Project

General

Profile

Actions

Bug #739

closed

backslash matching problem - http protocol

Added by Peter Manev almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
Using:


root@LTS-64-1:~/Work/Python/Scripts# suricata --build-info
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:560) <Info> (SCPrintBuildInfo) -- This is Suricata version 1.4dev (rev 8f19024)
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:633) <Info> (SCPrintBuildInfo) -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW HAVE_NSS 
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:647) <Info> (SCPrintBuildInfo) -- 64-bits, Little-endian architecture
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:649) <Info> (SCPrintBuildInfo) -- GCC version 4.6.3, C version 199901
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:655) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:658) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:661) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:664) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:671) <Info> (SCPrintBuildInfo) -- compiled with -fstack-protector
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:677) <Info> (SCPrintBuildInfo) -- compiled with _FORTIFY_SOURCE=2
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:680) <Info> (SCPrintBuildInfo) -- compiled with libhtp 0.2.11, linked against 0.2.11

default config, with the following adjustments:

midstream: true
async-oneside: true
checksum-validation: no

One packet pcap provided privately.
Running Suriacta as follows:
suricata -c /etc/suricata/suricata.yaml -S rulefile.rules -r private.pcap --runmode=single

The following rules have been tried on the packet:

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=|5C||22||3C|script|3E|alert(document.cookie)|3C|/script|3E|"; http_uri; uricontent:"/emailfriend/emailnews.php?id=|5C||22||3C|script|3E|alert(document.cookie)|3C|/script|3E|";   reference:url,nikto-scans; sid:8000041; rev:1;)
#the rule above , loads , but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=\"; http_uri; sid:8000041; rev:1;)
#the above rule loads but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=|5C|"; http_uri; sid:8000041; rev:1;)
#the above rule loads but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|5C 22|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
# no match, no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|5C|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#no match, no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id="; http_uri; sid:8000041; rev:1;)
#match, alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|22|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#match, alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"<script>"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#match, alert

alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|22 3C|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#matches, alert

as soon as you try to match

\

(or |5C| ) - it never matches .... anything else - it matches and there is an alert...

In all the runs however it always sees and logs the http request:

01/25/2013-11:19:15.730143 www.net1.bg [**] /emailfriend/emailnews.php?id=\\\x22<script>alert(document.cookie)</script> [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:000704) [**] 10.0.2.15:58307 -> x.x.x.x:80

Thank you

Actions #1

Updated by Victor Julien almost 12 years ago

  • Assignee set to OISF Dev
  • Target version set to 1.4.1

This appears to be a normalization issue. In HTPCallbackRequestUriNormalizeQuery we get as input:

 0000  69 64 3D 5C 22 3C 73 63  72 69 70 74 3E 61 6C 65   id=\"<sc ript>ale
 0010  72 74 28 64 6F 63 75 6D  65 6E 74 2E 63 6F 6F 6B   rt(docum ent.cook
 0020  69 65 29 3C 2F 73 63 72  69 70 74 3E               ie)</scr ipt>

Which is expected, but then when we're done with it, it has become:
 0000  69 64 3D 2F 22 3C 73 63  72 69 70 74 3E 61 6C 65   id=/"<sc ript>ale
 0010  72 74 28 64 6F 63 75 6D  65 6E 74 2E 63 6F 6F 6B   rt(docum ent.cook
 0020  69 65 29 3C 2F 73 63 72  69 70 74 3E               ie)</scr ipt>

The backslash flipped forward, so become a forward slash (5c -> 3c).

http.log logs the raw uri. Matching on the raw uri also works. This matches:

alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|5C 22|"; http_raw_uri; reference:url,nikto-scans; sid:10; rev:1;)

Actions #2

Updated by Victor Julien almost 12 years ago

  • Priority changed from Normal to High
Actions #3

Updated by Victor Julien almost 12 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
Actions #4

Updated by Victor Julien almost 12 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
  • % Done changed from 0 to 100

Addressed by:

commit cc51eec59dfd1e9294b13fc85f462d7816542f46
Author: Victor Julien <victor@inliniac.net>
Date:   Wed Feb 20 16:13:40 2013 +0100

    Use new libhtp query string normalization. Bug #739.

commit d41c762689a08e6814dc93e8bfebeceab97175c3
Author: Victor Julien <victor@inliniac.net>
Date:   Wed Feb 20 16:13:14 2013 +0100

    Add separate libhtp query string normalization function and configuration toggles for it.

Actions

Also available in: Atom PDF