Snort mailing list archives
Re: [AUTO IP] Re: Question about content
From: Matt Olney <molney () sourcefire com>
Date: Tue, 1 Dec 2009 14:29:53 -0500
One of the list members asked a question about why I chose to add the "nocase" modifier to the http_method content match. I thought it was a pretty quality question, so I'm pasting my answer here:

"We constrain to buffers, in this case the http_method buffer, to avoid false positives and to increase the speed of detection. This is because the data in the buffer is shorter and we know that we're looking in that data. We nocase to avoid false negatives. For example:

[molney@vrt-app-01 ~]$ telnet www.sourcefire.com 80
Trying 68.177.102.22...
Connected to www.sourcefire.com (68.177.102.22).
Escape character is '^]'.
get
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

We spend a lot of time working out evasion cases. It is very, very trivial in many cases to subtly adjust the attack to work with the server and bypass detection. This involves a lot of core body knowledge in the protocols (bmc and phoo are particularly strong in this area) and some testing. An interesting aside:

[molney@vrt-app-01 whitehat]$ telnet www.sourcefire.com 80
Trying 68.177.102.22...
Connected to www.sourcefire.com (68.177.102.22).
Escape character is '^]'.
gEt
<html><body><h1>500 Internal Server Error</h1></body></html>Connection closed by foreign host.

[molney@vrt-app-01 whitehat]$ telnet www.sourcefire.com 80
Trying 68.177.102.22...
Connected to www.sourcefire.com (68.177.102.22).
Escape character is '^]'.
Get
<html><body><h1>500 Internal Server Error</h1></body></html>Connection closed by foreign host.

We never trust a server to behave in the manner that the RFCs require, nor do we anticipate that clients will only act in the manner the RFCs outline. In fact, our experience shows that there are very few circumstances where vendors are completely RFC compliant and RFC restricted.
Hope that answers your question,
Matt"
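The two points in the post (constraining the match to the http_method buffer to avoid false positives, and adding nocase to avoid false negatives on method spellings like "get" or "gEt") can be seen side by side in a small matcher. The following is an added illustration, not code from the post or from Snort: it models the http_method buffer as the first token of the request line (a simplification of what Snort's HTTP normalizer actually does), and the three request payloads are constructed for the demonstration. The rule fragments in the comments use real Snort 2.x syntax.

```python
"""Toy model of Snort-style content matching with and without buffer
constraints and the nocase modifier.

Rule fragments being modelled (Snort 2.x syntax):
    content:"GET";                       -> case-sensitive, whole payload
    content:"GET"; http_method;          -> case-sensitive, method buffer only
    content:"GET"; http_method; nocase;  -> case-insensitive, method buffer only
"""


def http_method_buffer(payload: bytes) -> bytes:
    """Return what this toy treats as the http_method buffer: the request
    line's first token, up to the first space or end of line.

    Assumption: the real Snort http_inspect normalizer is more involved;
    this is only enough to show the effect of constraining the match."""
    request_line = payload.split(b"\r\n", 1)[0]
    return request_line.split(b" ", 1)[0]


def content_match(buf: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """A content match: substring search, optionally case-insensitive."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def rule_matches(payload: bytes, pattern: bytes,
                 http_method: bool = False, nocase: bool = False) -> bool:
    """Evaluate one content match against either the whole payload or the
    http_method buffer, with or without nocase."""
    buf = http_method_buffer(payload) if http_method else payload
    return content_match(buf, pattern, nocase)


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # RFC-style method spelling: every variant should match.
    "rfc_get": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Mixed-case method, as in the post's telnet session: a case-sensitive
    # match misses it (false negative); nocase catches it.
    "mixed_case": b"gEt /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # "GET" appears in the URI, not as the method: an unconstrained match
    # fires (false positive); the http_method-constrained match does not.
    "get_in_uri": b"POST /GET/report HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def evaluate(payload: bytes, pattern: bytes = b"GET") -> dict:
    """Return the outcome of the three rule variants for one payload."""
    return {
        "payload_only": rule_matches(payload, pattern),
        "http_method": rule_matches(payload, pattern, http_method=True),
        "http_method_nocase": rule_matches(payload, pattern,
                                           http_method=True, nocase=True),
    }


def demo() -> dict:
    """Evaluate every constructed sample; handy for eyeballing the table."""
    return {name: evaluate(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```

Running it shows the trade-off the post describes: only the http_method plus nocase variant is both true on the "gEt" request and false on the request whose URI merely contains "GET".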
Current thread:
- Re: Question about content, (continued)
- Re: Question about content Matt Olney (Dec 01)
- Re: Question about content evilghost () packetmail net (Dec 01)
- Re: Question about content Nigel Houghton (Dec 01)
- Re: Question about content Chris Jacob (Dec 01)
- Re: Question about content Matt Olney (Dec 01)
- Re: Question about content evilghost () packetmail net (Dec 01)
- Re: Question about content Alex Kirk (Dec 01)
- Re: Question about content Matt Olney (Dec 01)
- Re: Question about content Paul Schmehl (Dec 01)
- Re: [AUTO IP] Re: Question about content evilghost () packetmail net (Dec 01)
- Re: [AUTO IP] Re: Question about content Paul Schmehl (Dec 01)
- Re: [AUTO IP] Re: Question about content Matt Olney (Dec 01)
- Re: [AUTO IP] Re: [AUTO IP] Re: Question about content evilghost () packetmail net (Dec 01)