Bug #508

Suricata FN on http_header or http_user_agent

Added by rmkml over 12 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

OK, start a wget HTTP request:
wget --user-agent="Mozilla\";" http://x.y.com
(the resulting header is: User-Agent: Mozilla"; )
Attached a pcap file.

1) OK, create a very simple sig; Suricata fires:
... flow:to_server,established; content:"\"\;"; ...

2) Another sig, but Suricata does not fire. Why?
... flow:to_server,established; content:"\"\;"; http_header; ...

3) Another sig, but Suricata does not fire. Why?
... flow:to_server,established; content:"\"\;"; http_user_agent; ...

Same problem when replacing " with |22|
or ; with |3b|.

Of course Snort fires every time.
Regards
Rmkml


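The four content strings tried above (escaped characters vs. |22| / |3b| hex) are meant to be equivalent, so the first thing to verify is that they really decode to the same two bytes and that those bytes occur both in the raw payload (sig 1) and in the User-Agent value alone (sig 3). The following is an added example written for this page, not code from the ticket or from Suricata: a small decoder for the content:"..." notation (the \" \; \: \\ escapes and |..| hex blocks that Suricata's rule format defines) run against a constructed copy of the request wget produces. The exact header set in REQUEST is an assumption; only the User-Agent line matters.

```python
from typing import Dict, Optional, Tuple

# Added example, not Suricata code: decode the body of a content:"..."
# keyword into raw bytes. Supported notation, per the Suricata rule format:
#   \"  \;  \:  \\   escaped double quote, semicolon, colon, backslash
#   |XX XX ...|     hex bytes, spaces optional
# Everything else is taken literally.
def decode_content(body: str) -> bytes:
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            if i + 1 >= len(body) or body[i + 1] not in '";:\\':
                raise ValueError(f"bad escape at offset {i}")
            out.append(ord(body[i + 1]))
            i += 2
        elif c == "|":
            end = body.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated hex block")
            hexdigits = body[i + 1:end].replace(" ", "")
            if not hexdigits or len(hexdigits) % 2:
                raise ValueError("hex block must hold whole bytes")
            out += bytes.fromhex(hexdigits)
            i = end + 1
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


# Constructed request (an assumption about what wget sends; only the
# User-Agent line is taken from the ticket).
REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b'User-Agent: Mozilla";\r\n'
    b"Accept: */*\r\n"
    b"Host: x.y.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)


def header_value(request: bytes, name: bytes) -> Optional[bytes]:
    """Return the value of header `name` (case-insensitive), or None."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


# The content bodies from the ticket: escaped form and the hex substitutions.
RULE_BODIES = [r'\"\;', r'|22|\;', r'\"|3b|', '|22 3b|']


def check_all() -> Dict[str, Tuple[bool, bool]]:
    """For each content body: (matches raw payload, matches User-Agent buffer)."""
    ua = header_value(REQUEST, b"user-agent") or b""
    results = {}
    for body in RULE_BODIES:
        needle = decode_content(body)
        results[body] = (needle in REQUEST, needle in ua)
    return results


if __name__ == "__main__":
    for body, (raw, ua) in check_all().items():
        print(f'content:"{body}" -> {decode_content(body)!r}  payload={raw}  http_user_agent={ua}')
```

All four bodies decode to the same two bytes and match both buffers, which is consistent with the later finding that the rules and the http_user_agent / http_header buffers were not the problem.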
#1

Updated by Anoop Saldanha over 12 years ago

  • Assignee set to Anoop Saldanha
#2

Updated by Peter Manev over 12 years ago

This is a very good catch, rmkml.

#3

Updated by Anoop Saldanha over 12 years ago

Have attached the patch.

The issue is not an FN on http_user_agent or http_header, but reassembly not happening, since we didn't accept a particular combination of TCP flags, which in your case was (ACK | PUSH | CWR).

My solution patches it for your pcap, but there should be many more such flag combinations which should make evasion easy.

Btw, this issue isn't new for us. I had mailed on this last year, but we somehow forgot to fix it. Thanks rmkml.

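The root cause described in the comment above is a class of bug, not a single missing entry: if the stream engine gates reassembly on an exact table of "known good" flag combinations, any segment that sets a bit the table does not list (here CWR, an ECN signal that says nothing about stream state) is dropped before reassembly, so every buffer-specific rule silently misses it while Snort still sees the payload. The following is an added illustration, not Suricata's code and not the patch attached to this ticket: a hypothetical exact-match gate beside one that masks the ECN bits before deciding, plus an enumeration of the combinations the naive gate lets an attacker use for evasion.

```python
# Added illustration (not Suricata code, not the ticket's patch): TCP flag
# gating before reassembly, naive exact-match table vs. masked check.

# TCP header flag bits, low to high as they appear on the wire.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
         ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def flag_str(flags: int) -> str:
    """Render a flag byte as e.g. 'PSH|ACK|CWR'."""
    return "|".join(n for bit, n in NAMES.items() if flags & bit) or "0"


# Hypothetical naive gate: the only combinations accepted for data segments
# on an established flow. Anything else is dropped before reassembly.
NAIVE_ACCEPT = {ACK, ACK | PSH, ACK | FIN, ACK | FIN | PSH,
                ACK | URG, ACK | PSH | URG}


def naive_accept(flags: int) -> bool:
    return flags in NAIVE_ACCEPT


# Hardened gate: strip bits that carry no stream-state meaning (the ECN
# signals CWR and ECE), then decide on the bits that do: ACK must be set,
# SYN and RST must be clear. Whatever else rides along is irrelevant here.
ECN_BITS = CWR | ECE


def hardened_accept(flags: int) -> bool:
    base = flags & ~ECN_BITS
    return bool(base & ACK) and not (base & (SYN | RST))


def evasion_flags() -> list:
    """Flag bytes a peer will happily accept as data that the naive gate drops."""
    return sorted(f for f in range(256)
                  if hardened_accept(f) and not naive_accept(f))


def ticket_case() -> tuple:
    """The combination from the pcap in this ticket: (naive, hardened)."""
    seg = ACK | PSH | CWR
    return naive_accept(seg), hardened_accept(seg)


if __name__ == "__main__":
    seg = ACK | PSH | CWR
    print(f"{flag_str(seg)}: naive={naive_accept(seg)} hardened={hardened_accept(seg)}")
    print(f"{len(evasion_flags())} combinations pass the peer but not the naive gate:")
    for f in evasion_flags():
        print("  ", flag_str(f))
```

The real stream engine also consults connection state, sequence windows and the direction of the segment; this isolates only the flag-gating step, which is where this ticket's packet was lost. The design point is that acceptance should be decided on the bits that change the state machine (SYN, FIN, RST, ACK) with everything else masked off, rather than on an enumerated list that has to anticipate every combination a sender or middlebox may produce.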
#5

Updated by Victor Julien over 12 years ago

  • Status changed from New to Closed
  • Target version set to 1.3.1
  • % Done changed from 0 to 100

Applied, thanks Anoop.
