[Oisf-devel] Suricata http request double encoded null byte FN

rmkml rmkml at yahoo.fr
Sat May 19 23:04:49 UTC 2012


ok, opened a new Redmine ticket #464
Please add your HTTP double-encoded testing...
Best Regards
Rmkml


On Sat, 19 May 2012, Anoop Saldanha wrote:

> On Sat, May 19, 2012 at 1:05 PM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>> On Sat, May 19, 2012 at 6:07 AM, rmkml <rmkml at yahoo.fr> wrote:
>>> Hi,
>>>
>>> ok, I'm continuing my Suricata testing, someone check this please? (if yes/confirmed, I'll open a new ticket)
>>>
>>> ok tested with this cmd:
>>>  wget "http://192.168.1.1/a%2500b.c"
>>>
>>>
>>> next, use only two Suricata signatures:
>>>
>>> fire:
>>> alert tcp any any -> any 80 (msg:"null byte http encoded 1"; flow:to_server,established; content:"%2500"; classtype:attempted-recon; sid:21; rev:1;)
>>>
>>> not fire:
>>> alert tcp any any -> any 80 (msg:"null byte http encoded 2"; flow:to_server,established; content:"|00|"; http_uri; classtype:attempted-recon; sid:22; rev:1;)
>>>
>>>
>>> Suricata does not fire when detecting a double-encoded null byte with http_uri; of course Snort always fires.
>>>
>>> Tested on Suricata git as of 16 May 2012; same results with v1.2.1.
>>>
>>> Regards
>>> Rmkml
>>>
>>> http://twitter.com/rmkml
>>>
>>
>> looks like a normalization problem.  You can open a bug on this.  Thanks rmkml
>>
>> --
>> Anoop Saldanha
>
> From the looks of it, any double-encoded scenario seems to have the same problem
>
> wget "http://127.0.0.1/a%2557cb.c"
>
> alert tcp any any -> any 80 (msg:"W byte http encoded 2"; flow:to_server,established; content:"/aWcb.c"; http_uri; sid:1;)
>
> -- 
> Anoop Saldanha
>
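The thread's point is that a `content:"|00|"; http_uri;` rule only matches if the normalizer that feeds the http_uri buffer decodes `%2500` twice (`%2500` -> `%00` -> a literal NUL), while a plain `content:"%2500"` rule matches the raw payload regardless. The Python below is an added illustration, not code from the thread or from Suricata or Snort: it models percent-decoding as a configurable number of passes and checks the two URIs from the thread against the rules as written. Function names (`percent_decode_once`, `normalize_uri`, `rule_matches`) and the simplified decoder are assumptions made for this example, not Suricata internals.

```python
"""Added example: how the number of percent-decoding passes changes what an
http_uri-style content match sees.  Helper names here are hypothetical."""
import re

# One %XX escape (case-insensitive hex); malformed escapes such as '%zz' are ignored.
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode_once(raw: bytes) -> bytes:
    """Single pass of percent-decoding: every valid %XX becomes the byte 0xXX."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def normalize_uri(raw: bytes, passes: int) -> bytes:
    """Apply up to `passes` decoding passes, stopping once the URI stops changing.
    passes=0 returns the raw request URI untouched."""
    cur = raw
    for _ in range(passes):
        nxt = percent_decode_once(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def rule_matches(raw_uri: bytes, content: bytes, passes: int) -> bool:
    """Emulate `content:"..."; http_uri;` evaluated against a URI that the
    normalizer decoded `passes` times (passes=0 behaves like a raw-payload match)."""
    return content in normalize_uri(raw_uri, passes)


# Constructed sample URIs, taken from the two wget commands quoted in the thread.
NULL_BYTE_URI = b"/a%2500b.c"   # double-encoded NUL
W_BYTE_URI = b"/a%2557cb.c"     # double-encoded 'W' (0x57)


def match_table(raw_uri: bytes, content: bytes) -> dict:
    """For each decode depth 0..2, report (normalized URI, whether the content matches)."""
    return {p: (normalize_uri(raw_uri, p), rule_matches(raw_uri, content, p))
            for p in (0, 1, 2)}


if __name__ == "__main__":
    # sid:21 style raw match on "%2500" needs no decoding; sid:22 style "|00|" needs two passes.
    for uri, needle in ((NULL_BYTE_URI, b"%2500"), (NULL_BYTE_URI, b"\x00"),
                        (W_BYTE_URI, b"/aWcb.c")):
        print(uri, needle, match_table(uri, needle))
```

Running it shows the single-pass result `/a%00b.c` never contains a NUL, which is exactly the miss reported above; a detection engineer who wants to catch the double-encoded form on an engine that decodes once should either match the raw buffer (as sid:21 does) or confirm how many decoding passes the URI normalizer performs before relying on a decoded-byte signature.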

