Snort mailing list archives

Proposed change to sid:24348 - I don't think it encompasses all the allowed X-Forwarded-For rules


From: Scott Savarese <scott.savarese () vitals com>
Date: Thu, 8 Jan 2015 07:58:11 -0500

I'm really new to Snort. Now that I have it up and running I'm starting to
clean up the rules I have. I found one rule that I want to keep enabled,
but that is broken:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE
Apache mod_rpaf x-forwarded-for header denial of service attempt";
flow:to_server,established; content:"X-Forwarded-For|3A| ";
fast_pattern:only; http_header;
pcre:!"/X-Forwarded-For\x3a\s(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/i";
metadata:service http; reference:cve,2012-3526;
classtype:web-application-attack; sid:24348; rev:3;)

It looks for the X-Forwarded-For header, then a single space, then an IP
address. However, I'm seeing thousands of hits that generate an alert for
this rule:

   - Multiple spaces after the : and before the IP address starts
   - IPv6 IP addresses
   - The keyword "unknown" (see
   http://www.squid-cache.org/Doc/config/forwarded_for/ to see why it is OK)
   - Multiple tokens in the line such as IPv6 IP then a comma then the IPv4
   IP
   - Blank lines

Some examples from my tcpdump of the caught packets:

X-Forwarded-For: , 1.2.3.4

X-Forwarded-For:

X-Forwarded-For: 10.16.72.23, unknown

X-Forwarded-For: unknown

X-Forwarded-For: 2600:9010:a127:35f6:e557:8aa4:fb56:65ec

X-Forwarded-For: 2600:9010:a127:35f6:e557:8aa4:fb56:65ec, 2.3.4.5

X-FORWARDED-FOR:  3.4.5.6



I think I found a good pcre that would match the above.

pcre:!"/X-Forwarded-For\x3a(\s|,|unknown|
(((?=.*(::))(?!.*\4.+\4))\4?|([\dA-F]{1,4}(\4|:\b|$)|\3))(?5){5}((?5){2}|(((2[0-4]|1\d|[1-9])?\d|25[0-5])\.?\b){4})\z
|(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))+/i"


Breaking it down on separate lines for clarity:

/X-Forwarded-For\x3a <-- Start with X-Forwarded-For: always, then 1 or more
of the following tokens
(\s| <-- space
,| <-- A comma
unknown| <-- The keyword unknown
(((?=.*(::))(?!.*\4.+\4))\4?|([\dA-F]{1,4}(\4|:\b|$)|\3))(?5){5}((?5){2}|(((2[0-4]|1\d|[1-9])?\d|25[0-5])\.?\b){4})\z|
<-- An IPv6 IP (regex from http://home.deds.nl/~aeron/regex/)

(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
<-- IPv4 IP

)+/i <-- Case insensitive everything


Can you please let me know your thoughts or if there is a better way?

Thanks,
Scott
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
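What the post is after is a check on the whole header value rather than on its first token. As an added example (not from the post, the Snort rule set or the squid documentation), the Python below models the stock sid:24348 check, the content match plus the negated pcre, and runs it beside a tokenising validator that splits the value on commas and accepts empty tokens, the literal unknown, and any address the standard ipaddress module parses, over the header lines quoted in the post plus two constructed bad values. The request wrapper, the function names and the two bad values are assumptions. The proposed replacement pcre is not run here: Python's re has no (?n) recursion, the backreference and recursion numbers of the aeron IPv6 expression shift by one when it is nested inside an outer capturing group, and an alternation of one-or-more tokens that includes \s is already satisfied by the single space after the colon whatever follows it, so as a negated pcre it would never fire.

```python
"""Added example: a tokenising X-Forwarded-For validator beside a model of the
stock sid:24348 check. Not from the original post or the Snort rule set."""
import ipaddress
import re

# The four-octet expression from the posted rule, verbatim.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
SID_24348_PCRE = re.compile(r"X-Forwarded-For\x3a\s" + r"\.".join([OCTET] * 4),
                            re.IGNORECASE)

# One X-Forwarded-For header line; group 1 is the value with leading blanks
# removed, so "X-FORWARDED-FOR:  3.4.5.6" yields "3.4.5.6".
XFF_LINE = re.compile(r"^X-Forwarded-For\x3a[ \t]*(.*?)\r?$",
                      re.IGNORECASE | re.MULTILINE)


def rule_24348_alerts(headers: str) -> bool:
    """Model of the stock rule: content:"X-Forwarded-For|3A| " must hit and
    the negated pcre must NOT, i.e. the header is present but is not followed
    by exactly one whitespace character and a dotted quad. The content match
    is modelled case-insensitively (the pcre is /i, and the post shows an
    upper-case header name being caught); http_header normalisation and the
    rule's flow/port constraints are ignored."""
    if "x-forwarded-for: " not in headers.lower():
        return False
    return SID_24348_PCRE.search(headers) is None


def xff_token_ok(token: str) -> bool:
    """A token is acceptable if it is empty, the literal 'unknown' (what squid
    emits with forwarded_for off), or a syntactically valid IPv4/IPv6 address."""
    if token == "" or token.lower() == "unknown":
        return True
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def xff_values(headers: str) -> list:
    """Return the comma-separated, whitespace-stripped token lists of every
    X-Forwarded-For line in a CRLF-separated header block."""
    return [[t.strip() for t in m.group(1).split(",")]
            for m in XFF_LINE.finditer(headers)]


def validator_alerts(headers: str) -> bool:
    """True when at least one X-Forwarded-For header is present and any of its
    tokens is not acceptable. Unlike the stock pcre this checks the whole
    value, so '1.2.3.4garbage' is flagged while an IPv6 list is not."""
    lines = xff_values(headers)
    if not lines:
        return False
    return not all(xff_token_ok(t) for toks in lines for t in toks)


def request_with(xff_line: str) -> str:
    """Wrap one header line in a minimal HTTP/1.1 request (constructed)."""
    return ("GET / HTTP/1.1\r\nHost: www.example.com\r\n"
            + xff_line + "\r\nConnection: close\r\n\r\n")


def compare(xff_line: str) -> tuple:
    """(stock rule alerts?, tokenising validator alerts?) for one header line."""
    req = request_with(xff_line)
    return rule_24348_alerts(req), validator_alerts(req)


# Header lines quoted in the post (the blank one is given a trailing space,
# which the rule's content: match requires) plus two constructed bad values.
SAMPLES = [
    "X-Forwarded-For: 1.2.3.4",
    "X-Forwarded-For: , 1.2.3.4",
    "X-Forwarded-For: ",
    "X-Forwarded-For: unknown",
    "X-Forwarded-For: 2600:9010:a127:35f6:e557:8aa4:fb56:65ec",
    "X-Forwarded-For: 2600:9010:a127:35f6:e557:8aa4:fb56:65ec, 2.3.4.5",
    "X-FORWARDED-FOR:  3.4.5.6",
    "X-Forwarded-For: 999.999.999.999",      # constructed: not an address
    "X-Forwarded-For: 1.2.3.4garbage",       # constructed: trailing junk
]

if __name__ == "__main__":
    for line in SAMPLES:
        stock, strict = compare(line)
        print(f"{line!r:70} stock={stock!s:5} validator={strict}")
```

Every line the post lists as a false positive comes back as stock=True, validator=False; the two constructed values show where the approaches differ: a dotted quad with trailing junk satisfies the stock pcre (no alert) but fails the validator, since a pcre that only has to find a valid-looking prefix somewhere in the buffer proves nothing about the rest of the value. A Snort rule can approximate the same thing by anchoring the pcre to the end of the header line, but a rule with many alternations per token is expensive on every request carrying the header, so the example is written as a post-processing check rather than a drop-in replacement pcre.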

