Snort mailing list archives
Matching http_cookie content
From: Stephen Reese via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 11 May 2023 15:48:56 -0400
I am having trouble triggering Snort 3 log4j rules which look for a pattern in http_cookie. For the following rule, I would expect something like ${jndi: or similar set to a cookie value would suffice but that does not seem to be the case. Thoughts on why I am unable to trigger the rule using the encoded or unencoded value that seems to meet the regex criteria?

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; content:"jndi",fast_pattern,nocase; http_cookie; content:"jndi",nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58726; rev:6; )

Python to trigger the request:

    import logging
    import socket

    from scapy.all import raw
    from scapy.layers.http import HTTPRequest

    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

    target_ip = "192.168.208.167"
    target_port = 80

    # The cookie value to trigger the Snort rule with sid 58726 and rev 6
    cookie_name = "jndi"
    #cookie_value = "${jndi:"
    cookie_value = "%24%7bjndi%3a"


    def send_request(cookie_name, cookie_value):
        # Build the request with scapy's HTTP layer; header fields are bytes
        http_request = HTTPRequest(
            Method=b"GET",
            Path=b"/",
            Host=bytes(target_ip, encoding="utf-8"),
            User_Agent=b"Mozilla/5.0",
            Accept=b"*/*",
            Connection=b"keep-alive",
            Cookie=f"{cookie_name}={cookie_value}".encode("utf-8"),
        )
        http_request_raw = raw(http_request)

        # Send it over a plain TCP socket so the HTTP inspector sees a real stream
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((target_ip, target_port))
        sock.sendall(http_request_raw)
        response = sock.recv(4096)
        sock.close()

        print(response)
        print("Triggered Snort rule with sid: 58726, rev: 6")


    send_request(cookie_name, cookie_value)

Wireshark stream:

    GET / HTTP/1.1
    Accept: */*
    Connection: keep-alive
    Cookie: vulnerable_cookie=%24%7bjndi%3a
    Host: 192.168.208.167
    User-Agent: Mozilla/5.0

    HTTP/1.1 200 OK
    Content-Length: 258
    Date: Thu, 11 May 2023 19:45:09 GMT
    Content-Type: text/html
    Server: INetSim HTTP Server
    Connection: Close

    <html>
    <head>
    <title>INetSim default HTML page</title>
    </head>
    <body>
    <p></p>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
    </body>
    </html>
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
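Added example, not part of the post above: a stand-alone check of what the rule's two cookie-buffer options (content "jndi" nocase, then the pcre) actually match, run against constructed HTTP requests. It isolates the Cookie header value the way http_cookie does and applies the rule's own regex, so you can confirm which encoded and unencoded values satisfy the pattern before blaming the rule. It does not model Snort's http_inspect normalization, flow tracking or port configuration, which this check cannot rule out.

```python
import re
from typing import Optional

# The pcre from sid 58726 rev 6, as quoted in the post; Python's re reads the same syntax.
RULE_PCRE = re.compile(r"(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)", re.IGNORECASE)


def cookie_buffer(raw_request: bytes) -> Optional[str]:
    """Return the Cookie header value (the buffer http_cookie selects), or None if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            return value.strip().decode("latin-1")
    return None


def rule_58726_matches(raw_request: bytes) -> bool:
    """Apply the rule's cookie-buffer checks: content "jndi" nocase, then the pcre."""
    cookie = cookie_buffer(raw_request)
    if cookie is None:
        return False
    if "jndi" not in cookie.lower():  # content:"jndi",nocase; http_cookie;
        return False
    return RULE_PCRE.search(cookie) is not None  # pcre is case-insensitive (/i)


def build_request(cookie: str) -> bytes:
    """Constructed sample request mirroring the one in the post (same host, same headers)."""
    return (
        "GET / HTTP/1.1\r\n"
        "Host: 192.168.208.167\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        f"Cookie: {cookie}\r\n\r\n"
    ).encode("latin-1")


# Constructed cookie values: unencoded, single- and double-percent-encoded, and two non-matches.
SAMPLES = {
    "jndi=${jndi:": True,
    "vulnerable_cookie=%24%7bjndi%3a": True,
    "x=%2524%257BJNDI%253A": True,
    "jndi=harmless": False,  # content matches, pcre does not
    "session=abc123": False,  # content never matches
}


def check_samples() -> dict:
    """Evaluate every sample; returns {cookie: matched} for comparison with SAMPLES."""
    return {c: rule_58726_matches(build_request(c)) for c in SAMPLES}


if __name__ == "__main__":
    for cookie, matched in check_samples().items():
        print(f"{'MATCH' if matched else 'no match':9} Cookie: {cookie}")
```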
Current thread:
- Matching http_cookie content Stephen Reese via Snort-sigs (May 12)
- Re: Matching http_cookie content Alex Tatistcheff via Snort-sigs (May 12)