[Oisf-users] [Emerging-Sigs] SID: http://docs.emergingthreats.net/2014380/

Victor Julien lists at inliniac.net
Mon Dec 12 19:50:29 UTC 2016


On 12-12-16 20:48, Duane Howard wrote:
> forking thread to oisf-users...
> 
> On Mon, Dec 12, 2016 at 11:42 AM, Francis Trudeau
> <ftrudeau at emergingthreats.net> wrote:
> 
>     We were seeing FP reports on this as just the depth wasn't doing
>     enough to make sure the sig was matching on the HTTP headers.  
> 
>     Suricata, because the POST isn't capitalized, doesn't consider this
>     HTTP so we couldn't use the HTTP buffers.  Snort on the other hand
>     looks at this as HTTP, because of the ports, so we could do this:
> 
> is this a known bug in libhtp? Or rather is it expected? This seems like
> a bad decision from an IDS perspective? 

Waiting for a PCAP but pretty sure the claim is inaccurate.

Cheers,
Victor


> 
>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP POST invalid method case outbound"; flow:established,to_server; content:"post"; http_method; nocase; content:!"POST"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014380; rev:3;)
> 
>     The rule that was FPing was rev:2, the Suricata sig skipped from
>     rev:2 to rev:4 due to internal processes that made it skip a rev in
>     the final output.  The docs page uses the Suricata version as we are
>     partial to Suricata ;)
> 
>     Are you seeing FPs with rev:3 of the Snort signature?
> 
>     ft
> 
> 
> 
> 
>     On Mon, Dec 12, 2016 at 8:59 AM, Jim McKibben
>     <jmckibben at riskanalytics.com> wrote:
> 
>         The rev 4 of this rule isn't included in
>         the https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz
>         package.
> 
>         Is there a reason for this? It is FPing for sites that contain
>         the text "post" such as nypost.com and such.
>         -- 
> 
> 
>         Jim McKibben
>         Security Analyst GSEC GWAPT
>         jmckibben at riskanalytics.com
> 
> 
> 
>         _______________________________________________
>         Emerging-sigs mailing list
>         Emerging-sigs at lists.emergingthreats.net
>         https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
>         Support Emerging Threats! Subscribe to Emerging Threats Pro
>         http://www.emergingthreats.net
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
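The rev:3 rule quoted above restricts both content matches to the http_method buffer, which is what stops a host name such as nypost.com from triggering a signature meant for a lowercase request method. The following Python is an added example, not code from the thread, from Emerging Threats or from Suricata/Snort: it models the rule's matching logic over a few constructed request payloads and contrasts it with an assumed raw-payload variant of the same two content matches (the shape the thread attributes to the earlier revision; the depth of 64 and the exact option set are assumptions). The `http_method` helper simply takes whatever token sits in the method position of the request line; whether a real engine populates its HTTP buffers for a non-capitalized method is exactly the point Victor says needs a PCAP, so this code does not decide it.

```python
import re

# Constructed sample requests for illustration; these are not captured
# traffic from the thread. "get_nypost" stands in for the nypost.com FP.
REQUESTS = {
    "lowercase_post": b"post /login HTTP/1.1\r\nHost: example.com\r\nContent-Length: 0\r\n\r\n",
    "canonical_post": b"POST /login HTTP/1.1\r\nHost: example.com\r\nContent-Length: 0\r\n\r\n",
    "mixed_case_post": b"Post /upload HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "get_nypost": b"GET / HTTP/1.1\r\nHost: nypost.com\r\nUser-Agent: x\r\n\r\n",
    "not_http": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}

# Request line: RFC 7230 token characters for the method, then target and version.
REQUEST_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+) (\S+) HTTP/1\.[01]\r\n")


def http_method(payload: bytes):
    """Return the method token of an HTTP/1.x request line with its original
    case preserved, or None when the payload has no request line at all.
    Stand-in for an engine's http_method buffer; it assumes (for illustration)
    that any token in the method position is accepted as a method."""
    m = REQUEST_LINE.match(payload)
    return m.group(1) if m else None


def sid_2014380_rev3(payload: bytes) -> bool:
    """Logic of rev:3 as posted in the thread:
    content:"post"; http_method; nocase; content:!"POST"; http_method;
    i.e. the method reads 'post' in some casing other than canonical 'POST'."""
    method = http_method(payload)
    if method is None:
        return False  # no HTTP buffers exist, so a buffer-restricted rule cannot match
    return method.lower() == b"post" and method != b"POST"


def raw_buffer_rule(payload: bytes, depth: int = 64) -> bool:
    """Assumed shape of the earlier revision: the same two content matches
    run over the raw payload under a depth, with no buffer restriction.
    Any 'post' inside the depth window (a Host header, a path) satisfies it."""
    window = payload[:depth]
    return b"post" in window.lower() and b"POST" not in window


def evaluate(requests=REQUESTS):
    """Run both variants over every sample; returns {name: (raw, http_method)}."""
    return {name: (raw_buffer_rule(p), sid_2014380_rev3(p)) for name, p in requests.items()}


if __name__ == "__main__":
    for name, (raw, buffered) in evaluate().items():
        flag = "" if raw == buffered else "  <- disagree (raw-buffer false positive)"
        print(f"{name:16} raw={raw!s:5} http_method={buffered!s:5}{flag}")
```

Running it shows the two variants agreeing on the lowercase and canonical POSTs and disagreeing only on the GET to nypost.com, where the raw-payload match fires on the host name while the http_method-restricted rule does not.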



