Bug #474

closed

suricata and libhtp FN problem

Added by Pedro Marinho almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello Gentlemen,

I am having a problem with suricata not recognizing legit http because libhtp does take into account a blank space between the colon of the http header field name and the http header field value.

0000 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1..
0010 48 4f 53 54 3a 77 77 77 2e 67 6f 6f 67 6c 65 2e HOST:www.google.
0020 63 6f 6d 0d 0a 0d 0a 00 00 00 00 00 00 00 00 00 com.............
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0590 00 00 00 00 00 00 ......

#at libhtp at htp_request_generic.c

// Value

value_start = colon_pos;
// Go over the colon
if (value_start < len) {
value_start++;
}
// Ignore LWS before field-content
while ((value_start < len) && (htp_is_lws(data[value_start]))) {
value_start++;
}
// Look for the end of field-content
value_end = value_start;
while (value_end < len) value_end++;
// Ignore LWS after field-content
prev = value_end - 1;
while ((prev > value_start) && (htp_is_lws(data[prev]))) { ////////// here not true
prev--;
value_end--;
}

#sig not working

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Backdoor.Win32/Dervec.gen Connectivity Check"; flow:established,to_server; content:"HOST|3a|www.google"; http_header; classtype:trojan-activity; reference:md5,5eaae2d6a4b5d338b83ea5d97af93672; sid:6446; rev:1;)

  1. seems that web servers don't care about the missing blank space

GET / HTTP/1.1
host:foo

HTTP/1.1 200 OK
Date: Tue, 29 May 2012 18:55:26 GMT
Server: Apache/2.2.15 (Scientific Linux)
X-Powered-By: PHP/5.3.3
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

32
I'm php script...I'm ugly when I'm angryArray
(
)

###########################suricata version
[root@krynn suricata-1.2.1]# suricata -V
This is Suricata version 1.2.1 RELEASE

libhtp version is htp-0.2.8

Actions #1

Updated by Pedro Marinho almost 12 years ago

Actually, the problem is here:

// Ignore LWS before field-content
while ((value_start < len) && (htp_is_lws(data[value_start]))) {
value_start++;
}

Sorry, tired eyes.

Actions #2

Updated by Pedro Marinho almost 12 years ago

Gentlemen,

With http_raw_header it did work. Sorry about the noise; I thought something was wrong with the libhtp parser.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Backdoor.Win32/Dervec.gen Connectivity Check"; flow:established,to_server; content:"HOST|3a|www.google"; http_raw_header; classtype:trojan-activity; reference:md5,5eaae2d6a4b5d338b83ea5d97af93672; sid:6446; rev:1;)

[root@krynn suricata-1.2.1]# suricata -c suricata.yaml -r /home/pedro/sandnetResearch/5eaae2d6a4b5d338b83ea5d97af93672.pcap

[root@krynn suricata-1.2.1]# tail -f /var/log/suricata/fast.log
05/26/2012-15:52:38.930146 [**] [1:6446:1] ETPRO TROJAN Backdoor.Win32/Dervec.gen Connectivity Check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.5:1032 -> 74.125.225.80:80

Actions #3

Updated by Victor Julien almost 12 years ago

  • Status changed from New to Closed

Suricata's http_header normalises a header line to have a single space between the name and value.

name:value becomes name: value

Like Pedro said, http_raw_header allows for matching on the original header.
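To make the explanation above (and the difference Pedro saw between http_header and http_raw_header) concrete, here is an added Python example; it is not code from Suricata or libhtp. It decodes the rule's content string with its |3a| hex escape, splits a header line the way the libhtp excerpt in the description does (name up to the first colon, LWS before and after the value dropped), and builds both a raw and a normalised header buffer for a request constructed like the one in the capture. The buffer layout beyond the "name: value" rewrite (one header per line terminated by CRLF, request line excluded) is an assumption made for the example.

```python
# Added example: why content:"HOST|3a|www.google" matches the raw header
# buffer but not the normalised http_header buffer. Not Suricata/libhtp code.

# Constructed sample request modelled on the capture in the report:
# the client sends "HOST:www.google.com" with no space after the colon.
RAW_REQUEST = b"GET / HTTP/1.1\r\nHOST:www.google.com\r\n\r\n"

# The content string from the rule in the report (|3a| is a colon).
RULE_CONTENT = "HOST|3a|www.google"


def decode_content(pattern: str) -> bytes:
    """Decode a Suricata 'content' string: literal text with |hh hh| hex escapes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)       # hex segment between the pipes
    return bytes(out)


def is_lws(b: int) -> bool:
    """Linear whitespace around a header value: space or horizontal tab."""
    return b in (0x20, 0x09)


def parse_header_line(line: bytes):
    """Split one header line like the libhtp excerpt: name ends at the first
    colon, LWS before and after the value is ignored. Returns (name, value)
    or None when there is no colon."""
    colon = line.find(b":")
    if colon < 0:
        return None
    name = line[:colon]
    value_start = colon + 1                      # step over the colon
    while value_start < len(line) and is_lws(line[value_start]):
        value_start += 1                         # ignore LWS before field-content
    value_end = len(line)
    while value_end > value_start and is_lws(line[value_end - 1]):
        value_end -= 1                           # ignore LWS after field-content
    return name, line[value_start:value_end]


def _header_lines(request: bytes):
    head, _, _ = request.partition(b"\r\n\r\n")
    return head.split(b"\r\n")[1:]               # drop the request line (assumption)


def raw_header_buffer(request: bytes) -> bytes:
    """What http_raw_header matches on: header lines as seen on the wire."""
    return b"".join(line + b"\r\n" for line in _header_lines(request))


def normalized_header_buffer(request: bytes) -> bytes:
    """What http_header matches on: every header re-emitted as 'name: value',
    i.e. exactly one space after the colon, whatever the client sent."""
    out = bytearray()
    for line in _header_lines(request):
        parsed = parse_header_line(line)
        if parsed is None:
            continue
        name, value = parsed
        out += name + b": " + value + b"\r\n"
    return bytes(out)


def rule_matches(content: str, buffer: bytes) -> bool:
    """Plain substring match of a decoded content string against a buffer."""
    return decode_content(content) in buffer


def explain(request: bytes, content: str) -> dict:
    """Report the match result per buffer so the false negative is visible."""
    return {
        "http_raw_header": rule_matches(content, raw_header_buffer(request)),
        "http_header": rule_matches(content, normalized_header_buffer(request)),
    }


if __name__ == "__main__":
    for name, hit in explain(RAW_REQUEST, RULE_CONTENT).items():
        print(f"{name:16s} -> {'match' if hit else 'no match'}")
```

Running it shows http_raw_header matching and http_header not: the bytes "HOST:www.google" are present on the wire but the normalised buffer contains "HOST: www.google". For a rule that must use http_header, content:"HOST|3a 20|www.google" (colon followed by the single normalised space) matches the normalised form regardless of how the client spaced the header.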
