[Oisf-users] [Emerging-Sigs] SID: http://docs.emergingthreats.net/2014380/

Victor Julien lists at inliniac.net
Mon Dec 12 20:49:20 UTC 2016


On 12-12-16 21:40, Francis Trudeau wrote:
> alert http any any -> any any (msg:"HTTP TEST"; sid:3030303; rev:1;)
> 
> Does not hit on:
> 
> http://dropcanvas.com/iaq1w
> 
> I had a couple of the guys double check.  Tested 2.0.8, 2.0.9, 3.1.3,
> and 3.2dev (rev 94bc7e5), which I just pulled.
> 
> Here's the headers from that pcap (defanged):
> 
> poSt /armstrong/summertime.php HTTP/1.1
> Content-Length: 0
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
> Host: apex(.)godsreal(.)com
> Connection: Keep-Alive
> 
> If you get different results, something is amiss.

That is an interesting corner case. The server doesn't talk back HTTP,
but only sends a HTML payload. This causes the detection to fail on both
sides. I guess we can make the client side of the detection more liberal
(caseless) to deal with such cases. I will have a look.

Thanks,
Victor


> 
> ft
> 
> 
> 
> 
> On Mon, Dec 12, 2016 at 1:11 PM, Francis Trudeau
> <ftrudeau at emergingthreats.net> wrote:
>> Sure thing, I'll double check and send the pcap we used last week, stand by.
>>
>> ft
>>
>>
>>
>> On Mon, Dec 12, 2016 at 12:50 PM, Victor Julien <lists at inliniac.net> wrote:
>>> On 12-12-16 20:48, Duane Howard wrote:
>>>> forking thread to oisf-users...
>>>>
>>>> On Mon, Dec 12, 2016 at 11:42 AM, Francis Trudeau
>>>> <ftrudeau at emergingthreats.net> wrote:
>>>>
>>>>     We were seeing FP reports on this as just the depth wasn't doing
>>>>     enough to make sure the sig was matching on the HTTP headers.
>>>>
>>>>     Suricata, because the POST isn't capitalized, doesn't consider this
>>>>     HTTP so we couldn't use the HTTP buffers.  Snort on the other hand
>>>>     looks at this as HTTP, because of the ports, so we could do this:
>>>>
>>>> is this a known bug in libhtp? Or rather is it expected? This seems like
>>>> a bad decision from an IDS perspective?
>>>
>>> Waiting for a PCAP but pretty sure the claim is inaccurate.
>>>
>>> Cheers,
>>> Victor
>>>
>>>
>>>>
>>>>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>>>>     HTTP POST invalid method case outbound"; flow:established,to_server;
>>>>     content:"post"; http_method; nocase; content:!"POST"; http_method;
>>>>     reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
>>>>     classtype:bad-unknown; sid:2014380; rev:3;)
>>>>
>>>>     The rule that was FPing was rev:2, the Suricata sig skipped from
>>>>     rev:2 to rev:4 due to internal processes that made it skip a rev in
>>>>     the final output.  The docs page uses the Suricata version as we are
>>>>     partial to Suricata ;)
>>>>
>>>>     Are you seeing FPs with rev:3 of the Snort signature?
>>>>
>>>>     ft
>>>>
>>>>
>>>>
>>>>
>>>>     On Mon, Dec 12, 2016 at 8:59 AM, Jim McKibben
>>>>     <jmckibben at riskanalytics.com> wrote:
>>>>
>>>>         The rev 4 of this rule isn't included in
>>>>         the https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz
>>>>         package.
>>>>
>>>>         Is there a reason for this? It is FPing for sites that contain
>>>>         the text "post" such as nypost.com and such.
>>>>         Jim McKibben
>>>>         Security Analyst GSEC GWAPT
>>>>         Office / 913-685-6588
>>>>         Mobile / 573-424-4848
>>>>         jmckibben at riskanalytics.com
>>>>
>>>>         _______________________________________________
>>>>         Emerging-sigs mailing list
>>>>         Emerging-sigs at lists.emergingthreats.net
>>>>         https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>>         Support Emerging Threats! Subscribe to Emerging Threats Pro
>>>>         http://www.emergingthreats.net
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>>>>
>>>
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
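The following is an added example, not code from the thread, from Suricata or from libhtp. It models the client-side behaviour the thread discusses: a strict request-line check that requires the method token to match a known method byte-for-byte (so "poSt" is not classified as HTTP and the http_method buffer never exists), the more liberal caseless check Victor proposes, and the logic of the rev:3 Snort rule quoted above (content:"post"; http_method; nocase; content:!"POST"; http_method;). The `naive_payload_match` function is a constructed stand-in for the earlier revision that matched "post" in the payload rather than the method buffer; its real rule text is not on the page, so it is only an approximation of the nypost.com false positive Jim reports. The first sample is the defanged header block from the thread reassembled into bytes; the other samples are constructed. The model covers only the client side; Victor's point that the server reply was bare HTML rather than an HTTP response is not modelled.

```python
import re

# RFC 7230 request line: method SP request-target SP HTTP-version CRLF.
# Methods are case-sensitive tokens, which is why a strict probe treats
# "poSt" as unknown.
KNOWN_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                 b"OPTIONS", b"TRACE", b"CONNECT")
REQUEST_LINE_RE = re.compile(rb"^([A-Za-z]+) (\S+) HTTP/1\.[01]\r\n")

# Sample 1: the defanged header block posted in the thread, reassembled.
SAMPLE_POST_MIXED_CASE = (
    b"poSt /armstrong/summertime.php HTTP/1.1\r\n"
    b"Content-Length: 0\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    b"Host: apex(.)godsreal(.)com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
# Samples 2-4: constructed for this example.
SAMPLE_GET_NYPOST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.nypost.com\r\n"
    b"User-Agent: constructed-sample/1.0\r\n\r\n"
)
SAMPLE_POST_UPPER = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_HTML_ONLY = b"<html><body>not an HTTP request line</body></html>"


def parse_request_line(raw):
    """Return (method, target) if the data starts with a request line, else None."""
    m = REQUEST_LINE_RE.match(raw)
    if m is None:
        return None
    return m.group(1), m.group(2)


def looks_like_http_request(raw, caseless=False):
    """Model of client-side protocol detection.

    caseless=False: the method must equal a known method exactly (the strict
    behaviour the thread describes). caseless=True: the more liberal check
    Victor proposes, where "poSt" is accepted as POST.
    """
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method = parsed[0]
    if caseless:
        method = method.upper()
    return method in KNOWN_METHODS


def rule_2014380_matches(method):
    """content:"post"; http_method; nocase;  content:!"POST"; http_method;

    Both keywords are substring matches on the method buffer, mirroring
    content semantics: a caseless hit on "post" AND no case-sensitive "POST".
    """
    return b"post" in method.lower() and b"POST" not in method


def evaluate(raw, caseless=False):
    """Return (is_http, alert).

    If the stream is not classified as HTTP the http_method buffer is never
    populated, so the rule cannot fire whatever the bytes contain.
    """
    if not looks_like_http_request(raw, caseless):
        return False, False
    method, _ = parse_request_line(raw)
    return True, rule_2014380_matches(method)


def naive_payload_match(raw, depth=200):
    """Constructed approximation of a rule that searches for "post" caselessly
    in the first `depth` payload bytes instead of the method buffer. It fires
    on a Host header such as www.nypost.com, which is the FP class reported."""
    return b"post" in raw[:depth].lower()


if __name__ == "__main__":
    samples = [("poSt (thread sample)", SAMPLE_POST_MIXED_CASE),
               ("GET nypost.com", SAMPLE_GET_NYPOST),
               ("POST upper", SAMPLE_POST_UPPER),
               ("bare HTML", SAMPLE_HTML_ONLY)]
    print(f"{'sample':22} {'strict':>14} {'caseless':>14} {'naive':>6}")
    for name, raw in samples:
        print(f"{name:22} {str(evaluate(raw, False)):>14} "
              f"{str(evaluate(raw, True)):>14} {str(naive_payload_match(raw)):>6}")
```

Running the block prints one row per sample: with the strict probe the "poSt" request is (False, False), not HTTP and therefore no alert; with the caseless probe it becomes (True, True); the upper-case POST and the nypost.com GET are HTTP but do not fire the method-buffer rule, while the naive payload match fires on both of them.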



