Re: http_inspect tuning issue

[Joel Esler <jesler () sourcefire com>]

Suppress it.  That's the easiest way to get rid of the alert if you find it
produces no actionable information for you.

On Tue, Jul 3, 2012 at 10:13 AM, Castle, Shane <scastle () bouldercounty org>wrote:

> I want to tune then out because they seem to be completely useless. No
> info other than the bald message is ever given, no packet in which the
> offense occurred is captured by Snort as part of the process, and if the
> NSM logs are searched for the corresponding event then you see something
> like this:
> ------------------------------------------------------------------------
> POST /dgw?imei=TEST&apptype=finance&src=HTC01 HTTP/1.1
> User-Agent: curl/7.19.0 (i586-pc-mingw32msvc) libcurl/7.19.0 zlib/1.2.3
> Content-Type: text/xml
> Content-Length: 335
> Host: api.htc.go.yahoo.com
> Connection: Keep-Alive
>
> <?xml version="1.0" encoding="UTF-8"?>
> <request devtype="HTC_Model" deployver="HTCFinanceWidget 0.1"
> app="HTCFinanceWidget" appver="0.1.0" api="finance" apiver="1.0.1"
> acknotification="0000">
> <query id="0" timestamp="0" type="getquotes">
>
> <list><symbol>^DJI</symbol><symbol>^GSPC</symbol><symbol>^IXIC</symbol></list></query>
> </request>
>
> HTTP/1.1 200 OK
> Date: Mon, 02 Jul 2012 22:18:56 GMT
> X-YSTATUS: 200
> Vary: Accept-Encoding
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/plain;charset=UTF-8
> Cache-Control: private
>
> 576
> <?xml version="1.0" encoding="UTF-8"?><response><result type="getquotes"
> timestamp="1341267536"><list count="3" total="3"><quote><name>Dow Jones
> Industrial
> Average</name><symbol>^DJI</symbol><exchange>DJI</exchange><status>0</status><timestamp>1341259357</timestamp><price>12871.389648</price><change>-8.700195</change><changepercent>-0.067548</changepercent><open>12879.709961</open><high>12902.120117</high><low>12795.480469</low><volume>109643561</volume><marketcap>N/A</marketcap><link>
> http://m.yahoo.com/s/htcwf/yfinance/quote/^DJI/</link></quote><quote><name>S&amp;P
> 500</name><symbol>^GSPC</symbol><exchange>SNP</exchange><status>0</status><timestamp>1341261519</timestamp><price>1365.510010</price><change>3.349976</change><changepercent>0.245931</changepercent><open>1362.329956</open><high>1366.349976</high><low>1355.699951</low><volume>544915121</volume><marketcap>N/A</marketcap><link>
> http://m.yahoo.com/s/htcwf/yfinance/quote/^GSPC/</link></quote><quote><name>NASDAQ
> Composite</name><symbol>^IXIC</symbol><exchange>Nasdaq</exchange><status>0</status><timestamp>1341263923</timestamp><price>2951.229980</price><change>16.180000</change><changepercent>0.551268</changepercent><open>2938.409912</open><high>2951.229980</high><low>2925.709961</low><volume>0</volume><marketcap>N/A</marketcap><link>
> http://m.yahoo.com/s/htcwf/yfinance/quote/
> ^IXIC/</link></quote></list></result></response>
>
> 0
> ------------------------------------------------------------------------
> Here's another one:
> ------------------------------------------------------------------------
> GET / HTTP/1.1
> Accept: */*
> Accept-Language: en-us
> UA-CPU: x86
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB7.3;
> .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
> 3.5.30729; .NET4.0C; .NET4.0E)
> Host: my-cdhs.state.co.us
> Connection: Keep-Alive
> Cookie: GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true;
> LOGIN="cn=greenxrj,ou=hsp,ou=bda,ou=nc,o=cty"
>
> HTTP/1.1 302 Moved Temporarily
> Location: https://my-cdhs.state.co.us/
> Connection: close
> Cache-Control: no-cache
> Pragma: no-cache
> ------------------------------------------------------------------------
> Now, what's the point of this alert? Even if there is actually an error in
> the HTTP conversation (which there does seem to be, but I can't see the
> issue in the second example) there is nothing harmful or malicious here.
> One thing I do notice: many of the servers belong to Yahoo. If I could tune
> out just those I think I could reduce my noise. But I still think that
> fundamentally 120:8 is useless and I'm going to try thresholding it so I
> don't see it anymore.
>
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
> CISSP GSEC GCIH
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 () windstream net]
> Sent: Monday, July 02, 2012 23:31
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] http_inspect tuning issue
>
> On 7/2/2012 18:53, Castle, Shane wrote:
> > I am getting thousands of 120:8 alerts (http_inspect: MESSAGE WITH
> INVALID CONTENT-LENGTH OR CHUNK SIZE) and I can't figure out how to tune
> http_inspect so that they aren't triggered. Any info on this would be
> appreciated.
>
> why would you want to tune them out? what do your pcaps (packet captures)
> show?
> this, to me, stinks of some sort of consolidated attack on your servers or
> possibly of trying to use them in an attack against another server or
> servers...
>
> i say this while looking at the thousands of attacks that my systems repel
> every
> day which are trying to use my servers against other servers... the main
> key
> factor in my case is that they are caught and automatically blocked before
> they
> can infiltrate my servers... yes, this is "slightly" against the normal
> flow
> processing of monitoring IDS/IPS alerts but it is the process that i and
> those i
> support have chosen ;)
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!