[Oisf-users] [Emerging-Sigs] SID: http://docs.emergingthreats.net/2014380/
Francis Trudeau
ftrudeau at emergingthreats.net
Mon Dec 12 20:40:51 UTC 2016
alert http any any -> any any (msg:"HTTP TEST"; sid:3030303; rev:1;)
Does not hit on:
http://dropcanvas.com/iaq1w
I had a couple of the guys double check. Tested 2.0.8, 2.0.9, 3.1.3,
and 3.2dev (rev 94bc7e5), which I just pulled.
Here's the headers from that pcap (defanged):
poSt /armstrong/summertime.php HTTP/1.1
Content-Length: 0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: apex(.)godsreal(.)com
Connection: Keep-Alive
If you get different results, something is amiss.
ft
On Mon, Dec 12, 2016 at 1:11 PM, Francis Trudeau
<ftrudeau at emergingthreats.net> wrote:
> Sure thing, I'll double check and send the pcap we used last week, stand by.
>
> ft
>
>
>
> On Mon, Dec 12, 2016 at 12:50 PM, Victor Julien <lists at inliniac.net> wrote:
>> On 12-12-16 20:48, Duane Howard wrote:
>>> forking thread to oisf-users...
>>>
>>> On Mon, Dec 12, 2016 at 11:42 AM, Francis Trudeau
>>> <ftrudeau at emergingthreats.net> wrote:
>>>
>>> We were seeing FP reports on this as just the depth wasn't doing
>>> enough to make sure the sig was matching on the HTTP headers.
>>>
>>> Suricata, because the POST isn't capitalized, doesn't consider this
>>> HTTP so we couldn't use the HTTP buffers. Snort on the other hand
>>> looks at this as HTTP, because of the ports, so we could do this:
>>>
>>> is this a known bug in libhtp? Or rather is it expected? This seems like
>>> a bad decision from an IDS perspective?
>>
>> Waiting for a PCAP but pretty sure the claim is inaccurate.
>>
>> Cheers,
>> Victor
>>
>>
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>>> HTTP POST invalid method case outbound"; flow:established,to_server;
>>> content:"post"; http_method; nocase; content:!"POST"; http_method;
>>> reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
>>> classtype:bad-unknown; sid:2014380; rev:3;)
>>>
>>> The rule that was FPing was rev:2, the Suricata sig skipped from
>>> rev:2 to rev:4 due to internal processes that made it skip a rev in
>>> the final output. The docs page uses the Suricata version as we are
>>> partial to Suricata ;)
>>>
>>> Are you seeing FPs with rev:3 of the Snort signature?
>>>
>>> ft
>>>
>>>
>>>
>>>
>>> On Mon, Dec 12, 2016 at 8:59 AM, Jim McKibben
>>> <jmckibben at riskanalytics.com> wrote:
>>>
>>> The rev 4 of this rule isn't included in
>>> the https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz
>>> package.
>>>
>>> Is there a reason for this? It is FPing for sites that contain
>>> the text "post" such as nypost.com and such.
>>> --
>>> Jim McKibben
>>> Security Analyst GSEC GWAPT
>>> Office / 913-685-6588
>>> Mobile / 573-424-4848
>>> jmckibben at riskanalytics.com
>>> RiskAnalytics: https://riskanalytics.com/
>>> Twitter: https://twitter.com/riskanalytics
>>> LinkedIn: https://www.linkedin.com/company/riskanalytics-llc
>>> Facebook: https://www.facebook.com/riskanalytics
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreats.net
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>>>
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
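Added example, not from the thread and not Emerging Threats, Snort or Suricata code: a small Python script that reproduces the two matching strategies being argued about above, run over constructed sample requests. The "naive" check stands in for what the thread describes as the rev:2 problem (a content match on "post" bounded only by a depth, which the page does not show, so its exact form is an assumption here); the "method-aware" check mirrors the rev:3 logic of content:"post"; http_method; nocase; content:!"POST"; http_method. It works on raw request bytes and so sidesteps the question of whether a given engine classifies a lowercase method as HTTP at all. The host names and payloads are placeholders, not data from the pcap.

```python
"""Toy comparison of a depth-only content match versus a method-buffer match
for the ET 'HTTP POST invalid method case' rule discussed in the thread.

Constructed illustration only; the regex and samples are assumptions, not
an implementation of Snort's or Suricata's HTTP normalisation.
"""
import re

# Request line per RFC 7230: token SP request-target SP HTTP-version CRLF.
# Token characters are the RFC 'tchar' set; case is deliberately NOT normalised
# here so that "poSt" survives as written.
REQUEST_LINE = re.compile(rb"^([!#$%&'*+.^_|~0-9A-Za-z-]+) (\S+) HTTP/\d\.\d\r\n")

# Constructed samples (placeholders, not pcap data).
SAMPLES = {
    # Mixed-case method like the one reported in the thread.
    "mixed_case_post": (
        b"poSt /armstrong/summertime.php HTTP/1.1\r\n"
        b"Content-Length: 0\r\n"
        b"Host: example.invalid\r\n\r\n"
    ),
    # Perfectly normal request; must not fire.
    "normal_post": b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # The nypost.com style false positive: 'post' appears in the Host header.
    "nypost_get": b"GET /sports HTTP/1.1\r\nHost: nypost.com\r\n\r\n",
    # Not HTTP at all (looks like a TLS record); must not fire.
    "not_http": b"\x16\x03\x01\x00\x05hello",
}


def naive_payload_match(payload: bytes, depth: int = 64) -> bool:
    """Assumed rev:2 behaviour: 'content:"post"; nocase; depth:N' against raw
    payload, i.e. any 'post' anywhere in the first N bytes, headers included."""
    return b"post" in payload[:depth].lower()


def http_method(payload: bytes):
    """Return the method token of the request line, or None if the payload
    does not parse as an HTTP request line (no method buffer to match on)."""
    m = REQUEST_LINE.match(payload)
    return m.group(1) if m else None


def invalid_case_post(payload: bytes) -> bool:
    """rev:3 logic: method buffer equals 'post' case-insensitively but is not
    the canonical upper-case 'POST'."""
    method = http_method(payload)
    if method is None:
        return False
    return method.lower() == b"post" and method != b"POST"


def evaluate(samples=SAMPLES):
    """Run both checks over every sample; returns {name: {check: fired}}."""
    return {
        name: {
            "naive": naive_payload_match(payload),
            "method_aware": invalid_case_post(payload),
        }
        for name, payload in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:16s} naive={result['naive']!s:5s} method_aware={result['method_aware']}")
```

The point the script makes is the one Francis describes: the depth-only match fires on "nypost" in a Host header and on every legitimate POST, while restricting the match to the parsed method token fires only on the mixed-case request. It also shows why the engine's protocol classification matters: if an engine never populates a method buffer for a request it does not consider HTTP, the method-aware form cannot fire on it, which is exactly the disagreement between the quoted messages that the pcap was meant to settle.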