
Bug #739

closed

backslash matching problem - http protocol

Added by Peter Manev almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
Using:
root@LTS-64-1:~/Work/Python/Scripts# suricata --build-info
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:560) <Info> (SCPrintBuildInfo) -- This is Suricata version 1.4dev (rev 8f19024)
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:633) <Info> (SCPrintBuildInfo) -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW HAVE_NSS 
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:647) <Info> (SCPrintBuildInfo) -- 64-bits, Little-endian architecture
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:649) <Info> (SCPrintBuildInfo) -- GCC version 4.6.3, C version 199901
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:655) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:658) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:661) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:664) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:671) <Info> (SCPrintBuildInfo) -- compiled with -fstack-protector
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:677) <Info> (SCPrintBuildInfo) -- compiled with _FORTIFY_SOURCE=2
[2650] 29/1/2013 -- 10:02:10 - (suricata.c:680) <Info> (SCPrintBuildInfo) -- compiled with libhtp 0.2.11, linked against 0.2.11

default config, with the following adjustments:

midstream: true
async-oneside: true
checksum-validation: no

One packet pcap provided privately.
Running Suricata as follows:
suricata -c /etc/suricata/suricata.yaml -S rulefile.rules -r private.pcap --runmode=single

The following rules have been tried on the packet:

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=|5C||22||3C|script|3E|alert(document.cookie)|3C|/script|3E|"; http_uri; uricontent:"/emailfriend/emailnews.php?id=|5C||22||3C|script|3E|alert(document.cookie)|3C|/script|3E|";   reference:url,nikto-scans; sid:8000041; rev:1;)
#the rule above loads, but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=\"; http_uri; sid:8000041; rev:1;)
#the above rule loads but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id=|5C|"; http_uri; sid:8000041; rev:1;)
#the above rule loads but there is no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|5C 22|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
# no match, no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|5C|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#no match, no alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 "; content:"GET"; http_method; content:"/emailfriend/emailnews.php?id="; http_uri; sid:8000041; rev:1;)
#match, alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|22|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#match, alert

#alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"<script>"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#match, alert

alert http any any -> any any (msg:"HTTP requests tests - sid 8000041 , pcap - 8000041 ";   content:"GET"; http_method; content:"|22 3C|"; http_uri; reference:url,nikto-scans; sid:8000041; rev:1;)
#matches, alert

As soon as you try to match

\

(or |5C|), it never matches. Anything else matches and there is an alert...

In all the runs, however, it always sees and logs the HTTP request:

01/25/2013-11:19:15.730143 www.net1.bg [**] /emailfriend/emailnews.php?id=\\\x22<script>alert(document.cookie)</script> [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:000704) [**] 10.0.2.15:58307 -> x.x.x.x:80

Thank you
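As an added illustration (not code from the ticket, the reporter, or Suricata itself): a small Python model of how a content: string is decoded into the bytes that are matched, checked against the URI shown in the http.log line above and against a hypothetical normalised copy in which backslashes have been converted to forward slashes. The normaliser, the constant names and the simplified escape handling are assumptions made for this example.

```python
import re

# Constructed sample values for this example (not Suricata's own code):
# the URI as the ticket's http.log line shows it (one backslash, then a
# double quote), and content: patterns from the ticket whose results differ.
RAW_URI = b'/emailfriend/emailnews.php?id=\\"<script>alert(document.cookie)</script>'
PATTERN_PREFIX = r"/emailfriend/emailnews.php?id=|5C||22||3C|script|3E|alert(document.cookie)|3C|/script|3E|"
PATTERN_BACKSLASH = r"|5C|"
PATTERN_QUOTE_LT = r"|22 3C|"

# Tokens of a content: string: a |XX XX| hex run, a backslash-escaped
# character, or a plain character.
_TOKEN = re.compile(r"\|([0-9A-Fa-f\s]+)\||\\(.)|(.)", re.S)


def decode_content(pattern: str) -> bytes:
    """Decode a content: string into the bytes that are matched.

    |XX XX| runs are hex bytes; a backslash escapes the next character
    (so a literal backslash has to be written as \\\\ or |5C|, and
    "id=\\"" decodes to id=" with no backslash at all). Simplified model.
    """
    out = bytearray()
    for hexrun, escaped, plain in _TOKEN.findall(pattern):
        if hexrun:
            out += bytes.fromhex("".join(hexrun.split()))
        elif escaped:
            out += escaped.encode()
        else:
            out += plain.encode()
    return bytes(out)


def normalize_uri(raw: bytes) -> bytes:
    """Hypothetical normaliser, for illustration only: converts backslashes
    to forward slashes as a path normaliser might before a normalised URI
    buffer is built. This is an assumption, not libhtp's actual behaviour."""
    return raw.replace(b"\\", b"/")


def matches(pattern: str, buffer: bytes) -> bool:
    """True if the decoded pattern occurs anywhere in the buffer."""
    return decode_content(pattern) in buffer


def check_both_buffers(pattern: str, raw: bytes = RAW_URI) -> dict:
    """Compare a pattern against the raw URI and the normalised copy, which
    is where a rule that works on one buffer can silently fail on the other."""
    return {"raw": matches(pattern, raw),
            "normalized": matches(pattern, normalize_uri(raw))}
```

A rule that must see the backslash is therefore best tested against both buffers; if only the raw one matches, the pattern depends on pre-normalisation data.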
