<div dir="ltr">Forking thread to oisf-users...<div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 12, 2016 at 11:42 AM, Francis Trudeau <span dir="ltr"><<a href="mailto:ftrudeau@emergingthreats.net" target="_blank">ftrudeau@emergingthreats.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">We were seeing FP reports on this as just the depth wasn't doing enough to make sure the sig was matching on the HTTP headers.  <div><br></div><div>Suricata, because the POST isn't capitalized, doesn't consider this HTTP, so we couldn't use the HTTP buffers.  Snort, on the other hand, looks at this as HTTP because of the ports, so we could do this:</div></div></blockquote><div>Is this a known bug in libhtp? Or rather, is it expected? This seems like a bad decision from an IDS perspective. </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div><div>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP POST invalid method case outbound"; flow:established,to_server; content:"post"; http_method; nocase; content:!"POST"; http_method; reference:url,<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html" target="_blank">www.w3.org/Protocols/rfc2616/rfc2616-sec9.html</a>; classtype:bad-unknown; sid:2014380; rev:3;)</div></div><div><br></div><div>The rule that was FPing was rev:2; the Suricata sig skipped from rev:2 to rev:4 due to internal processes that made it skip a rev in the final output.  
The docs page uses the Suricata version as we are partial to Suricata ;)</div><div><br></div><div>Are you seeing FPs with rev:3 of the Snort signature?</div><div><br></div><div>ft</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Mon, Dec 12, 2016 at 8:59 AM, Jim McKibben <span dir="ltr"><<a href="mailto:jmckibben@riskanalytics.com" target="_blank">jmckibben@riskanalytics.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">The rev 4 of this rule isn't included in the <a href="https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz" target="_blank">https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz</a> package.<div><br></div><div>Is there a reason for this? It is FPing for sites that contain the text "post" such as <a href="http://nypost.com" target="_blank">nypost.com</a> and such.<br>-- <br>Jim McKibben<br>Security Analyst GSEC GWAPT
</div></div>
<br></div></div>_______________________________________________<br>
Emerging-sigs mailing list<br>
<a href="mailto:Emerging-sigs@lists.emergingthreats.net" target="_blank">Emerging-sigs@lists.emergingthreats.net</a><br>
<a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" rel="noreferrer" target="_blank">https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>
<br>
Support Emerging Threats! Subscribe to Emerging Threats Pro <a href="http://www.emergingthreats.net" rel="noreferrer" target="_blank">http://www.emergingthreats.net</a><br>
<br>
<br></blockquote></div><br></div>
<br></blockquote></div><br></div></div>
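<p>Added example, not code from the thread, from Emerging Threats or from Suricata/Snort: a small Python model of the two detection strategies the thread contrasts. <code>raw_content_match</code> stands in for a rule that looks for the literal bytes <code>post</code> within the first N bytes of the TCP payload (the assumed shape of the rev:2 rule; the depth of 40 is an assumption). <code>invalid_method_case</code> implements the logic of the rev:3 Snort rule (<code>content:"post"; http_method; nocase; content:!"POST"; http_method;</code>) over a parsed request line. <code>strict_case=True</code> models a parser that only recognises the canonical uppercase method tokens and therefore exposes no HTTP method buffer for a request starting with <code>post</code>, which is the Suricata behaviour Francis describes; the <code>KNOWN_METHODS</code> table is an assumption for that model, not a statement about libhtp's real method table. The sample requests are constructed, not captured traffic.</p>

```python
"""Model of raw-payload vs. http_method matching for the "invalid method case" rule.

Added example; not code from the thread or from the Emerging Threats ruleset.
"""

# Constructed sample requests (not captured traffic).
SAMPLES = {
    # canonical POST: neither strategy should fire
    "upper_post": b"POST /login HTTP/1.1\r\nHost: example.com\r\nContent-Length: 0\r\n\r\n",
    # the case the rule is meant to catch
    "lower_post": b"post /upload HTTP/1.1\r\nHost: example.com\r\nContent-Length: 0\r\n\r\n",
    # mixed case: still a non-canonical spelling of POST
    "mixed_post": b"Post /x HTTP/1.1\r\nHost: example.com\r\nContent-Length: 0\r\n\r\n",
    # the false positive from the thread: "post" appears inside the Host header
    "nypost_get": b"GET / HTTP/1.1\r\nHost: nypost.com\r\nUser-Agent: x\r\n\r\n",
}

# Method tokens a strict parser recognises (assumption used by this model;
# not a description of libhtp's actual table).
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}


def raw_content_match(payload: bytes, needle: bytes = b"post", depth: int = 40) -> bool:
    """Equivalent of `content:"post"; depth:40;` on the raw TCP payload.

    Case-sensitive and anchored only by depth, so it also matches the bytes
    "post" anywhere in the first 40 bytes, including inside a header value.
    The depth value is an assumption about the rev:2 rule.
    """
    return needle in payload[:depth]


def parse_request_line(payload: bytes):
    """Return (method, target, version) from the first line, or None."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0].decode("ascii", "replace"), parts[1], parts[2]


def http_method_buffer(payload: bytes, strict_case: bool = False):
    """What an HTTP-aware engine would expose as the http_method buffer.

    With strict_case=True the parser only accepts canonical uppercase method
    tokens, so a request starting with "post" is not treated as HTTP at all
    and there is no method buffer to match on (the Suricata behaviour the
    thread describes, as modelled here).
    """
    parsed = parse_request_line(payload)
    if parsed is None:
        return None
    method = parsed[0]
    if strict_case and method not in KNOWN_METHODS:
        return None
    return method


def invalid_method_case(payload: bytes, strict_case: bool = False) -> bool:
    """Logic of the rev:3 rule:
    content:"post"; http_method; nocase;  content:!"POST"; http_method;
    i.e. the method spells POST in some case other than the canonical one."""
    method = http_method_buffer(payload, strict_case)
    if method is None:
        return False
    return method.upper() == "POST" and method != "POST"


def run_all():
    """Evaluate every sample under each strategy; returns {name: {strategy: fired}}."""
    return {
        name: {
            "raw": raw_content_match(p),
            "http_method": invalid_method_case(p),
            "http_method_strict": invalid_method_case(p, strict_case=True),
        }
        for name, p in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:11s} {result}")
```

<p>Run over the samples, the raw match fires on the <code>nypost.com</code> Host header (the FP reported in the thread) and misses <code>Post</code>, the method-buffer check fires only on the miscased POSTs, and under the strict parser it fires on nothing, because the miscased request never becomes an HTTP transaction in the first place.</p>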