion in http_inspect

Sourcefire is aware of a possible Snort evasion that exists in the http_inspect preprocessor. This evasion case only applies to protected Apache web servers. We have prepared fixes for both the 2.4 and 2.6 branches and will have fully tested releases, including binaries, available for both on Monday, June 5th.

Evasion Details:

The Apache web server supports special characters in HTTP requests that do not affect the processing of the particular request. The current target-based profiles for Apache in the http_inspect preprocessor do not properly handle these requests, resulting in the possibility that an attacker can bypass detection of rules that use the "uricontent" keyword by embedding special characters in a HTTP request.

Background Information:

It is important to note that this is an evasion and not a vulnerability. This means that while it is possible for an attacker to bypass detection, Snort sensors and the networks they protect are not at a heightened risk of other attacks.

Timeline:

Sourcefire has prepared fixes and is currently finalizing a complete round of testing to ensure that the fixes not only solve the issue at hand but do not create new bugs as well. The following releases, including binaries for Linux and Windows deployments, will be available on Monday, June 5th:

* Snort v2.4.5
* Snort v2.6.0 final

Questions:

Any questions regarding these releases can be sent to snort-team () sourcefire com.

Thanks,
Jennifer

--
Jennifer S. Steffens
Director, Product Management - Snort
Sourcefire - Security for the Real World
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
End of Snort-users Digest
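The evasion described in the Demarc advisory quoted in the digest above, worked through as an added example. This is illustrative code written for this page; it is neither Snort's hi_client.c nor Demarc's patch. It models the request-line scan the advisory and patch describe (a carriage return between the URL and the HTTP/x.y token leaves the inspector with no URI, so a uricontent pattern never matches) next to a hardened scan that ends the URI at any whitespace byte and raises the anomaly, and compares both with a lenient server's reading of the same bytes. The two sample requests, the rule pattern, the server model and the return-code names borrowed from the patch (URI_END, NO_URI, CR_IN_URI) are all constructed assumptions.

```python
# Added example (not Snort code): a model of the CR-before-protocol evasion.
# Sample requests, rule pattern and server model below are constructed.

# Return codes mirroring the patch: URI_END / NO_URI exist in hi_client.c,
# CR_IN_URI is the value the patch introduces. Values here are our own.
URI_END, NO_URI, CR_IN_URI = 1, -1, 2

# Bytes that C isspace() accepts in the "C" locale; the patch's new check
# uses isspace(), so the hardened scanner below matches the same set.
ISSPACE = set(b" \t\n\v\f\r")

# Constructed sample traffic: a clean request and the same request with a
# CR appended to the URL, directly before the protocol declaration.
NORMAL = b"GET /cgi-bin/evil.cgi?cmd=id HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
EVASION = b"GET /cgi-bin/evil.cgi?cmd=id\r HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
RULE_URICONTENT = b"/cgi-bin/evil.cgi"   # what a uricontent:"..." rule looks for


def request_line(request):
    """First line of the request, without the terminating LF."""
    return request.split(b"\n", 1)[0]


def server_view(request):
    """Model of a lenient (Apache-style) server: split the request line on
    any whitespace run. A stray CR before 'HTTP/1.0' is simply skipped, so
    the server serves the same URI for the evasion as for the clean request.
    Assumption: this mirrors the behaviour the Sourcefire note describes,
    it is not Apache's own parser."""
    parts = request_line(request).split()
    return parts[1] if len(parts) == 3 else None


def find_uri_end_vulnerable(line, start):
    """Model of the pre-patch delimiter search: only a space followed by
    'HTTP/' ends the URI; reaching CR or LF first is taken as 'request line
    over, no protocol token', i.e. NO_URI and no URI buffer to inspect."""
    for i in range(start, len(line)):
        c = line[i]
        if c == 0x20 and line[i + 1:i + 6] == b"HTTP/":
            return URI_END, i
        if c in (0x0D, 0x0A):
            return NO_URI, i
    return NO_URI, len(line)


def find_uri_end_hardened(line, start):
    """Any whitespace byte ends the URI. A non-space whitespace byte is
    reported as CR_IN_URI so the caller can alert AND still keep the URI,
    which is what makes uricontent rules fire again."""
    for i in range(start, len(line)):
        c = line[i]
        if c in ISSPACE:
            return (URI_END if c == 0x20 else CR_IN_URI), i
    return NO_URI, len(line)


def extract_uri(request, finder):
    """Inspector side: returns (uri or None, alert text or None)."""
    line = request_line(request)
    sp = line.find(b" ")
    if sp < 0:
        return None, None
    start = sp + 1
    code, end = finder(line, start)
    if code == NO_URI:
        return None, None
    alert = "NON-STD CARRIAGE RETURN IN URI" if code == CR_IN_URI else None
    return line[start:end], alert


def uricontent_match(uri, pattern):
    """A uricontent rule can only match a URI the preprocessor produced."""
    return uri is not None and pattern in uri


def verdict(request, finder, pattern=RULE_URICONTENT):
    """One verdict per request: the URI seen, whether the rule fires, and
    whether an anomaly alert is raised."""
    uri, alert = extract_uri(request, finder)
    return {"uri": uri, "rule_hit": uricontent_match(uri, pattern), "alert": alert}


if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("evasion", EVASION)):
        print(name, "server sees", server_view(req))
        print("  vulnerable:", verdict(req, find_uri_end_vulnerable))
        print("  hardened:  ", verdict(req, find_uri_end_hardened))
```

Run stand-alone, the vulnerable scan returns no URI for the second request while the server model serves exactly the URI it served for the first, which is the whole evasion. The hardened scan both raises the alert and hands the URI on for matching; that second half is the part the posted patch's CR_IN_URI branch does not do, since it alerts and breaks without producing a URI.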
Current thread:
- consensus on BASE John Newman (May 26)
- Re: consensus on BASE Paul Schmehl (May 26)
- <Possible follow-ups>
- RE: consensus on BASE Drew Burchett (May 27)
- Re: consensus on BASE Bamm Visscher (May 27)
- RE: consensus on BASE Michael Scheidell (May 27)
- Re: consensus on BASE Bamm Visscher (May 27)
- RE: consensus on BASE John Hally (Jun 01)
- RE: consensus on BASE James Affeld (Jun 01)