Re: HttpInpsect/HTTP preprocessor: false positives HI_CLISRV_MSG_SIZE_EXCEPTION

[Russ Combs <rcombs () sourcefire com>]

On Tue, Aug 20, 2013 at 3:12 AM, Bram <bram-fabeg () mail wizbit be> wrote:

> Hi Russ,
>
>
> When I reported it I was using snort 2.9.5.
> I just retested it with snort 2.9.5.3 (compiled with -O0 and without
> patches) and it behaves the same.
>
> Mentioning it just in case: did you fix the original config? to trigger
> this with the '120_8_2_80.cap' file the config ('preprocessor stream5_tcp')
> needs to be fixed...

Yes, I did use the corrected config.  I'll try again.

> To avoid any confusion:
>
> $ snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.5.3 GRE (Build 132)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/*
> *snort-team <http://www.snort.org/snort/snort-team>
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.3.0
>            Using PCRE version: 8.32 2012-11-30
>            Using ZLIB version: 1.2.8
>
>
> (fixed) config:
>
>         dynamicpreprocessor directory /usr/lib/snort_**
> dynamicpreprocessor/
>         preprocessor stream5_global: \
>            track_tcp yes, \
>            track_udp no, \
>            track_icmp no
>         preprocessor stream5_tcp: policy first, ports both 80 8080
>
>
>         preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> compress_depth 65535 decompress_depth 65535
>         preprocessor http_inspect_server: server default \
>             http_methods { GET HEAD POST PUT SEARCH MKCOL COPY MOVE LOCK
> UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE
> TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH
> BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST
> RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>             chunk_length 500000 \
>             server_flow_depth 0 \
>             client_flow_depth 0 \
>             post_depth 65495 \
>             oversize_dir_length 500 \
>             max_header_length 4096 \
>             max_headers 100 \
>             max_spaces 0 \
>             small_chunk_length { 10 5 } \
>             ports { 80 7000 8080 } \
>             non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>             enable_cookie \
>             extended_response_inspection \
>             inspect_gzip \
>             normalize_utf \
>             unlimited_decompress \
>             normalize_javascript \
>             apache_whitespace no \
>             ascii no \
>             bare_byte no \
>             directory no \
>             double_decode no \
>             iis_backslash no \
>             iis_delimiter no \
>             iis_unicode no \
>             multi_slash no \
>             utf_8 no \
>             u_encode yes \
>             webroot no
>
>         alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"**; sid: 8; gid: 120;
> rev: 2; metadata: rule-type preproc; )
>         alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1;
> metadata: rule-type preproc ;  )
>
>         output alert_fast: stdout
>
>
> Running it:
>
>
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
> -r /tmp/120_8_2_80.cap 2>&1  | grep '120:'
>         08/12-18:21:01.997838  [**] [120:8:2] (http_inspect) INVALID
> CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 0] {TCP}
> 192.168.173.153:43668 -> 192.168.173.1:80
>         08/12-18:21:01.997452  [**] [120:3:1] (http_inspect) NO
> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 0]
> {TCP} 192.168.173.1:80 -> 192.168.173.153:43668
>
> Comparing 'src/preprocessors/**HttpInspect/utils/hi_paf.c' between snort
> 2.9.5 and snort 2.9.5.3 shows no relevant change..
> So this behaviour should be reproducible on both 2.9.5 and 2.9.5.3 (as
> shown above).
>
>
> Best regards,
>
> Bram
>
>
> Quoting Russ Combs <rcombs () sourcefire com>:
>
> > Hey Bram - which version of Snort are you running?  I'm only getting 120:3
> > with 295-132.
> >
> > On Fri, Aug 16, 2013 at 8:55 AM, Russ Combs <rcombs () sourcefire com>
> > wrote:
> >
> >  Thanks for reporting this.  I will investigate and get back to you.
> > > Russ
>
>
> ------------------------------**------------------------------**----
> This message was sent using IMP, the Internet Messaging Program.
------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!