[Oisf-devel] Suricata http request double encoded null byte FN

Anoop Saldanha anoopsaldanha at gmail.com
Sat May 19 08:47:53 UTC 2012


On Sat, May 19, 2012 at 1:05 PM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
> On Sat, May 19, 2012 at 6:07 AM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi,
>>
>> OK, I'm continuing my Suricata testing. Could someone check this, please? (If yes/confirmed, I'll open a new ticket.)
>>
>> OK, tested with this command:
>>  wget "http://192.168.1.1/a%2500b.c"
>>
>>
>> next, use only two Suricata signatures:
>>
>> fire:
>> alert tcp any any -> any 80 (msg:"null byte http encoded 1"; flow:to_server,established; content:"%2500"; classtype:attempted-recon; sid:21; rev:1;)
>>
>> not fire:
>> alert tcp any any -> any 80 (msg:"null byte http encoded 2"; flow:to_server,established; content:"|00|"; http_uri; classtype:attempted-recon; sid:22; rev:1;)
>>
>>
>> Suricata does not fire when detecting a double-encoded null byte with http_uri; of course, Snort always fires.
>>
>> Tested on Suricata git as of 16 May 2012. Same results with v1.2.1.
>>
>> Regards
>> Rmkml
>>
>> http://twitter.com/rmkml
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
> Looks like a normalization problem. You can open a bug on this. Thanks, rmkml.
>
> --
> Anoop Saldanha

From the looks of it, any double-encoded scenario seems to have the same problem.

wget "http://127.0.0.1/a%2557cb.c"

alert tcp any any -> any 80 (msg:"W byte http encoded 2"; flow:to_server,established; content:"/aWcb.c"; http_uri; sid:1;)

-- 
Anoop Saldanha
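The two test URIs in this thread separate a normalizer that percent-decodes once from one that decodes twice: after one pass `%2500` is the three bytes `%00` and `%2557` is `%57`, and only a second pass turns them into a NUL byte and `W`. The following is an added example, not code from the thread or from Suricata/libhtp: it models an http_uri normalizer with a configurable number of decode passes, parses the `content:` strings from the posted rules (including the `|00|` hex notation), and reports at which decode depth each match would fire. The function names, the decoder and the constructed request lines are assumptions made here.

```python
"""
Added example for the oisf-devel thread above. It is not code from the
thread or from Suricata/libhtp; it models the one-pass vs. two-pass
percent-decoding that the thread's two test URIs distinguish, and checks
the posted content matches against each buffer. Function names, the
constructed request lines and the decoder are all assumptions made here.
"""

HEXDIGITS = b"0123456789abcdefABCDEF"


def percent_decode_once(raw: bytes) -> bytes:
    """One pass of percent-decoding over a byte string.

    Only a well-formed %hh (two hex digits) is decoded; a lone '%' or a
    malformed sequence is copied through unchanged, so '%2500' becomes
    '%00' after one pass and a NUL byte only after a second pass.
    """
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0x25 and i + 3 <= len(raw):  # 0x25 is '%'
            hexpart = raw[i + 1:i + 3]
            if all(c in HEXDIGITS for c in hexpart):
                out.append(int(hexpart.decode("ascii"), 16))
                i += 3
                continue
        out.append(raw[i])
        i += 1
    return bytes(out)


def normalize_uri(raw_uri: bytes, passes: int) -> bytes:
    """Model of an http_uri normalizer that percent-decodes 'passes' times."""
    buf = raw_uri
    for _ in range(passes):
        buf = percent_decode_once(buf)
    return buf


def parse_content(spec: str) -> bytes:
    """Convert the text inside a rule's content:"..." to the bytes matched.

    Text outside |...| is literal; text inside |...| is hex byte values
    separated by optional spaces, e.g. "|00|" is a single NUL byte.
    """
    chunks = spec.split("|")
    if len(chunks) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % spec)
    out = bytearray()
    for idx, chunk in enumerate(chunks):
        out += chunk.encode("latin-1") if idx % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def content_matches(spec: str, buffer: bytes) -> bool:
    """Plain substring match, which is what an unmodified content: does."""
    return parse_content(spec) in buffer


def match_table(raw_uri: bytes, spec: str, max_passes: int = 2) -> dict:
    """Return {passes: matched?} for one URI and one content spec."""
    return {n: content_matches(spec, normalize_uri(raw_uri, n))
            for n in range(max_passes + 1)}


# Constructed request lines reproducing the two wget commands in the thread.
THREAD_CASES = [
    # (raw request line, http_uri content from the rule, raw-payload content)
    (b"GET /a%2500b.c HTTP/1.1", "|00|", "%2500"),
    (b"GET /a%2557cb.c HTTP/1.1", "/aWcb.c", None),
]


if __name__ == "__main__":
    for request_line, uri_spec, raw_spec in THREAD_CASES:
        raw_uri = request_line.split(b" ")[1]
        print(request_line.decode())
        if raw_spec is not None:
            print("  raw payload content %-10r -> %s"
                  % (raw_spec, content_matches(raw_spec, request_line)))
        for n, hit in match_table(raw_uri, uri_spec).items():
            print("  http_uri after %d decode pass(es): %-12r content %-10r -> %s"
                  % (n, normalize_uri(raw_uri, n), uri_spec, hit))
```

Run stand-alone, the table shows the pattern the thread reports: the raw-payload rule (sid:21) matches `%2500` literally on the unmodified request line, while the http_uri rules match only in the buffer produced by two decode passes, never the one-pass buffer. Whether the IDS should decode twice is a policy choice rather than a pure bug fix: a backend that decodes the path only once sees the literal bytes `%00`, so a second pass in the sensor can alert on requests the server never interprets as containing a NUL. The useful setting is the one that mirrors the decode depth of the protected server, which is why engines that offer double decoding expose it as an option rather than a default.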


