<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hello all,<br><br>I have a rule from the ET rule-set to alert against an attack that is used to exploit a vulnerability in nginx 1.3.9-1.4.0. In order to trigger this rule I loaded an exploit module in Metasploit and fired it on my server.<br><br>The vulnerability: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028</a><br>The rule: <a href="http://doc.emergingthreats.net/bin/view/Main/2016918" target="_blank">http://doc.emergingthreats.net/bin/view/Main/2016918</a><br>The Metasploit module: <a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nginx_chunked_size.rb" target="_blank">https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nginx_chunked_size.rb</a><br><br>I'll repeat the rule here:<br><h2><font style="font-size: 8pt;" size="1">alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific";
flow:established,to_server; content:"chunked"; http_header; nocase;
fast_pattern:only; pcre:"/Transfer-Encoding\x3a[^\r\n]*?chunked/Hi";
pcre:"/^[\r\n\s]*?[^\r\n]+HTTP\/1\.\d[^\r\n]*?\r?\n((?!(\r?\n\r?\n)).)*?Transfer-Encoding\x3a[^\r\n]*?Chunked((?!(\r?\n\r?\n)).)*?\r?\n\r?\n[\r\n\s]*?(f{6}[8-9a-f][0-9a-f]|[a-f0-9]{9})/si";
reference:url,www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/;
reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nginx_chunked_size.rb;
classtype:attempted-admin; sid:2016918; rev:6;)
</font></h2>My attack did not generate any alerts. However, as soon as I removed the "http_header;" and changed "/Hi" to "/i" (in the first pcre) the rule started generating alerts. From this it seems like the HTTP header is not complete/not recognized by Suricata. However, when I do an extended logging on the HTTP traffic, I do see entries like:<br><br>07/13/14-23:45:27.830342 - - Chunked HTTP/1.1 GET mifpudtilvpjqsjl / - 0 x.x.x.x:40590 -> y.y.y.y:80<br><br>My "customformat" for the http-log contains "%{Transfer-Encoding}i", which would actually be the "contents of the defined HTTP Request Header name" according to the documentation (refer to <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging)." target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging).</a><br><br>I also created packet dumps of both legitimate web traffic and this attack and analyzed the streams in Wireshark. In both dumps there are TCP PDU's which are re-assembled, but in the valid web traffic Wireshark labels the protocol for some of the fully assembled client-to-server packets as HTTP while for the attack there are only TCP packets from the client to the server.<br><br>I am wondering why the HTTP header is not available. I am not sure if this is caused by Suricata, my OS/network interface or the rule itself. I hope someone can help me out!<br><br>Thanks for your time,<br>Jelte.<br> </div></body>
</html>