Snort mailing list archives
Proposed change to sid:24348 - I don't think it encompasses all the allowed X-Forwarded-For rules
From: Scott Savarese <scott.savarese () vitals com>
Date: Thu, 8 Jan 2015 07:58:11 -0500
I'm really new to Snort. Now that I have it up and running I'm starting to clean up the rules I have. I found one rule that I want to keep enabled, but is broken:

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt"; flow:to_server,established; content:"X-Forwarded-For|3A| "; fast_pattern:only; http_header; pcre:!"/X-Forwarded-For\x3a\s(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/i"; metadata:service http; reference:cve,2012-3526; classtype:web-application-attack; sid:24348; rev:3;)

It looks like it looks for the X-Forwarded-For header and then a single space and then an IP address. However, I'm seeing thousands of hits that generate an alert for this rule:

- Multiple spaces after the : and before the IP address starts
- IPv6 IP addresses
- The keyword "unknown" (see http://www.squid-cache.org/Doc/config/forwarded_for/ to see why it is OK)
- Multiple tokens in the line such as IPv6 IP then a comma then the IPv4 IP
- Blank lines

Some examples from my tcpdump of the caught packets:

    X-Forwarded-For: , 1.2.3.4
    X-Forwarded-For:
    X-Forwarded-For: 10.16.72.23, unknown
    X-Forwarded-For: unknown
    X-Forwarded-For: 2600:9010:a127:35f6:e557:8aa4:fb56:65ec
    X-Forwarded-For: 2600:9010:a127:35f6:e557:8aa4:fb56:65ec, 2.3.4.5
    X-FORWARDED-FOR: 3.4.5.6

I think I found a good pcre that would match the above.
    pcre:!"/X-Forwarded-For\x3a(\s|,|unknown|(((?=.*(::))(?!.*\3.+\3))\3?|([\dA-F]{1,4}(\3|:\b|$)|\2))(?4){5}((?4){2}|(((2[0-4]|1\d|[1-9])?\d|25[0-5])\.?\b){4})\z|(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))+/i"

Breaking it down on separate lines for clarity:

    /X-Forwarded-For\x3a    <-- Start with X-Forwarded-For: always, then 1 or more of the following tokens
    (\s|                    <-- space
    ,|                      <-- A comma
    unknown|                <-- The keyword unknown
    (((?=.*(::))(?!.*\3.+\3))\3?|([\dA-F]{1,4}(\3|:\b|$)|\2))(?4){5}((?4){2}|(((2[0-4]|1\d|[1-9])?\d|25[0-5])\.?\b){4})\z|    <-- An IPv6 IP (regex from http://home.deds.nl/~aeron/regex/)
    (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)    <-- IPv4 IP
    )+/i                    <-- Case insensitive everything

Can you please let me know your thoughts or if there is a better way?

Thanks,
Scott
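Added editorial example, not part of Scott's post and not Snort code: a small Python model of what the two rules decide for the header lines quoted above. It runs the pcre from sid:24348 rev:3 unchanged (Python's re accepts it) with the rule's negation applied, and beside it a checker for the value grammar the post describes (comma-separated tokens, each empty, "unknown", or an IP address). That grammar is an assumption drawn from the post's list of cases, not something the Snort rule or the squid documentation defines. Token validation uses the ipaddress module rather than the IPv6 regex from the post for two reasons: Python's re has no (?N) subroutine calls, and the backreferences \2, \3 and the (?4) call in that regex are numbered for a stand-alone pattern, so once it is wrapped in an extra outer group their targets shift by one and the IPv6 branch no longer matches what it was written to match. The sample lines and the two non-address values in the test are constructed.

```python
import ipaddress
import re

# Constructed sample header lines: the same kinds of values the post lists
# (leading comma, blank value, "unknown", IPv6, mixed IPv6/IPv4, upper-case name).
SAMPLES = [
    "X-Forwarded-For: , 1.2.3.4",
    "X-Forwarded-For: ",
    "X-Forwarded-For: 10.16.72.23, unknown",
    "X-Forwarded-For: unknown",
    "X-Forwarded-For: 2600:9010:a127:35f6:e557:8aa4:fb56:65ec",
    "X-Forwarded-For: 2600:9010:a127:35f6:e557:8aa4:fb56:65ec, 2.3.4.5",
    "X-FORWARDED-FOR: 3.4.5.6",
]

# The pcre from sid:24348 rev:3 as quoted in the post: header name, exactly one
# whitespace character, then a dotted-quad IPv4 address.  No PCRE-only features
# are used, so Python's re compiles it as-is.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
ORIGINAL_PCRE = re.compile(
    r"X-Forwarded-For\x3a\s" + OCTET + r"\." + OCTET + r"\." + OCTET + r"\." + OCTET,
    re.IGNORECASE,
)


def original_rule_alerts(line: str) -> bool:
    """sid:24348 negates its pcre ('pcre:!'), so the rule fires whenever the
    pattern does NOT match anywhere in the header line."""
    return ORIGINAL_PCRE.search(line) is None


# Assumed value grammar, taken from the cases listed in the post: comma-separated
# tokens, each an IPv4 or IPv6 literal, the word "unknown", or empty (which
# covers both a leading comma and a blank header value).
HEADER_RE = re.compile(r"^X-Forwarded-For\x3a(?P<value>.*)$", re.IGNORECASE)


def is_allowed_token(token: str) -> bool:
    """True for '', 'unknown' (any case) or a syntactically valid IPv4/IPv6 address."""
    if token == "" or token.lower() == "unknown":
        return True
    try:
        ipaddress.ip_address(token)  # ValueError for anything that is not an IP literal
        return True
    except ValueError:
        return False


def proposed_rule_alerts(line: str) -> bool:
    """Alert only when some token in the value is none of the allowed forms,
    which is the condition the post's negated pcre is trying to express."""
    match = HEADER_RE.match(line.rstrip("\r\n"))
    if match is None:
        return False  # not an X-Forwarded-For header at all; nothing to judge
    tokens = [t.strip() for t in match.group("value").split(",")]
    return not all(is_allowed_token(t) for t in tokens)


def compare(lines):
    """Return (line, original_alerts, proposed_alerts) for each input line."""
    return [(line, original_rule_alerts(line), proposed_rule_alerts(line)) for line in lines]


if __name__ == "__main__":
    for line, orig, proposed in compare(SAMPLES):
        print(f"{line!r:72} original={orig!s:5} proposed={proposed}")
```

Run as a script it prints one row per sample: the original rule fires on five of the seven (everything except "10.16.72.23, unknown", which starts with a dotted quad, and the upper-case header, which the /i flag covers), while the grammar-based check fires on none of them and still fires on a value that is not an address. Using ipaddress also catches octets above 255 and malformed IPv6, which a hand-written regex has to spell out.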
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!