Bug #739: backslash matching problem - http protocol - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #739

closed

backslash matching problem - http protocol

Added by Peter Manev over 11 years ago. Updated about 11 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

1.4.1

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hi,
Using:


root@LTS-64-1:~/Work/Python/Scripts# suricata --build-info
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:560) <Info> (SCPrintBuildInfo) -- This is Suricata version 1.4dev (rev 8f19024)
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:633) <Info> (SCPrintBuildInfo) -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW HAVE_NSS 
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:647) <Info> (SCPrintBuildInfo) -- 64-bits, Little-endian architecture
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:649) <Info> (SCPrintBuildInfo) -- GCC version 4.6.3, C version 199901
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:655) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:658) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:661) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:664) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:671) <Info> (SCPrintBuildInfo) -- compiled with -fstack-protector
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:677) <Info> (SCPrintBuildInfo) -- compiled with _FORTIFY_SOURCE=2
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:680) <Info> (SCPrintBuildInfo) -- compiled with libhtp 0.2.11, linked against 0.2.11

default config, with the following adjustments:

midstream: true
async-oneside: true
checksum-validation: no

One packet pcap provided privately.
Running Suriacta as follows:
suricata -c /etc/suricata/suricata.yaml -S rulefile.rules -r private.pcap --runmode=single

The following rules have been tried on the packet:

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=|5C||22||3C|script|3E|alert(document.cookie)|3C|/script|3E|"; http_uri; uricontent:"/emailfriend/emailnews.php?id=|5C||22||3C|script|3E|alert(document.cookie)|3C|/script|3E|";   reference:url,nikto-scans; sid:8000041; rev:1;)
#the rule above , loads , but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=\"; http_uri; sid:8000041; rev:1;)
#the above rule loads but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=|5C|"; http_uri; sid:8000041; rev:1;)
#the above rule loads but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|5C 22|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
# no match, no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|5C|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#no match, no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id="; http_uri; sid:8000041; rev:1;)
#match, alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|22|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#match, alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"<script>"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#match, alert

alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|22 3C|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#matches, alert

as soon as you try to match

(or |5C| ) - it never matches .... anything else - it matches and there is an alert...

In all the runs however it always sees and logs the http request:

01/25/2013-11:19:15.730143 www.net1.bg [**] /emailfriend/emailnews.php?id=\\\x22<script>alert(document.cookie)</script> [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:000704) [**] 10.0.2.15:58307 -> x.x.x.x:80

Thank you

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #739

backslash matching problem - http protocol

Updated by Victor Julien over 11 years ago

Updated by Victor Julien about 11 years ago

Updated by Victor Julien about 11 years ago

Updated by Victor Julien about 11 years ago