[Oisf-users] [Emerging-Sigs] SID: http://docs.emergingthreats.net/2014380/

Victor Julien lists at inliniac.net
Mon Dec 12 20:01:32 UTC 2016


On 12-12-16 20:50, Victor Julien wrote:
> On 12-12-16 20:48, Duane Howard wrote:
>> forking thread to oisf-users...
>>
>> On Mon, Dec 12, 2016 at 11:42 AM, Francis Trudeau
>> <ftrudeau at emergingthreats.net <mailto:ftrudeau at emergingthreats.net>> wrote:
>>
>>     We were seeing FP reports on this as just the depth wasn't doing
>>     enough to make sure the sig was matching on the HTTP headers.  
>>
>>     Suricata, because the POST isn't capitalized, doesn't consider this
>>     HTTP so we couldn't use the HTTP buffers.  Snort on the other hand
>>     looks at this as HTTP, because of the ports, so we could do this:
>>
>> is this a known bug in libhtp? Or rather is it expected? This seems like
>> a bad decision from an IDS perspective? 
> 
> Waiting for a PCAP but pretty sure the claim is inaccurate.

{"timestamp":"2016-12-12T21:00:06.638218+0100","flow_id":5259215214027,"event_type":"http","src_ip":"192.168.1.6","src_port":56388,"dest_ip":"96.43.130.5","dest_port":80,"proto":"TCP","tx_id":0,"http":{"url":"/victor","http_user_agent":"victor","http_content_type":"text/html","http_method":"post","protocol":"HTTP/1.0","status":301,"redirect":"http://www.oisf.net","length":227},"host":"c2758-ips"}

Manual test confirms lowercase 'post' still correctly ends up in the
'http_method' field.

Cheers,
Victor

> 
> Cheers,
> Victor
> 
> 
>>
>>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>>     HTTP POST invalid method case outbound"; flow:established,to_server;
>>     content:"post"; http_method; nocase; content:!"POST"; http_method;
>>     reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
>>     <http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html>;
>>     classtype:bad-unknown; sid:2014380; rev:3;)
>>
>>     The rule that was FPing was rev:2, the Suricata sig skipped from
>>     rev:2 to rev:4 due to internal processes that made it skip a rev in
>>     the final output.  The docs page uses the Suricata version as we are
>>     partial to Suricata ;)
>>
>>     Are you seeing FPs with rev:3 of the Snort signature?
>>
>>     ft
>>
>>
>>
>>
>>     On Mon, Dec 12, 2016 at 8:59 AM, Jim McKibben
>>     <jmckibben at riskanalytics.com <mailto:jmckibben at riskanalytics.com>>
>>     wrote:
>>
>>         The rev 4 of this rule isn't included in
>>         the https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz
>>         <https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz>
>>         package.
>>
>>         Is there a reason for this? It is FPing for sites that contain
>>         the text "post" such as nypost.com <http://nypost.com> and such.
>>
>>         _______________________________________________
>>         Emerging-sigs mailing list
>>         Emerging-sigs at lists.emergingthreats.net
>>         <mailto:Emerging-sigs at lists.emergingthreats.net>
>>         https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>         <https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs>
>>
>>         Support Emerging Threats! Subscribe to Emerging Threats Pro
>>         http://www.emergingthreats.net
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>>
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
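The exchange above turns on two things: whether a lowercase 'post' still reaches the normalized http_method buffer (Victor's EVE line shows it does), and why a signature that only anchors on a raw-payload 'post' match with a depth fires on hosts such as nypost.com. The script below is an added example, not code from the thread, Suricata, or Emerging Threats. It parses constructed EVE JSON lines (the first is modelled on Victor's log line, the rest are invented), emulates the rev:3 rule's two http_method checks in `method_buffer_match`, and contrasts that with `raw_depth_match`, an assumed simplified stand-in for a depth-only raw content check (the actual rev:2 rule text is not on the page).

```python
import json

# Constructed EVE JSON, modelled on the http event quoted in the thread.
# Only the first record mirrors Victor's test; the others are invented
# to show a normal POST, a GET to a host containing "post", and a non-http
# event that the parser must skip.
SAMPLE_EVE = """\
{"timestamp":"2016-12-12T21:00:06.638218+0100","event_type":"http","src_ip":"192.168.1.6","dest_ip":"96.43.130.5","dest_port":80,"http":{"url":"/victor","http_user_agent":"victor","http_method":"post","protocol":"HTTP/1.0","status":301}}
{"timestamp":"2016-12-12T21:00:07.000000+0100","event_type":"http","src_ip":"192.168.1.6","dest_ip":"203.0.113.10","dest_port":80,"http":{"hostname":"www.nypost.com","url":"/","http_method":"GET","protocol":"HTTP/1.1","status":200}}
{"timestamp":"2016-12-12T21:00:08.000000+0100","event_type":"http","src_ip":"192.168.1.6","dest_ip":"203.0.113.11","dest_port":80,"http":{"hostname":"example.com","url":"/login","http_method":"POST","protocol":"HTTP/1.1","status":302}}
{"timestamp":"2016-12-12T21:00:09.000000+0100","event_type":"alert","src_ip":"192.168.1.6","dest_ip":"203.0.113.11","dest_port":80,"alert":{"signature_id":2014380}}
"""


def parse_eve_http(text):
    """Return only event_type == 'http' records from EVE JSON text.

    Blank lines are skipped; non-http events (alert, flow, ...) are dropped
    because the method check only makes sense on the HTTP transaction.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "http":
            events.append(rec)
    return events


def method_buffer_match(method):
    """Emulate the rev:3 rule's two checks against the method buffer only:
    content:"post"; http_method; nocase;   -> case-insensitive 'post'
    content:!"POST"; http_method;          -> case-sensitive 'POST' absent
    Both operate on the normalized method, so a Host header can never match.
    """
    return "post" in method.lower() and "POST" not in method


def raw_depth_match(payload, depth=64):
    """Assumed simplified shape of a depth-only raw content check (hypothetical;
    the real rev:2 text is not in the thread): look for 'post' case-
    insensitively anywhere in the first `depth` bytes of the request and
    require that uppercase 'POST' is absent there. Because the window covers
    the request line AND the first headers, 'Host: www.nypost.com' satisfies
    it, which is the false positive reported in the thread.
    """
    window = payload[:depth]
    return b"post" in window.lower() and b"POST" not in window


def find_case_mismatch(events):
    """Return (timestamp, method, host-or-dest_ip) for every http event whose
    method is a non-uppercase spelling of POST, the condition SID 2014380
    targets, using only the parsed http_method field.
    """
    hits = []
    for ev in events:
        http = ev.get("http", {})
        method = http.get("http_method", "")
        if method_buffer_match(method):
            hits.append((ev["timestamp"], method,
                         http.get("hostname", ev.get("dest_ip"))))
    return hits


if __name__ == "__main__":
    for hit in find_case_mismatch(parse_eve_http(SAMPLE_EVE)):
        print("method-case mismatch:", hit)
    # Constructed raw requests showing where a depth-only check goes wrong.
    nypost = b"GET / HTTP/1.1\r\nHost: www.nypost.com\r\n\r\n"
    print("raw depth check on nypost.com GET:", raw_depth_match(nypost))
    print("method buffer check on GET:", method_buffer_match("GET"))
```

Run as a script it prints one mismatch (the constructed 'post' transaction) and shows that the depth-only check returns True for the nypost.com GET while the method-buffer check does not. The same `find_case_mismatch` can be pointed at a real eve.json to hunt for lowercase methods retrospectively, which is a cheap way to validate a rule like this before deploying it.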