Snort mailing list archives
Re: BUG: corner case involving http_cookie
From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 24 Mar 2010 13:50:35 -0500
You guys may not care but I found this sort of interesting. From what I have seen, the way snort normally deals with invalid content/modifier combinations is that it will attempt to apply the specified modifier to the last content match specified in the rule that it considers valid. If no previous content match it considers valid can be found it errors out with some error like.... "please specify a content match" or something. With the exception of http_uri, it appears that if you wedge a uricontent match between http_* and a valid previous content match, the keyword is simply ignored. So while I realize there is no valid use case here, this behavior is inconsistent with the way that snort tries to silently fix typos.

Regards,

Will

#test 69 http_cookie. uricontent
#:::69:::N:::uricontent,http_cookie:::oisfsearchnums.pcap:::http_cookie.rules:::69
#very odd the following sig fails if depth is used in combination with a http_cookie modifier with uricontent wedged in-between. If http_cookie is moved to the other side of the uricontent match the sig fires or if the depth/offset modifier is removed the sig fires. It appears as if in this corner case http_cookie is ignored. This behavior differs from most content modifiers as it is ignored instead of applied to a valid previous match.
#
#file oisfsearchnums.pcap
#alert tcp any any -> any any (msg:"e6504ae48c99f09df7f58996aacbb6b0 with uricontent + http_cookie"; content:"e6504ae48c99f09df7f58996aacbb6b0"; offset:563; depth:32; uricontent:"/index.php/component/search/index.php"; http_cookie; classtype:bad-unknown; sid:69; rev:1;)
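A lint check for the rule shape described in the message above, as an added example that is not part of the original post or of Snort's code: it flags any http_* modifier whose nearest preceding pattern option is uricontent rather than content. The function names, the treatment of every option starting with http_ as a modifier, and the reordered rule variant are assumptions made for this example.

```python
# Options that introduce a pattern; a later http_* modifier refers back to one.
PATTERN_OPTS = {"content", "uricontent"}

# The rule from the message (sid:69), plus a constructed variant with http_cookie
# moved to the other side of the uricontent match, as the message describes.
HEAD = ('alert tcp any any -> any any (msg:"e6504ae48c99f09df7f58996aacbb6b0 with '
        'uricontent + http_cookie"; content:"e6504ae48c99f09df7f58996aacbb6b0"; '
        'offset:563; depth:32; ')
URI = 'uricontent:"/index.php/component/search/index.php"; '
TAIL = 'classtype:bad-unknown; sid:69; rev:1;)'
RULE_FROM_POST = HEAD + URI + 'http_cookie; ' + TAIL
RULE_REORDERED = HEAD + 'http_cookie; ' + URI + TAIL

def split_options(rule):
    """Return [(name, value)] for the options inside the rule's parentheses."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end <= start:
        raise ValueError("no option body found")
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in rule[start + 1:end]:
        # A ';' ends an option only outside quotes and when not backslash-escaped.
        if ch == ";" and not in_quote and not escaped:
            name, _, value = "".join(buf).strip().partition(":")
            if name:
                opts.append((name.strip(), value.strip()))
            buf = []
            continue
        buf.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
    return opts

def misplaced_http_modifiers(rule):
    """List (modifier, uricontent value) pairs where http_* follows uricontent."""
    findings, last_pattern = [], None
    for name, value in split_options(rule):
        if name in PATTERN_OPTS:
            last_pattern = (name, value)
        elif name.startswith("http_") and last_pattern and last_pattern[0] == "uricontent":
            findings.append((name, last_pattern[1]))
    return findings

if __name__ == "__main__":
    for label, rule in (("from post", RULE_FROM_POST), ("reordered", RULE_REORDERED)):
        print(label, misplaced_http_modifiers(rule))
```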