Bug #124

Using the http_cookie keyword seems to cause a match on all packets.

Added by Will Metcalf about 4 years ago. Updated almost 4 years ago.

Status: Closed
Start date: 03/25/2010
Priority: Normal
Due date: 05/14/2010
Assignee: Victor Julien
% Done: 100%
Category: -
Estimated time: 0.00 hour
Target version: 0.9.1

Description

The attached pcap contains a total of 30 packets. I get 30 alerts which includes the packets that are part of the tcp TWH. Also it should be noted that snort begins its normalized buffer for http_cookie with "Cookie: " and not the parsed value.

Regards,

Will

+================
TIME: 03/08/10-03:19:54.179765
ALERT CNT: 1
ALERT MSG [00]: http_cookie 1
ALERT GID [00]: 1
ALERT SID [00]: 68
ALERT REV [00]: 1
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 3
SRC IP: 192.168.100.17
DST IP: 96.43.130.5
PROTO: 6
SRC PORT: 38111
DST PORT: 80
FLOW: to_server: TRUE, to_client FALSE
PACKET LEN: 74
PACKET:
0000 00 12 17 26 CD 4B 00 1F 3C 6C C7 2D 08 00 45 00 ...&.K.. <l.-..E.
0010 00 3C 14 9F 40 00 40 06 1F 33 C0 A8 64 11 60 2B .<..@.@. .3..d.`+
0020 82 05 94 DF 00 50 9B EB C4 22 00 00 00 00 A0 02 .....P.. ."......
0030 16 D0 63 94 00 00 02 04 05 B4 04 02 08 0A 00 B6 ..c..... ........
0040 D0 BD 00 00 00 00 01 03 03 07 ........ ..
+================
TIME: 03/08/10-03:19:54.242206
ALERT CNT: 1
ALERT MSG [00]: http_cookie 1
ALERT GID [00]: 1
ALERT SID [00]: 68
ALERT REV [00]: 1
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 3
SRC IP: 192.168.100.17
DST IP: 96.43.130.5
PROTO: 6
SRC PORT: 38111
DST PORT: 80
FLOW: to_server: TRUE, to_client FALSE
PACKET LEN: 66
PACKET:
0000 00 12 17 26 CD 4B 00 1F 3C 6C C7 2D 08 00 45 00 ...&.K.. <l.-..E.
0010 00 34 14 A0 40 00 40 06 1F 3A C0 A8 64 11 60 2B .4..@.@. .:..d.`+
0020 82 05 94 DF 00 50 9B EB C4 23 F8 48 C9 E3 80 10 .....P.. .#.H....
0030 00 2E CC 80 00 00 01 01 08 0A 00 B6 D0 C3 43 C6 ........ ......C.
0040 D6 78 .x
+================
TIME: 03/08/10-03:19:54.242506

alert tcp any any -> any any (msg:"http_cookie 1 "; content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703"; http_cookie; classtype:bad-unknown; sid:68; rev:1;)

oisfsearchnums.pcap - oisf site search for a string of numbers (17.8 KB) Will Metcalf, 03/25/2010 07:35 PM

History

#1 Updated by Victor Julien about 4 years ago

  • Assignee changed from OISF Dev to Victor Julien
  • Estimated time changed from 2.50 to 0.00

Issue seems related to the app layer detection issues we discussed in Istanbul. Will be addressed in a task.

#2 Updated by Victor Julien about 4 years ago

  • Due date changed from 03/28/2010 to 04/30/2010
  • Target version changed from 0.8.2 to 0.9.0

#3 Updated by Will Metcalf almost 4 years ago

Seems this happens with uricontent as well. As you can see in the packet below there is no uricontent but we still fire.

+================
TIME: 01/04/10-17:29:26.927852
ALERT CNT: 5
ALERT MSG [00]: uricontent with depth
ALERT GID [00]: 1
ALERT SID [00]: 11
ALERT REV [00]: 1
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 3
ALERT MSG [01]: uricontent match for ALLWorkAndnoplay with nocase modifier against AllWorkAndNoPlay
ALERT GID [01]: 1
ALERT SID [01]: 2
ALERT REV [01]: 1
ALERT CLASS [01]: Potentially Bad Traffic
ALERT PRIO [01]: 3
ALERT MSG [02]: uricontent match for AndNoPlayMakesWillADullBoy with offset modifier
ALERT GID [02]: 1
ALERT SID [02]: 21
ALERT REV [02]: 1
ALERT CLASS [02]: Potentially Bad Traffic
ALERT PRIO [02]: 3
ALERT MSG [03]: uricontent match for AndNoPlayMakesWillADullBoy with offset and depth modifier
ALERT GID [03]: 1
ALERT SID [03]: 22
ALERT REV [03]: 1
ALERT CLASS [03]: Potentially Bad Traffic
ALERT PRIO [03]: 3
ALERT MSG [04]: multi-uricontent match for AndNoPlayMakesWillADullBoy with offset modifier
ALERT GID [04]: 1
ALERT SID [04]: 23
ALERT REV [04]: 1
ALERT CLASS [04]: Potentially Bad Traffic
ALERT PRIO [04]: 3
SRC IP: 209.85.225.105
DST IP: 192.168.2.3
PROTO: 6
SRC PORT: 80
DST PORT: 39867
FLOW: to_server: FALSE, to_client TRUE
PACKET LEN: 74
PACKET:
0000 00 24 E8 29 FA 4F 00 04 76 D3 D8 6A 08 00 45 00 .$.).O.. v..j..E.
0010 00 3C 9F E6 00 00 33 06 72 6B D1 55 E1 69 C0 A8 .<....3. rk.U.i..
0020 02 03 00 50 9B BB 22 FC 27 81 66 52 07 C2 A0 12 ...P..". '.fR....
0030 16 28 F1 4B 00 00 02 04 05 96 04 02 08 0A 52 12 .(.K.... ......R.
0040 53 9C 00 87 D0 5D 01 03 03 06 S....].. ..
+================
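Added example, not code from Suricata, Snort or the reporter: a small Python reference matcher that shows the semantics the http_cookie report above and the uricontent follow-up in #3 both expect. A buffer keyword matches only against the parsed field of an HTTP request, so a segment with no request (SYN, SYN/ACK, bare ACK, the server reply) yields no buffer and therefore no alert; an engine that alerts on every packet of the flow is matching against something other than the parsed field. The packets, hostname and URI below are constructed, the IPs and cookie string are taken from the report, and the Snort-style buffer that starts with "Cookie: " is modelled only as the report describes it.

```python
# Added example (not Suricata/Snort code): reference semantics for http_cookie
# and uricontent. Packets and HTTP content below are constructed test data.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    """Constructed TCP segment; flags use tcpdump notation ('S', 'S.', '.', 'P.')."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str
    payload: bytes = b""


@dataclass
class HttpRequest:
    method: str
    uri: bytes
    headers: Dict[bytes, bytes] = field(default_factory=dict)


METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def parse_http_request(payload: bytes) -> Optional[HttpRequest]:
    """Return the request if the payload holds a complete request head, else None."""
    if b"\r\n\r\n" not in payload:
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        return None  # responses and non-HTTP data are not requests
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None  # malformed header line
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(parts[0].decode(), parts[1], headers)


def http_cookie_buffer(pkt: Packet) -> Optional[bytes]:
    """Suricata semantics as the report states them: the parsed Cookie value only."""
    req = parse_http_request(pkt.payload)
    return None if req is None else req.headers.get(b"cookie")


def snort_cookie_buffer(pkt: Packet) -> Optional[bytes]:
    """Snort semantics as described in the report: the buffer begins with 'Cookie: '."""
    value = http_cookie_buffer(pkt)
    return None if value is None else b"Cookie: " + value


def uricontent_buffer(pkt: Packet) -> Optional[bytes]:
    """Request URI (assumption: no normalisation beyond what the parser returns)."""
    req = parse_http_request(pkt.payload)
    return None if req is None else req.uri


def content_match(buf: Optional[bytes], content: bytes, nocase: bool = False,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """content against one buffer; an absent buffer is a non-match, never a wildcard."""
    if buf is None:
        return False
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    if nocase:
        return content.lower() in window.lower()
    return content in window


def alerting_packets(packets: List[Packet], buffer_fn: Callable[[Packet], Optional[bytes]],
                     content: bytes, **kw) -> List[int]:
    """Indexes of the packets a rule using this buffer keyword should alert on."""
    return [i for i, p in enumerate(packets) if content_match(buffer_fn(p), content, **kw)]


COOKIE = b"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703"

REQUEST = (b"GET /search?searchword=0123456789 HTTP/1.1\r\n"
           b"Host: www.example.org\r\n"          # constructed hostname
           b"Cookie: " + COOKIE + b"\r\n\r\n")

# Constructed flow: three-way handshake, the request, a bare ACK and the reply.
FLOW = [
    Packet("192.168.100.17", "96.43.130.5", 38111, 80, "S"),
    Packet("96.43.130.5", "192.168.100.17", 80, 38111, "S."),
    Packet("192.168.100.17", "96.43.130.5", 38111, 80, "."),
    Packet("192.168.100.17", "96.43.130.5", 38111, 80, "P.", REQUEST),
    Packet("96.43.130.5", "192.168.100.17", 80, 38111, "."),
    Packet("96.43.130.5", "192.168.100.17", 80, 38111, "P.",
           b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    print("http_cookie  :", alerting_packets(FLOW, http_cookie_buffer, COOKIE))
    print("uricontent   :", alerting_packets(FLOW, uricontent_buffer, b"searchword", nocase=True))
    # The 'Cookie: ' prefix only matters to a rule anchored at the buffer start.
    print("depth:8 value:", alerting_packets(FLOW, http_cookie_buffer, b"Cookie: ", depth=8))
    print("depth:8 snort:", alerting_packets(FLOW, snort_cookie_buffer, b"Cookie: ", depth=8))
```

Only packet 3, the one carrying the GET, can alert for either keyword; the handshake segments in the dumps above have no parsed request and so no buffer. The last two lines show why the "Cookie: " prefix noted in the description matters in practice: a rule written with a depth or offset relative to the start of the buffer behaves differently on an engine whose buffer begins with the header name than on one whose buffer holds the value alone.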

#4 Updated by Victor Julien almost 4 years ago

  • Due date changed from 04/30/2010 to 05/14/2010
  • Target version changed from 0.9.0 to 0.9.1

It's related to the applayer detection, thus to all related keywords. I'm working on a fix for this.

#5 Updated by Victor Julien almost 4 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Fixed in current master.
