Bug #229

closed

Gzip & Chunk encoding issue

Added by Gurvinder Singh about 12 years ago. Updated almost 11 years ago.

Status: Closed
Priority: Normal

Description

The following sig goes along with scanner-clean.pcap:

alert tcp any any -> any any (msg:"EID FAKEAV scanner page encountered - Initializing Virus Protection System..."; content:"Virus Protection System"; classtype:bad-unknown; sid:5600106; rev:2;)

This sig goes with iframe.pcap:

alert tcp any any -> any any (msg:"MALVERTISING hidden iframe served by nginx 2"; content:"iframe"; nocase; classtype:bad-unknown; sid:5600066; rev:1;)

Both sigs failed to fire on the attached pcaps.


Files

  • iframe.pcap (1.6 KB), Gurvinder Singh, 08/25/2010 02:22 PM
  • scanner-clean.pcap (287 KB), Gurvinder Singh, 08/25/2010 02:22 PM
  • out.log (12.6 KB), Gurvinder Singh, 08/28/2010 10:44 PM

#1 Updated by Gurvinder Singh about 12 years ago

1. The sigs provided are scanning with the content keyword, whereas the content they intend to scan is in gzip format. So to detect the attack correctly, there should be an app-layer keyword with it. The correct sig for iframe will be

alert tcp any any -> any any (msg:"MALVERTISING hidden iframe served by nginx 2"; content:"iframe"; http_server_body; nocase; classtype:bad-unknown; sid:5600066; rev:1;)

as the content which needs to be scanned is in the HTTP body, which contains the unzipped contents of the packets. I am attaching the output log from both pcaps, which will show the content which both sigs intend to find. This is generated by adding the callback function to libhtp as

htp_config_register_response_body_data(cfglist.cfg, HTPCallbackRequestBodyData);

merely to show the unzipped contents.

2. Another issue is that we don't have an http_server_body keyword to detect attacks such as drive-by download attacks, as the current keyword http_client_body only looks at HTTP requests. Hopefully support for this will be added soon.

#2 Updated by Victor Julien almost 11 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 1.2

Related to issue #308.

#3 Updated by Victor Julien almost 11 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 1.2 to 1.2beta1
  • % Done changed from 0 to 100

http_server_body and file_data have been implemented. Both inspect the normalized/dechunked/unzipped response body.
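The point made in #1 and #3, as an added example that is neither Suricata/libhtp code nor the reporter's: a response body that is both chunked and gzip-compressed never carries the literal string "iframe" on the wire, so a bare content match on raw TCP payload misses it, while a match against the dechunked and decompressed body (what http_server_body / file_data are fed) finds it. The HTML, the chunk size, the header set and the example.invalid host are all constructed for the demonstration, and the normalization is a small emulation of the libhtp behaviour, not its implementation.

```python
"""Raw-payload match vs normalized-body match on a gzip+chunked HTTP response.

Added example (not Suricata or libhtp code). Sample data is constructed.
"""
import gzip
import re

# Constructed sample body: a hidden iframe of the kind the reporter's rule targets.
# example.invalid is a placeholder host, not a real indicator.
SAMPLE_HTML = (
    b"<html><body><p>welcome</p>"
    b'<iframe src="http://example.invalid/landing" width="0" height="0"></iframe>'
    b"</body></html>"
)


def build_gzip_chunked_response(body: bytes, chunk_size: int = 37) -> bytes:
    """Build an HTTP/1.1 response with Content-Encoding: gzip and
    Transfer-Encoding: chunked (chunk_size is arbitrary, chosen to give
    several chunks)."""
    compressed = gzip.compress(body, mtime=0)
    chunks = [compressed[i:i + chunk_size] for i in range(0, len(compressed), chunk_size)]
    wire = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: nginx\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n"
    )
    return headers + wire


def split_headers(response: bytes):
    """Return (lower-cased header dict, body bytes) for a raw response."""
    head, _, rest = response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip().lower()
    return headers, rest


def dechunk(data: bytes) -> bytes:
    """Decode a chunked transfer-encoded body (RFC 7230 section 4.1).
    Chunk extensions after ';' are ignored; a bad chunk terminator raises."""
    out = bytearray()
    pos = 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size_field = data[pos:line_end].split(b";", 1)[0]
        size = int(size_field, 16)
        pos = line_end + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk terminator")
        pos += 2


def normalized_response_body(response: bytes) -> bytes:
    """Emulate the buffer http_server_body / file_data inspect: the body
    after dechunking and after undoing a gzip Content-Encoding."""
    headers, body = split_headers(response)
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body


def match_raw_payload(response: bytes, pattern: bytes) -> bool:
    """What content:"..."; nocase; does with no buffer keyword: scan raw bytes."""
    return re.search(re.escape(pattern), response, re.IGNORECASE) is not None


def match_server_body(response: bytes, pattern: bytes) -> bool:
    """What content:"..."; http_server_body; nocase; does: scan the normalized body."""
    body = normalized_response_body(response)
    return re.search(re.escape(pattern), body, re.IGNORECASE) is not None


if __name__ == "__main__":
    resp = build_gzip_chunked_response(SAMPLE_HTML)
    print("raw payload match:", match_raw_payload(resp, b"iframe"))   # False
    print("server body match:", match_server_body(resp, b"iframe"))   # True
```

The same split applies to the Virus Protection System rule in the description: the string only exists after decompression, so it has to be matched in the normalized body buffer rather than on the packet payload.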
