Snort mailing list archives

Re: Falses on 2011032/ET SCAN HTTP POST invalid method case?


From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 23 Mar 2012 11:09:40 -0400

Can you send a pcap?  That will help isolate any segmentation issues.

On Thu, Mar 22, 2012 at 4:02 PM, livio Ricciulli <livio () metaflows com> wrote:

PF_RING hashes the packet header and load balances according to the
5-tuple. I do not think PF_RING is causing this issue. If it was,
nothing else would work.

On 03/22/2012 06:32 AM, Packet Hack wrote:
I seem to be getting falses on this where the HTTP headers
are not present, but a non-all-upcase 'post' appears in the
body.

1) I would think that a 'post' not at the beginning of the packet
   wouldn't get flagged as an HTTP method

2) I'm doing load-balancing with the PF_RING DAQ and I
    was wondering if perhaps that would chop up the flows
    so different snort processes would get chunks from the
    same TCP stream, so the snort process that received this
    packet wouldn't know it wasn't the first packet in the stream.
    However, I'm also seeing this on a non-PF_RING-enabled
    host.

Snort info:

  - version 2.9.2.1

  - configure flags: CFLAGS="-O2 -I/opt/local/include"
    LDFLAGS="-L/opt/local/lib -Wl,-rpath=/opt/local/lib" ./configure
    --prefix=/opt/pf --enable-ipv6 --enable-zlib --enable-reload
    --enable-flexresp3  --with-libpfring-includes=/opt/local/include
    --with-libpfring-libraries=/opt/local/lib --enable-perfprofiling

  - 1 PFRING-enabled sensor:
     uname -a:
       Linux <server name>
       2.6.38-13-server #52-Ubuntu SMP Tue Nov 8 17:11:08 UTC 2011
       x86_64 x86_64 x86_64 GNU/Linux
     CL:
       /opt/local/bin/snort -i eth5 --daq-dir=/opt/local/lib/daq --daq
       pfring --daq-var clusterid=44 --daq-var bindcpu=3
       -c /etc/snort/ufirt-snort-pf-ewan.conf -l /var/log/snort3 -R 3
     Rules: 2865 ET and local rules

  - 1 non-PFRING-enabled sensor:
     uname -a:
       Linux <server name> 2.6.32-33-server #72-Ubuntu SMP
       Fri Jul 29 21:21:55 UTC 2011 x86_64 GNU/Linux
     CL:
       /opt/local/bin/snort -D -i eth1 --daq-dir=/opt/local/lib/daq
       --daq pcap --daq-var clusterid=44 --daq-var bindcpu=1
       -c /etc/snort/ufirt-snort-pf.conf -l /var/log/snort1 -R 1
     Rules: 3452 ET and local rules

Offending rule:

  alert tcp $EXTERNAL_NET any ->  $HOME_NET $HTTP_PORTS (msg:"ET SCAN
  HTTP POST invalid method case"; flow:established,to_server;
  content:"post"; http_method; nocase; content:!"POST"; http_method;
  reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
  reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown;
  sid:2011032; rev:4;)

Actual text has been replaced with "<text>".

Please let me know if you need anything else.

-- pckthck

-------------------- Payloads --------------------

ET SCAN HTTP POST invalid method case

    <text>

    ------WebKitFormBoundaryPDAhvzaUEdiWukiR
    Content-Disposition: form-data; name="format"

    1
    ------WebKitFormBoundaryPDAhvzaUEdiWukiR
    Content-Disposition: form-data; name="subscribe"

    1
    ------WebKitFormBoundaryPDAhvzaUEdiWukiR
    Content-Disposition: form-data; name="attachment"; filename=""


    ------WebKitFormBoundaryPDAhvzaUEdiWukiR
    Content-Disposition: form-data; name="submitbutton"

    Post to forum
    ------WebKitFormBoundaryPDAhvzaUEdiWukiR--

ET SCAN HTTP POST invalid method case

    Post to forum
    ------WebKitFormBoundarynriRWnylbxwtaofB--

ET SCAN HTTP POST invalid method case

    77098235644401115438165
    Content-Disposition: form-data; name="message"

    <text>
    -----------------------------20072377098235644401115438165
    Content-Disposition: form-data; name="format"

    1
    -----------------------------20072377098235644401115438165
    Content-Disposition: form-data; name="subscribe"

    0
    -----------------------------20072377098235644401115438165
    Content-Disposition: form-data; name="attachment"; filename=""
    Content-Type: application/octet-stream


    -----------------------------20072377098235644401115438165
    Content-Disposition: form-data; name="submitbutton"

    Post to forum
    -----------------------------20072377098235644401115438165--

ET SCAN HTTP POST invalid method case

    4414578508781458777923
    Content-Disposition: form-data; name="menu-item-description[44]"


    -----------------------------10102754414578508781458777923
    Content-Disposition: form-data; name="menu-item-db-id[44]"

    44
    -----------------------------10102754414578508781458777923
    Content-Disposition: form-data; name="menu-item-object-id[44]"

    43
    -----------------------------10102754414578508781458777923
    Content-Disposition: form-data; name="menu-item-object[44]"

    page
    -----------------------------10102754414578508781458777923
    Content-Disposition: form-data; name="menu-item-parent-id[44]"

    0
    -----------------------------10102754414578508781458777923
    Content-Disposition: form-data; name="menu-item-position[44]"

    3
    -----------------------------10102754414578508781458777923
    Content-Disposition: form-data; name="menu-item-type[44]"

    post_type
    -----------------------------10102754414578508781458777923
    Content-Disposition: form-data; name="save_menu"

    Save Menu
    -----------------------------10102754414578508781458777923
    Content-Disposition: form-data; name="menu-locations[primary]"

    3
    -----------------------------10102754414578508781458777923--


------------------------------------------------------------------------------
This SF email is sponsored by:
Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
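The rule under discussion anchors both content matches to the HTTP method buffer (`http_method`), so by design it should only fire on a request line whose method is "post" in a case other than all-upper, never on the string "Post to forum" inside a multipart body. The script below is an added illustration of that intended logic, not code from this thread or from the Snort project: it extracts the method from a constructed request and applies the rule's two conditions, and also shows the body-wide match that would explain hits like the quoted payloads if the method buffer were not being honoured (for example on a mid-stream segment that carries no request line at all). The sample requests, boundaries and `/forum` path are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample traffic (not the reporter's pcap). The body field
# mirrors the "Post to forum" submit button seen in the reported payloads.
BOUNDARY = b"----WebKitFormBoundaryEXAMPLE"
BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="submitbutton"\r\n\r\n'
    b"Post to forum\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)

def build_request(method: bytes, path: bytes = b"/forum") -> bytes:
    """Assemble a minimal HTTP/1.1 request around BODY (constructed)."""
    return (
        method + b" " + path + b" HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
        b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY
    )

# A TCP segment that starts part-way through the body: this is what a
# sensor sees when it did not observe (or did not reassemble) the
# beginning of the stream. There is no request line here.
MID_STREAM_SEGMENT = BODY[BODY.index(b"Post to forum"):]

REQUEST_LINE = re.compile(rb"^([A-Za-z]+) \S+ HTTP/1\.[01]$")

def extract_method(segment: bytes) -> Optional[bytes]:
    """Return the method token of the request line that opens this
    segment, or None when the segment does not begin with a well-formed
    request line (e.g. a mid-stream chunk carrying only body bytes)."""
    first_line, sep, _ = segment.partition(b"\r\n")
    if not sep:
        return None
    m = REQUEST_LINE.match(first_line)
    return m.group(1) if m else None

def sid_2011032_matches(segment: bytes) -> bool:
    """Intended semantics of sid:2011032: the method buffer equals
    'post' ignoring case (content:"post"; http_method; nocase) AND is
    not exactly 'POST' (content:!"POST"; http_method). Only the method
    buffer is inspected; the body is never consulted."""
    method = extract_method(segment)
    if method is None:
        return False
    return method.lower() == b"post" and method != b"POST"

def body_wide_match(segment: bytes) -> bool:
    """The same two contents applied to the whole segment with no
    http_method restriction. This is NOT the rule as written; it is the
    behaviour that would account for alerts on 'Post to forum' bodies,
    because 'Post' satisfies both 'post' (nocase) and '!POST'."""
    lowered = segment.lower()
    return b"post" in lowered and b"POST" not in segment

if __name__ == "__main__":
    for label, seg in [
        ("proper POST", build_request(b"POST")),
        ("lower-case post", build_request(b"post")),
        ("mixed-case Post", build_request(b"Post")),
        ("GET", build_request(b"GET")),
        ("mid-stream body chunk", MID_STREAM_SEGMENT),
    ]:
        print(f"{label:22s} rule={sid_2011032_matches(seg)!s:5s} "
              f"body-wide={body_wide_match(seg)}")
```

The "proper POST" request contains "Post to forum" in its body yet must not alert, and the mid-stream chunk has no method at all; only the lower- and mixed-case request lines satisfy the rule. If a sensor alerts on segments like the last case, the method buffer is being populated from something other than a reassembled request line, which is why a pcap of the offending stream is the next diagnostic step.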

