Bug #739
backslash matching problem - http protocol
Status: Closed
Description
Hi,
Using:
root@LTS-64-1:~/Work/Python/Scripts# suricata --build-info
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:560) <Info> (SCPrintBuildInfo) -- This is Suricata version 1.4dev (rev 8f19024)
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:633) <Info> (SCPrintBuildInfo) -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW HAVE_NSS
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:647) <Info> (SCPrintBuildInfo) -- 64-bits, Little-endian architecture
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:649) <Info> (SCPrintBuildInfo) -- GCC version 4.6.3, C version 199901
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:655) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:658) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:661) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:664) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:671) <Info> (SCPrintBuildInfo) -- compiled with -fstack-protector
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:677) <Info> (SCPrintBuildInfo) -- compiled with _FORTIFY_SOURCE=2
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:680) <Info> (SCPrintBuildInfo) -- compiled with libhtp 0.2.11, linked against 0.2.11
default config, with the following adjustments:
midstream: true
async-oneside: true
checksum-validation: no
One packet pcap provided privately.
Running Suricata as follows:
suricata -c /etc/suricata/suricata.yaml -S rulefile.rules -r private.pcap --runmode=single
The following rules have been tried on the packet:
#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=|5C||22||3C|script|3E|alert(document.cookie)|3C|/script|3E|"; http_uri; uricontent:"/emailfriend/emailnews.php?id=|5C||22||3C|script|3E|alert(document.cookie)|3C|/script|3E|"; reference:url,nikto-scans; sid:8000041; rev:1;)
#the rule above loads, but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=\"; http_uri; sid:8000041; rev:1;)
#the above rule loads but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=|5C|"; http_uri; sid:8000041; rev:1;)
#the above rule loads but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"|5C 22|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
# no match, no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"|5C|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#no match, no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id="; http_uri; sid:8000041; rev:1;)
#match, alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"|22|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#match, alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"<script>"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#match, alert

alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"|22 3C|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#matches, alert
As soon as you try to match \ (or |5C|), it never matches. Anything else matches and there is an alert.
In all the runs however it always sees and logs the http request:
01/25/2013-11:19:15.730143 www.net1.bg [**] /emailfriend/emailnews.php?id=\\\x22<script>alert(document.cookie)</script> [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:000704) [**] 10.0.2.15:58307 -> x.x.x.x:80
Thank you
Updated by Victor Julien almost 12 years ago
- Assignee set to OISF Dev
- Target version set to 1.4.1
This appears to be a normalization issue. In HTPCallbackRequestUriNormalizeQuery we get as input:
0000  69 64 3D 5C 22 3C 73 63  72 69 70 74 3E 61 6C 65  id=\"<sc ript>ale
0010  72 74 28 64 6F 63 75 6D  65 6E 74 2E 63 6F 6F 6B  rt(docum ent.cook
0020  69 65 29 3C 2F 73 63 72  69 70 74 3E              ie)</scr ipt>
Which is expected, but then when we're done with it, it has become:
0000  69 64 3D 2F 22 3C 73 63  72 69 70 74 3E 61 6C 65  id=/"<sc ript>ale
0010  72 74 28 64 6F 63 75 6D  65 6E 74 2E 63 6F 6F 6B  rt(docum ent.cook
0020  69 65 29 3C 2F 73 63 72  69 70 74 3E              ie)</scr ipt>
The backslash flipped forward, so it became a forward slash (5c -> 3c).
http.log logs the raw uri. Matching on the raw uri also works. This matches:
alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"|5C 22|"; http_raw_uri; reference:url,nikto-scans; sid:10; rev:1;)
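A small model of the mismatch described in the comment above, added here as an example; it is not code from Suricata or libhtp. It decodes the content: patterns from the report into bytes, applies the one transformation the two hexdumps show (backslash becoming forward slash) to the query string, and reports which patterns match the normalized buffer that http_uri inspects versus the raw buffer that http_raw_uri inspects. The normalize_uri function is a deliberately reduced stand-in for libhtp's normalization, the raw request-URI is reconstructed from the http.log line in the report, and the assumption that a separate query normalization leaves backslashes untouched is mine.

```python
"""Model of the http_uri vs http_raw_uri mismatch behind bug #739.

Added example, not Suricata or libhtp code.  normalize_uri() models only
the backslash rule visible in the hexdumps; real libhtp also percent-
decodes, collapses /./ and /../ segments, and more.
"""

# Raw request-URI, reconstructed here from the http.log line in the report
# (constructed input, not taken from the pcap).
RAW_URI = b'/emailfriend/emailnews.php?id=\\"<script>alert(document.cookie)</script>'

# Characters that may follow a backslash inside a content: string.
_ESCAPABLE = set(b'\\";:')


def parse_content(pattern: str) -> bytes:
    """Decode a Suricata content: string into the bytes it matches.

    Text outside |...| is literal (backslash escapes \\ " ; and :);
    inside |...| are hex byte values separated by whitespace, so
    '|5C 22|' and '|5C||22|' both decode to b'\\"'.
    """
    out = bytearray()
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "|":
            j = pattern.find("|", i + 1)
            if j < 0:
                raise ValueError("unterminated hex block in content")
            for hx in pattern[i + 1:j].split():
                out.append(int(hx, 16))
            i = j + 1
        elif c == "\\":
            if i + 1 >= n or ord(pattern[i + 1]) not in _ESCAPABLE:
                raise ValueError("bad escape in content")
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out += c.encode("latin-1")
            i += 1
    return bytes(out)


def normalize_uri(raw: bytes, backslash_in_query: bool) -> bytes:
    """Reduced model of the normalized buffer http_uri is matched against.

    backslash_in_query=True reproduces the pre-fix behaviour from the
    hexdumps: the path rule (backslash -> forward slash) is also applied
    to the query string.  False models a separate query normalization
    that leaves backslashes alone (my assumption about the fix).
    """
    path, sep, query = raw.partition(b"?")
    path = path.replace(b"\\", b"/")
    if not sep:
        return path
    if backslash_in_query:
        query = query.replace(b"\\", b"/")
    return path + b"?" + query


def matches(content: str, buf: bytes) -> bool:
    """Plain substring match, as a single content: keyword does."""
    return parse_content(content) in buf


def check_rules(raw: bytes = RAW_URI) -> dict:
    """For each content pattern from the report, return a triple:
    (matches pre-fix http_uri buffer, matches http_raw_uri buffer,
     matches post-fix http_uri buffer)."""
    pre = normalize_uri(raw, backslash_in_query=True)
    post = normalize_uri(raw, backslash_in_query=False)
    patterns = [
        "|5C|",
        "|5C 22|",
        "|22|",
        "|22 3C|",
        "<script>",
        "/emailfriend/emailnews.php?id=|5C||22||3C|script|3E|",
    ]
    return {p: (matches(p, pre), matches(p, raw), matches(p, post)) for p in patterns}


if __name__ == "__main__":
    print("pre-fix http_uri buffer :", normalize_uri(RAW_URI, True))
    print("http_raw_uri buffer     :", RAW_URI)
    for pat, (pre, rawm, post) in check_rules().items():
        print(f"{pat:55s} pre={pre!s:5} raw={rawm!s:5} post={post}")
```

Every pattern containing |5C| fails against the pre-fix buffer and succeeds against the raw one, which is exactly the split between the "no alert" and "alert" rules in the report, and why the http_raw_uri rule in the comment above matches.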
Updated by Victor Julien almost 12 years ago
- Priority changed from Normal to High
Updated by Victor Julien almost 12 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien almost 12 years ago
- Status changed from Assigned to Closed
- Priority changed from High to Normal
- % Done changed from 0 to 100
Addressed by:
commit cc51eec59dfd1e9294b13fc85f462d7816542f46
Author: Victor Julien <victor@inliniac.net>
Date:   Wed Feb 20 16:13:40 2013 +0100

    Use new libhtp query string normalization. Bug #739.

commit d41c762689a08e6814dc93e8bfebeceab97175c3
Author: Victor Julien <victor@inliniac.net>
Date:   Wed Feb 20 16:13:14 2013 +0100

    Add separate libhtp query string normalization function and configuration toggles for it.