Snort mailing list archives
Re: protected_content and replace?
From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 27 Oct 2014 17:45:31 -0400
Hmm, the manual needs to state that then. It has no mentions that I can find that 'replace' is invalid with the http modifiers for either 'content' or 'protected_content'. The source code has these checks, however, in both sp_replace.c and sp_pattern_match.c.

A quick fix for you guys to bug: src/detection-plugins/sp_replace.c:64 in PayloadReplaceInit()

    if ( lastType == PLUGIN_PATTERN_MATCH_URI )
    {
        FatalError("%s(%d) => \"replace\" option is not supported "
                   "with uricontent, nor in conjunction with http_uri, "
                   "http_header, http_method http_cookie,"
                   "http_raw_uri, http_raw_header, or "
                   "http_raw_cookie modifiers.\n",
                   file_name, file_line);
    }

This text needs to include 'http_stat_code', 'http_stat_method', and 'http_client_body'.

Has any thought been given to allowing 'length' to accept byte_extract variables?

Btw, wouldn't 'replace' offer another bypass of protected_content? I.e., given the below:

    protected_content:"901890A8E9C8CF6D5A1A542B229FEBFF"; length:3; hash:md5; replace:"XXX";

One could simulate network traffic until the replaced characters appear in the packet, then the modified packet and original packet compared and the original content match derived. And then a speedier, more efficient fast_pattern rule created in its place ;)

Cheers!,
--J

On 10/27/2014 09:45, Carter Waxman (cwaxman) wrote:
> Hi Joshua,
>
> The replace modifier works with protected_content in the same way it works with content. It will work with regular payload matches, but not URI/HTTP buffer matches.
>
> Thanks,
> Carter Waxman
>
> On 10/25/14, 11:47 PM, "Joshua Kinard" <kumba () gentoo org> wrote:
>
>> I see this note in the manual for protected_content:
>>
>>     The protected content keyword can be used with some (but not all) of the content modifiers. Those not supported include:
>>         nocase
>>         fast_pattern
>>         depth
>>         within
>>
>> I assume 'replace' should be on that list as well? It's always been in a different section of the manual, but it seems to behave like a modifier keyword, since it affects the previous content match.
--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
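The thread turns on how protected_content differs from content: the rule carries only a digest plus a length, so the detector has to hash a window of payload bytes and compare digests, which is exactly why byte-altering modifiers such as nocase cannot apply, and why an inline replace must overwrite a same-length window. The following Python is an added illustration written for this archive page, not Snort's code and not from either poster; it models those semantics only. One assumption is labelled in the code: the toy scans every window from `offset` onward, whereas the thread does not say whether Snort checks one anchored window or slides. The secret, payloads and replacement string are constructed sample values.

```python
import hashlib

# Hash algorithms protected_content accepts on the page's Snort version is not
# stated in the thread; md5 is the one used there, the others are assumptions.
SUPPORTED_HASHES = {
    "md5": hashlib.md5,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}


def protected_content_rule(secret: bytes, hash_name: str = "md5") -> dict:
    """Rule-side view of protected_content: the secret never leaves this
    function, only its digest (upper-case hex, as in the rule syntax) and
    its byte length survive into the rule."""
    digest_fn = SUPPORTED_HASHES[hash_name]
    return {
        "hash": hash_name,
        "digest": digest_fn(secret).hexdigest().upper(),
        "length": len(secret),
    }


def protected_content_match(payload: bytes, rule: dict, offset: int = 0) -> int:
    """Detector-side check: hash each `length`-byte window starting at
    `offset` and return the first offset whose digest matches, else -1.

    Assumption: the window is slid over the whole payload. Because the
    comparison is digest-to-digest on exact bytes, case folding (nocase)
    or a partial-window bound (depth/within) have nothing to operate on."""
    digest_fn = SUPPORTED_HASHES[rule["hash"]]
    n = rule["length"]
    target = rule["digest"].lower()
    for i in range(offset, len(payload) - n + 1):
        if digest_fn(payload[i:i + n]).hexdigest() == target:
            return i
    return -1


def protected_content_replace(payload: bytes, rule: dict,
                              replacement: bytes, offset: int = 0) -> bytes:
    """Inline `replace` semantics: the replacement must be exactly as long
    as the matched window, and it overwrites the bytes at the match offset.
    Unmatched payloads pass through unchanged."""
    if len(replacement) != rule["length"]:
        raise ValueError("replace string must be the same length as the matched content")
    i = protected_content_match(payload, rule, offset)
    if i < 0:
        return payload
    return payload[:i] + replacement + payload[i + rule["length"]:]


if __name__ == "__main__":
    # Constructed sample: a 3-byte secret, like the length:3 rule in the thread.
    rule = protected_content_rule(b"abc", "md5")
    print(rule)                                            # digest + length only
    print(protected_content_match(b"xxabcyy", rule))       # 2
    print(protected_content_match(b"xxABCyy", rule))       # -1: no case folding
    print(protected_content_replace(b"xxabcyy", rule, b"XXX"))  # b'xxXXXyy'
```

The rule dictionary is what a reader of the rule file sees: the digest and the length, never the pattern. Feeding a case-changed payload through the matcher returns -1, which is the concrete reason the manual lists nocase as unsupported, and the length check in the replace helper mirrors Snort's same-length requirement for replace strings.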
Current thread:
- protected_content and replace? Joshua Kinard (Oct 25)
- Re: protected_content and replace? Carter Waxman (cwaxman) (Oct 27)
- Re: protected_content and replace? Joshua Kinard (Oct 27)
- Re: protected_content and replace? Carter Waxman (cwaxman) (Oct 27)