Snort mailing list archives
Re: Falses on 2011032/ET SCAN HTTP POST invalid method case?
From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 23 Mar 2012 11:09:40 -0400
Can you send a pcap? That will help isolate any segmentation issues.

On Thu, Mar 22, 2012 at 4:02 PM, livio Ricciulli <livio () metaflows com> wrote:
PF_RING hashes the packet header and load balances according to the 5-tuple. I do not think PF_RING is causing this issue. If it was, nothing else would work.

On 03/22/2012 06:32 AM, Packet Hack wrote:

I seem to be getting falses on this where the HTTP headers are not present, but a non-all-upcase 'post' appears in the body.

1) I would think that a 'post' not at the beginning of the packet wouldn't get flagged as an HTTP method.

2) I'm doing load-balancing with the PF_RING DAQ and I was wondering if perhaps that would chop up the flows so different snort processes would get chunks from the same TCP stream, so the snort process that received this packet wouldn't know it wasn't the first packet in the stream. However, I'm also seeing this on a non-PF_RING-enabled host.

Snort info:
- version 2.9.2.1
- configure flags: CFLAGS="-O2 -I/opt/local/include" LDFLAGS="-L/opt/local/lib -Wl,-rpath=/opt/local/lib" ./configure --prefix=/opt/pf --enable-ipv6 --enable-zlib --enable-reload --enable-flexresp3 --with-libpfring-includes=/opt/local/include --with-libpfring-libraries=/opt/local/lib --enable-perfprofiling
- 1 PFRING-enabled sensor:
  uname -a: Linux <server name> 2.6.38-13-server #52-Ubuntu SMP Tue Nov 8 17:11:08 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
  CL: /opt/local/bin/snort -i eth5 --daq-dir=/opt/local/lib/daq --daq pfring --daq-var clusterid=44 --daq-var bindcpu=3 -c /etc/snort/ufirt-snort-pf-ewan.conf -l /var/log/snort3 -R 3
  Rules: 2865 ET and local rules
- 1 non-PFRING-enabled sensor:
  uname -a: Linux <server name> 2.6.32-33-server #72-Ubuntu SMP Fri Jul 29 21:21:55 UTC 2011 x86_64 GNU/Linux
  CL: /opt/local/bin/snort -D -i eth1 --daq-dir=/opt/local/lib/daq --daq pcap --daq-var clusterid=44 --daq-var bindcpu=1 -c /etc/snort/ufirt-snort-pf.conf -l /var/log/snort1 -R 1
  Rules: 3452 ET and local rules

Offending rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP POST invalid method case"; flow:established,to_server; content:"post"; http_method; nocase; content:!"POST"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown; sid:2011032; rev:4;)

Actual text has been replaced with "<text>". Please let me know if you need anything else.

-- pckthck

-------------------- Payloads --------------------

ET SCAN HTTP POST invalid method case
<text>
------WebKitFormBoundaryPDAhvzaUEdiWukiR
Content-Disposition: form-data; name="format"
1
------WebKitFormBoundaryPDAhvzaUEdiWukiR
Content-Disposition: form-data; name="subscribe"
1
------WebKitFormBoundaryPDAhvzaUEdiWukiR
Content-Disposition: form-data; name="attachment"; filename=""
------WebKitFormBoundaryPDAhvzaUEdiWukiR
Content-Disposition: form-data; name="submitbutton"
Post to forum
------WebKitFormBoundaryPDAhvzaUEdiWukiR--

ET SCAN HTTP POST invalid method case
Post to forum
------WebKitFormBoundarynriRWnylbxwtaofB--

ET SCAN HTTP POST invalid method case
77098235644401115438165
Content-Disposition: form-data; name="message"
<text>
-----------------------------20072377098235644401115438165
Content-Disposition: form-data; name="format"
1
-----------------------------20072377098235644401115438165
Content-Disposition: form-data; name="subscribe"
0
-----------------------------20072377098235644401115438165
Content-Disposition: form-data; name="attachment"; filename=""
Content-Type: application/octet-stream
-----------------------------20072377098235644401115438165
Content-Disposition: form-data; name="submitbutton"
Post to forum
-----------------------------20072377098235644401115438165--

ET SCAN HTTP POST invalid method case
4414578508781458777923
Content-Disposition: form-data; name="menu-item-description[44]"
-----------------------------10102754414578508781458777923
Content-Disposition: form-data; name="menu-item-db-id[44]"
44
-----------------------------10102754414578508781458777923
Content-Disposition: form-data; name="menu-item-object-id[44]"
43
-----------------------------10102754414578508781458777923
Content-Disposition: form-data; name="menu-item-object[44]"
page
-----------------------------10102754414578508781458777923
Content-Disposition: form-data; name="menu-item-parent-id[44]"
0
-----------------------------10102754414578508781458777923
Content-Disposition: form-data; name="menu-item-position[44]"
3
-----------------------------10102754414578508781458777923
Content-Disposition: form-data; name="menu-item-type[44]"
post_type
-----------------------------10102754414578508781458777923
Content-Disposition: form-data; name="save_menu"
Save Menu
-----------------------------10102754414578508781458777923
Content-Disposition: form-data; name="menu-locations[primary]"
3
-----------------------------10102754414578508781458777923--

------------------------------------------------------------------------------
This SF email is sponsored by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
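The thread turns on two points: what the rule's pair of http_method tests actually asserts (a method containing "post" in any case, but not the exact upper-case "POST"), and whether a sensor that receives a mid-stream segment could end up evaluating body bytes as if they were a request line. The script below is an added illustration, not code from the thread, from Snort, or from Emerging Threats. It models the method buffer with a deliberately strict request-line parser, evaluates the rule's two content tests on constructed segments (the hostnames, boundary string and form contents are made up, not taken from the reported pcap), and adds a direction-independent 5-tuple key of the kind livio Ricciulli describes, so both halves of a TCP conversation hash to one worker. It does not reproduce Snort's real http_inspect or stream5 behaviour; it only shows what the rule is supposed to fire on and why a segment that does not begin with a request line should not reach that check.

```python
import hashlib
import re

# Rule under discussion (sid:2011032), reduced to its two method-buffer tests:
#   content:"post"; http_method; nocase;   -> case-insensitive "post" present
#   content:!"POST"; http_method;          -> exact upper-case "POST" absent

# Strict request-line shape: METHOD SP target SP HTTP/1.x CRLF at offset 0.
REQUEST_LINE = re.compile(rb"^([A-Za-z]+) (\S+) HTTP/1\.[01]\r\n")


def extract_method(segment: bytes):
    """Model of an HTTP inspector's method buffer. Only a segment that starts
    with a well-formed request line yields a method; a mid-stream body chunk
    (a multipart boundary, a form field such as "Post to forum") yields None
    and therefore never reaches the rule's http_method tests."""
    m = REQUEST_LINE.match(segment)
    return m.group(1) if m else None


def rule_2011032_fires(method):
    """Apply the rule's two content tests to the extracted method buffer."""
    if method is None:
        return False
    return b"post" in method.lower() and b"POST" not in method


def flow_key(src_ip, src_port, dst_ip, dst_port, proto=6):
    """Direction-independent 5-tuple key: the smaller (ip, port) pair is put
    first so client->server and server->client segments share one key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (proto, lo, hi)


def worker_for(key, workers):
    """Map a flow key to one of `workers` sensor processes (constructed hash,
    not PF_RING's own hash function)."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % workers


# Constructed sample segments; <text> stands in for a message body as in the thread.
SEGMENTS = {
    "proper_post": b"POST /mod/forum/post.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "mixed_case": b"Post /mod/forum/post.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "mid_stream_body": (
        b"------WebKitFormBoundaryEXAMPLE\r\n"
        b'Content-Disposition: form-data; name="submitbutton"\r\n\r\n'
        b"Post to forum\r\n"
        b"------WebKitFormBoundaryEXAMPLE--\r\n"
    ),
}


def evaluate_all():
    """Return {segment name: whether the modelled rule fires}."""
    return {name: rule_2011032_fires(extract_method(seg)) for name, seg in SEGMENTS.items()}


def same_worker_both_directions(workers=4):
    """True if both directions of one TCP connection land on the same worker."""
    c2s = flow_key("10.0.0.5", 51234, "192.0.2.10", 80)
    s2c = flow_key("192.0.2.10", 80, "10.0.0.5", 51234)
    return worker_for(c2s, workers) == worker_for(s2c, workers)


if __name__ == "__main__":
    for name, fired in evaluate_all().items():
        print(f"{name:16s} alert={fired}")
    print("both directions on one worker:", same_worker_both_directions())
```

Two of the reported payloads begin part-way through a boundary string ("77098235644401115438165", "4414578508781458777923"), which is what a segment that is not the first of its stream looks like; the pcap Russ Combs asks for is the way to confirm whether the sensor saw the stream's start, and this model shows that a segment without a request line at offset 0 should produce no method to test.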
Current thread:
- Falses on 2011032/ET SCAN HTTP POST invalid method case? Packet Hack (Mar 22)
- Re: Falses on 2011032/ET SCAN HTTP POST invalid method case? livio Ricciulli (Mar 22)
- Re: Falses on 2011032/ET SCAN HTTP POST invalid method case? Russ Combs (Mar 23)
- Re: Falses on 2011032/ET SCAN HTTP POST invalid method case? Packet Hack (Mar 26)
- Re: Falses on 2011032/ET SCAN HTTP POST invalid method case? Russ Combs (Mar 23)
- Re: Falses on 2011032/ET SCAN HTTP POST invalid method case? livio Ricciulli (Mar 22)