Bug #464 (closed): Suricata http request double encoded null byte FN

Added by rmkml over 12 years ago. Updated over 12 years ago.

Status: Closed
Priority: Normal

Description

Hi,
OK, I'm continuing my Suricata testing; tested with this cmd:
wget "http://192.168.1.1/a%2500b.c"
Next, use only two Suricata signatures:
fires:
alert tcp any any -> any 80 (msg:"null byte http encoded 1"; flow:to_server,established; content:"%2500"; classtype:attempted-recon; sid:21; rev:1;)
does not fire:
alert tcp any any -> any 80 (msg:"null byte http encoded 2"; flow:to_server,established; content:"|00|"; http_uri; classtype:attempted-recon; sid:22; rev:1;)
Suricata does not fire when detecting a double-encoded null byte with http_uri; of course, Snort always fires.
Tested on Suricata git at 16 May 2012. Same results with v1.2.1.
Regards
Rmkml


Files

httpnullbytedoubleencoded.pcap (1.23 KB), rmkml, 05/19/2012 04:02 PM

#1

Updated by Anoop Saldanha over 12 years ago

To update on what rmkml has posted, any double encoded sequence isn't double decoded by libhtp.

#2

Updated by Victor Julien over 12 years ago

Ideally libhtp would take care of this.

#3

Updated by Victor Julien over 12 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 1.3beta2

#4

Updated by Victor Julien over 12 years ago

  • Target version changed from 1.3beta2 to 1.3rc1
#5

Updated by Victor Julien over 12 years ago

  • Status changed from Assigned to Closed

Fixed by improving the HTPCallbackRequestUriNormalize callback.

#6

Updated by Victor Julien over 12 years ago

  • Status changed from Closed to Assigned
  • Target version changed from 1.3rc1 to 1.3.1

Playing with Apache and this encoding, the original behaviour was correct after all. Apache (the server used in the pcap) doesn't seem to decode %00 or its double-encoded variant %2500. In such a case Suricata should not invent its own decoding. It should stay as close to what the end host does as possible.

#7

Updated by Victor Julien over 12 years ago

To update further, in my testing against Apache 2.2 I see the following:

- www.domain.tld/f%69les/ opens "files"
- www.domain.tld/f%2569les/ gives 404 for "/f%69les/"

So no double decoding, but single decoding is performed.

Another Apache 2.2 server has the same behaviour. Apache behaviour documented here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP_profiles#Apache2-2216-6squeeze7

#8

Updated by Victor Julien over 12 years ago

  • Status changed from Assigned to Closed

Updated this to double decode only if instructed to in the config:

#   double-decode-path:     Double decode path section of the URI
#   double-decode-query:    Double decode query section of the URI
libhtp:
   default-config:
     personality: IDS
     double-decode-path: no
     double-decode-query: no
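The following is an added example, not Suricata or libhtp code, that models the decoding choices argued over in this ticket: the description's two-signature test (sid 21 on the raw "%2500", sid 22 on a NUL in the http_uri buffer), the single-decoding behaviour of Apache 2.2 from comment #7, and the double-decode-path / double-decode-query options from comment #8. It assumes that a plain content match runs against the raw request bytes while an http_uri match runs against the normalized URI, and it models percent-decoding only (real libhtp normalization does more, such as path segment handling). The request line and URIs are constructed from the values quoted in the ticket.

```python
# Added example (not Suricata or libhtp code): a small model of the URI
# percent-decoding choices discussed in this ticket. Single decoding is always
# applied (what Apache 2.2 does per comment #7); a second pass is applied only
# when the double-decode-path / double-decode-query options from comment #8 are
# on. The request line and URIs below are constructed from the ticket.
from dataclasses import dataclass

_HEX = b"0123456789abcdefABCDEF"


def percent_decode_once(raw: bytes) -> bytes:
    """One pass of %XX decoding.

    A '%' not followed by two hex digits (e.g. '%zz' or a trailing '%') is
    copied through unchanged, so a malformed sequence can never turn into a
    different byte. Output is bytes because a decoded %00 is a NUL, not text.
    """
    out = bytearray()
    i, n = 0, len(raw)
    while i < n:
        if raw[i] == 0x25 and i + 2 < n and raw[i + 1] in _HEX and raw[i + 2] in _HEX:
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


@dataclass(frozen=True)
class DecodeConfig:
    """Mirrors the two libhtp options quoted in comment #8 (both off by default)."""
    double_decode_path: bool = False
    double_decode_query: bool = False


def normalize_uri(raw_uri: bytes, cfg: DecodeConfig = DecodeConfig()) -> bytes:
    """Decode path and query separately; each gets a second pass only if its option is on.

    Only percent-decoding is modelled here (assumption of this example); real
    libhtp normalization does more, e.g. path segment handling.
    """
    path, sep, query = raw_uri.partition(b"?")
    path = percent_decode_once(path)
    if cfg.double_decode_path:
        path = percent_decode_once(path)
    if sep:
        query = percent_decode_once(query)
        if cfg.double_decode_query:
            query = percent_decode_once(query)
    return path + sep + query


def uri_from_request_line(request_line: bytes) -> bytes:
    """b'GET /a%2500b.c HTTP/1.1\\r\\n' -> b'/a%2500b.c'."""
    return request_line.split(b" ")[1]


def evaluate_signatures(request_line: bytes, cfg: DecodeConfig = DecodeConfig()) -> dict:
    """Apply the two content matches from the ticket's description.

    Assumption of this model: sid 21's plain content matches the raw payload
    as sent on the wire, while sid 22's http_uri content matches the
    normalized URI. Returns {sid: fired}.
    """
    normalized = normalize_uri(uri_from_request_line(request_line), cfg)
    return {
        21: b"%2500" in request_line,   # content:"%2500" with no buffer modifier
        22: b"\x00" in normalized,      # content:"|00|"; http_uri;
    }


# Constructed request line matching the wget command in the description.
REQUEST_LINE = b"GET /a%2500b.c HTTP/1.1\r\n"

if __name__ == "__main__":
    for cfg in (DecodeConfig(), DecodeConfig(double_decode_path=True)):
        uri = normalize_uri(uri_from_request_line(REQUEST_LINE), cfg)
        print(cfg, uri, evaluate_signatures(REQUEST_LINE, cfg))
    # The two Apache 2.2 observations from comment #7, single decoding only.
    for uri in (b"/f%69les/", b"/f%2569les/"):
        print(uri, "->", normalize_uri(uri))
```

With the default configuration the model reproduces the ticket: sid 21 fires on the raw bytes and sid 22 does not, because "/a%2500b.c" decodes once to "/a%00b.c" and no NUL ever appears in the URI buffer, exactly as Apache sees it. Turning on double-decode-path makes sid 22 fire, and turns "/f%2569les/" into "/files/", which is the request Apache would not have served.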