Bug #229
Gzip & Chunk encoding issue
Status: closed
Description
The following sig goes along with scanner-clean.pcap:
alert tcp any any -> any any (msg:"EID FAKEAV scanner page encountered - Initializing Virus Protection System..."; content:"Virus Protection System"; classtype:bad-unknown; sid:5600106; rev:2;)
This sig goes with the iframe.pcap:
alert tcp any any -> any any (msg:"MALVERTISING hidden iframe served by nginx 2"; content:"iframe"; nocase; classtype:bad-unknown; sid:5600066; rev:1;)
Both failed to fire on the attached pcaps.
Updated by Gurvinder Singh over 14 years ago
1. The sigs provided are scanning with the content keyword, whereas the content which they intend to scan is in gzip format. So to detect the attack correctly, there should be an app layer keyword with it. The correct sig for iframe will be:
alert tcp any any -> any any (msg:"MALVERTISING hidden iframe served by nginx 2"; content:"iframe"; http_server_body; nocase; classtype:bad-unknown; sid:5600066; rev:1;)
As the content which needs to be scanned is in the http_body, which contains the unzipped contents of the packets. I am attaching the output log from both the pcaps, which will show the content which both sigs intend to find. This is generated by adding the callback function to libhtp as
htp_config_register_response_body_data(cfglist.cfg, HTPCallbackRequestBodyData);
merely to show the unzipped contents.
2. Another issue is that we don't have an http_server_body keyword to detect attacks such as drive-by download attacks, as the current keyword http_client_body looks only at the HTTP requests. Hopefully support for this will be added soon.
Updated by Victor Julien about 13 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 1.2
Related to issue #308.
Updated by Victor Julien about 13 years ago
- Status changed from Assigned to Closed
- Target version changed from 1.2 to 1.2beta1
- % Done changed from 0 to 100
http_server_body and file_data have been implemented. Both inspect the normalized/dechunked/unzipped response body.
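The following is an added worked example, not code from this ticket or from Suricata/libhtp. It reproduces the failure mode discussed in both comments above: a constructed HTML page containing the two strings the rules look for is served gzip-compressed and chunked, a bare `content` search over the wire bytes misses it, and a search over the dechunked and decompressed body (what http_server_body and file_data inspect) finds it. It also shows that chunking alone, with a chunk boundary falling inside "iframe", is enough to defeat a raw-payload match. The sample page, the names `build_response`, `normalized_body`, `rule_fires`, `cut_sizes_through` and the rule model are all assumptions made for the demonstration; only gzip Content-Encoding is decoded, and the "payload" buffer is simplified to the raw bytes of the whole response.

```python
import gzip

# Constructed sample page containing both strings the ticket's rules look for.
HTML_BODY = (
    b"<html><body>"
    b'<iframe src="http://ad.example.test/x" width=0 height=0></iframe>'
    b"<p>Initializing Virus Protection System...</p>"
    b"</body></html>"
)


def chunk_encode(data, sizes):
    """Apply Transfer-Encoding: chunked, cutting `data` at the given sizes;
    whatever is left after the listed sizes goes out as one final chunk."""
    out = bytearray()
    pos = 0
    for n in list(sizes) + [len(data)]:
        piece = data[pos:pos + n]
        if not piece:
            break
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
        pos += len(piece)
    out += b"0\r\n\r\n"  # last-chunk, no trailers
    return bytes(out)


def cut_sizes_through(data, token, offset=2):
    """Chunk sizes that place a chunk boundary `offset` bytes into every
    occurrence of `token`, so the token never appears intact on the wire."""
    sizes, last = [], 0
    start = data.find(token)
    while start != -1:
        cut = start + offset
        sizes.append(cut - last)
        last = cut
        start = data.find(token, start + 1)
    return sizes


def build_response(body, gzip_body=True, chunk_sizes=None):
    """Serialize an HTTP/1.1 response the way an nginx-style server would
    when it gzips and/or chunks the page (both encodings are optional)."""
    payload = gzip.compress(body, mtime=0) if gzip_body else body  # mtime=0: reproducible bytes
    headers = [b"HTTP/1.1 200 OK", b"Server: nginx", b"Content-Type: text/html"]
    if gzip_body:
        headers.append(b"Content-Encoding: gzip")
    if chunk_sizes is not None:
        headers.append(b"Transfer-Encoding: chunked")
        payload = chunk_encode(payload, chunk_sizes)
    else:
        headers.append(b"Content-Length: %d" % len(payload))
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def dechunk(data):
    """Undo chunked framing; chunk extensions (";name=value") are ignored."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk-data
    return bytes(out)


def normalized_body(raw_response):
    """Stand-in for libhtp's response body decoding, i.e. what
    http_server_body / file_data inspect: dechunked, then decompressed.
    Only gzip is handled here (assumption; deflate etc. are not modelled)."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body


def rule_fires(raw_response, needle, buffer="payload", nocase=False):
    """Simplified model of the two rule forms in this ticket: a bare `content`
    is searched in the raw wire bytes, `content` followed by http_server_body
    (or file_data) in the normalized response body."""
    if buffer == "payload":
        haystack = raw_response
    elif buffer in ("http_server_body", "file_data"):
        haystack = normalized_body(raw_response)
    else:
        raise ValueError("unknown buffer %r" % buffer)
    if nocase:
        return needle.lower() in haystack.lower()
    return needle in haystack


if __name__ == "__main__":
    gz = build_response(HTML_BODY, gzip_body=True, chunk_sizes=[7, 13, 29, 5])
    plain = build_response(HTML_BODY, gzip_body=False,
                           chunk_sizes=cut_sizes_through(HTML_BODY, b"iframe"))
    for name, resp in (("gzip+chunked", gz), ("chunked only", plain)):
        for needle in (b"iframe", b"Virus Protection System"):
            print(name, needle,
                  "payload:", rule_fires(resp, needle, "payload", nocase=True),
                  "http_server_body:", rule_fires(resp, needle, "http_server_body", nocase=True))
```

Running the block prints one line per response and search string. In the gzip+chunked case neither string is visible on the wire, so only the http_server_body form fires; in the chunked-only case "Virus Protection System" happens to sit inside one chunk and still matches raw, while "iframe" is split across a chunk boundary and is only found after dechunking, which is why a rule that "works" on one capture can silently miss on another server configuration.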