<div dir="ltr">Thanks all for clearing this up!</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 12, 2016 at 12:49 PM, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 12-12-16 21:40, Francis Trudeau wrote:<br>
> alert http any any -> any any (msg:"HTTP TEST"; sid:3030303; rev:1;)<br>
><br>
> Does not hit on:<br>
><br>
> <a href="http://dropcanvas.com/iaq1w" rel="noreferrer" target="_blank">http://dropcanvas.com/iaq1w</a><br>
><br>
> I had a couple of the guys double check.  Tested 2.0.8, 2.0.9, 3.1.3,<br>
> and 3.2dev (rev 94bc7e5), which I just pulled.<br>
><br>
> Here's the headers from that pcap (defanged):<br>
><br>
> poSt /armstrong/summertime.php HTTP/1.1<br>
> Content-Length: 0<br>
> Accept: */*<br>
> User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)<br>
> Host: apex(.)godsreal(.)com<br>
> Connection: Keep-Alive<br>
><br>
> If you get different results, something is amiss.<br>
<br>
</span>That is an interesting corner case. The server doesn't talk back HTTP,<br>
but only sends an HTML payload. This causes the detection to fail on both<br>
sides. I guess we can make the client side of the detection more liberal<br>
(caseless) to deal with such cases. I will have a look.<br>
<br>
Thanks,<br>
Victor<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
><br>
> ft<br>
><br>
><br>
><br>
><br>
> On Mon, Dec 12, 2016 at 1:11 PM, Francis Trudeau<br>
> <<a href="mailto:ftrudeau@emergingthreats.net">ftrudeau@emergingthreats.net</a>> wrote:<br>
>> Sure thing, I'll double check and send the pcap we used last week, stand by.<br>
>><br>
>> ft<br>
>><br>
>><br>
>><br>
>> On Mon, Dec 12, 2016 at 12:50 PM, Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:<br>
>>> On 12-12-16 20:48, Duane Howard wrote:<br>
>>>> forking thread to oisf-users...<br>
>>>><br>
>>>> On Mon, Dec 12, 2016 at 11:42 AM, Francis Trudeau<br>
>>>> <<a href="mailto:ftrudeau@emergingthreats.net">ftrudeau@emergingthreats.net</a> <mailto:<a href="mailto:ftrudeau@emergingthreats.net">ftrudeau@<wbr>emergingthreats.net</a>>> wrote:<br>
>>>><br>
>>>>     We were seeing FP reports on this as just the depth wasn't doing<br>
>>>>     enough to make sure the sig was matching on the HTTP headers.<br>
>>>><br>
>>>>     Suricata, because the POST isn't capitalized, doesn't consider this<br>
>>>>     HTTP so we couldn't use the HTTP buffers.  Snort on the other hand<br>
>>>>     looks at this as HTTP, because of the ports, so we could do this:<br>
>>>><br>
>>>> is this a known bug in libhtp? Or rather is it expected? This seems like<br>
>>>> a bad decision from an IDS perspective?<br>
>>><br>
>>> Waiting for a PCAP but pretty sure the claim is inaccurate.<br>
>>><br>
>>> Cheers,<br>
>>> Victor<br>
>>><br>
>>><br>
>>>><br>
>>>>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY<br>
>>>>     HTTP POST invalid method case outbound"; flow:established,to_server;<br>
>>>>     content:"post"; http_method; nocase; content:!"POST"; http_method;<br>
>>>>     reference:url,<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html" rel="noreferrer" target="_blank">www.w3.org/<wbr>Protocols/rfc2616/rfc2616-<wbr>sec9.html</a><br>
>>>>     <<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html" rel="noreferrer" target="_blank">http://www.w3.org/Protocols/<wbr>rfc2616/rfc2616-sec9.html</a>>;<br>
>>>>     classtype:bad-unknown; sid:2014380; rev:3;)<br>
>>>><br>
>>>>     The rule that was FPing was rev:2, the Suricata sig skipped from<br>
>>>>     rev:2 to rev:4 due to internal processes that made it skip a rev in<br>
>>>>     the final output.  The docs page uses the Suricata version as we are<br>
>>>>     partial to Suricata ;)<br>
>>>><br>
>>>>     Are you seeing FPs with rev:3 of the Snort signature?<br>
>>>><br>
>>>>     ft<br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>>     On Mon, Dec 12, 2016 at 8:59 AM, Jim McKibben<br>
>>>>     <<a href="mailto:jmckibben@riskanalytics.com">jmckibben@riskanalytics.com</a> <mailto:<a href="mailto:jmckibben@riskanalytics.com">jmckibben@<wbr>riskanalytics.com</a>>><br>
>>>>     wrote:<br>
>>>><br>
>>>>         The rev 4 of this rule isn't included in<br>
>>>>         the <a href="https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz" rel="noreferrer" target="_blank">https://rules.emergingthreats.<wbr>net/open-nogpl/snort-2.9.0/<wbr>emerging.rules.tar.gz</a><br>
>>>>         <<a href="https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz" rel="noreferrer" target="_blank">https://rules.<wbr>emergingthreats.net/open-<wbr>nogpl/snort-2.9.0/emerging.<wbr>rules.tar.gz</a>><br>
>>>>         package.<br>
>>>><br>
>>>>         Is there a reason for this? It is FPing for sites that contain<br>
>>>>         the text "post" such as <a href="http://nypost.com" rel="noreferrer" target="_blank">nypost.com</a> <<a href="http://nypost.com" rel="noreferrer" target="_blank">http://nypost.com</a>> and such.<br>
>>>>         --<br>
>>>>         *Jim McKibben<br>
>>>>         *Security Analyst GSEC GWAPT<br>
>>>>         <a href="mailto:jmckibben@riskanalytics.com">jmckibben@riskanalytics.com</a><br>
>>>>         RiskAnalytics <<a href="https://riskanalytics.com/" rel="noreferrer" target="_blank">https://riskanalytics.com/</a>><br>
>>>><br>
>>>><br>
>>>>         ______________________________<wbr>_________________<br>
>>>>         Emerging-sigs mailing list<br>
>>>>         <a href="mailto:Emerging-sigs@lists.emergingthreats.net">Emerging-sigs@lists.<wbr>emergingthreats.net</a><br>
>>>>         <mailto:<a href="mailto:Emerging-sigs@lists.emergingthreats.net">Emerging-sigs@lists.<wbr>emergingthreats.net</a>><br>
>>>>         <a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" rel="noreferrer" target="_blank">https://lists.emergingthreats.<wbr>net/mailman/listinfo/emerging-<wbr>sigs</a><br>
>>>>         <<a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" rel="noreferrer" target="_blank">https://lists.<wbr>emergingthreats.net/mailman/<wbr>listinfo/emerging-sigs</a>><br>
>>>><br>
>>>>         Support Emerging Threats! Subscribe to Emerging Threats Pro<br>
>>>>         <a href="http://www.emergingthreats.net" rel="noreferrer" target="_blank">http://www.emergingthreats.net</a><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>> ______________________________<wbr>_________________<br>
>>>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
>>>> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
>>>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
>>>> Suricata User Conference November 9-11 in Washington, DC: <a href="http://suricon.net" rel="noreferrer" target="_blank">http://suricon.net</a><br>
>>>><br>
>>><br>
>>><br>
>>> --<br>
>>> ------------------------------<wbr>---------------<br>
>>> Victor Julien<br>
>>> <a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
>>> PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/<wbr>victorjulien.asc</a><br>
>>> ------------------------------<wbr>---------------<br>
>>><br>
</div></div></blockquote></div><br></div>
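Added example, written for this page and not taken from any message in the thread, nor from Suricata, libhtp or the Emerging Threats rulesets. It models, on the client side only, the three behaviours the thread talks about: a parser that only recognises an all-uppercase method (so "poSt ..." is not classified as HTTP and there is no http_method buffer for a rule to inspect, which is the Suricata behaviour Victor describes), the more liberal case-insensitive detection he says he will look at, and the method-buffer logic of ET sid:2014380 rev:3 (content:"post"; http_method; nocase; content:!"POST"; http_method;). The request bytes are constructed here; the hostnames are placeholders rather than the defanged host from the pcap, and raw_post_anywhere() is an assumed approximation of the older rev:2 rule (a raw-payload match without the http_method buffer), since the actual rev:2 text is not quoted anywhere in the thread. It ignores the server side entirely, so it does not reproduce the "server only sends HTML back" half of the corner case.

```python
"""Added example: toy models of case-sensitive vs. case-insensitive HTTP
request detection and of the sid:2014380 rev:3 method-case check.
Not Suricata/libhtp code; sample traffic is constructed, hosts are placeholders."""
import re

KNOWN_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# RFC 7230 request-line shape: method SP request-target SP HTTP-version CRLF.
# The method token itself is any token chars; case is decided by the callers below.
REQUEST_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+) (\S+) HTTP/(\d)\.(\d)\r?\n")


def request_line(raw: bytes):
    """Return (method, target, version) from the first line, or None when the
    bytes do not start with a syntactically valid request line."""
    m = REQUEST_LINE.match(raw.decode("latin-1"))
    if m is None:
        return None
    return m.group(1), m.group(2), "HTTP/%s.%s" % (m.group(3), m.group(4))


def strict_http_request(raw: bytes) -> bool:
    """Case-sensitive detection: the method must equal a known token exactly,
    so 'poSt' is not HTTP and no http_* buffers would exist for it."""
    rl = request_line(raw)
    return rl is not None and rl[0] in KNOWN_METHODS


def caseless_http_request(raw: bytes) -> bool:
    """Liberal detection: any casing of a known method still counts as HTTP."""
    rl = request_line(raw)
    return rl is not None and rl[0].upper() in KNOWN_METHODS


def invalid_post_case(raw: bytes) -> bool:
    """sid:2014380 rev:3 restricted to the method buffer: equals POST ignoring
    case (content:"post"; http_method; nocase) but is not exactly POST
    (content:!"POST"; http_method). A method buffer only exists when the
    liberal parser has classified the stream as HTTP."""
    if not caseless_http_request(raw):
        return False
    method = request_line(raw)[0]
    return method.upper() == "POST" and method != "POST"


def raw_post_anywhere(raw: bytes) -> bool:
    """ASSUMED approximation of the FP-prone rev:2: case-insensitive 'post'
    somewhere in the raw payload and no exact 'POST', with no http_method
    buffer to pin the match to the request line."""
    return b"post" in raw.lower() and b"POST" not in raw


# --- constructed sample traffic (hosts are placeholders) ------------------------
REQ_MIXED_CASE = (  # header set as quoted in the thread, host replaced
    b"poSt /armstrong/summertime.php HTTP/1.1\r\n"
    b"Content-Length: 0\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
REQ_NYPOST = b"GET /2016/12/12/story.html HTTP/1.1\r\nHost: nypost.com\r\n\r\n"
REQ_NORMAL_POST = b"POST /login HTTP/1.1\r\nHost: www.example.invalid\r\nContent-Length: 0\r\n\r\n"
REQ_NOT_HTTP = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"  # TLS ClientHello prefix

SAMPLES = {
    "mixed-case poSt": REQ_MIXED_CASE,
    "GET nypost.com": REQ_NYPOST,
    "normal POST": REQ_NORMAL_POST,
    "not HTTP": REQ_NOT_HTTP,
}


def classify(raw: bytes) -> dict:
    """Run every check on one request so the differences are visible side by side."""
    return {
        "strict_http": strict_http_request(raw),
        "caseless_http": caseless_http_request(raw),
        "sid2014380_rev3": invalid_post_case(raw),
        "rev2_like_fp": raw_post_anywhere(raw),
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-16s %s" % (name, classify(raw)))
```

Running it shows the two failure modes next to each other: the mixed-case request is invisible to the strict parser (no method buffer, so the rev:3 rule cannot fire in an engine that behaves that way) but is caught once detection is caseless, while the nypost.com GET trips only the raw-payload approximation of the older rule and never the method-buffer version.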