Project

General

Profile

Actions

Bug #28

closed

Spaces between content/uricontent: and "match" are not handled properly

Added by Will Metcalf almost 13 years ago. Updated almost 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The engine does not properly parse sigs where a space exists between the content/uricontent: and the " to signify the pattern to match.

For example in Snort this is valid syntax

content: "foo";

Our engine can't deal with this. The attached pcap has the following http requests.

11/24/09-18:13:54.398293 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:13:51.504617 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:00.413505 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:12.445494 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:36.399206 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:15:24.414425 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80

The results from running with the following rules are below. As you can see we fail to alert on sigs where a space exists between content/uricontent: and the quote to begin the pattern to match against, but do alert where no space exists in the sigs.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin (Original Sig Fails to Fire)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001340; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF changed to content fails also)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; content: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001341; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent:"adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001342; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; content:"adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001343; rev:9;)

11/24/09-18:13:51.504617 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:13:51.504617 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:13:54.398293 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:13:54.398293 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:00.413505 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:00.413505 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:36.399206 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:36.399206 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:12.445494 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:12.445494 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:15:24.414425 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:15:24.414425 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80


Files

suricata45.pcap (3.24 KB) suricata45.pcap pcap from sandnet for use test sid 2001340 Will Metcalf, 12/29/2009 08:55 PM
Actions #1

Updated by Victor Julien almost 13 years ago

  • Assignee changed from OISF Dev to Victor Julien
Actions #2

Updated by Victor Julien almost 13 years ago

  • Status changed from New to Closed

Fixed by new master.

Actions

Also available in: Atom PDF