[Oisf-users] [Emerging-Sigs] SID: http://docs.emergingthreats.net/2014380/

Duane Howard duane.security at gmail.com
Mon Dec 12 22:47:29 UTC 2016


Thanks all for clearing this up!

On Mon, Dec 12, 2016 at 12:49 PM, Victor Julien <lists at inliniac.net> wrote:

> On 12-12-16 21:40, Francis Trudeau wrote:
> > alert http any any -> any any (msg:"HTTP TEST"; sid:3030303; rev:1;)
> >
> > Does not hit on:
> >
> > http://dropcanvas.com/iaq1w
> >
> > I had a couple of the guys double check.  Tested 2.0.8, 2.0.9, 3.1.3,
> > and 3.2dev (rev 94bc7e5), which I just pulled.
> >
> > Here's the headers from that pcap (defanged):
> >
> > poSt /armstrong/summertime.php HTTP/1.1
> > Content-Length: 0
> > Accept: */*
> > User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
> > Host: apex(.)godsreal(.)com
> > Connection: Keep-Alive
> >
> > If you get different results, something is amiss.
>
> That is an interesting corner case. The server doesn't talk back HTTP,
> but only sends an HTML payload. This causes the detection to fail on both
> sides. I guess we can make the client side of the detection more liberal
> (caseless) to deal with such cases. I will have a look.
>
> Thanks,
> Victor
>
>
> >
> > ft
> >
> >
> >
> >
> > On Mon, Dec 12, 2016 at 1:11 PM, Francis Trudeau
> > <ftrudeau at emergingthreats.net> wrote:
> >> Sure thing, I'll double check and send the pcap we used last week, stand by.
> >>
> >> ft
> >>
> >>
> >>
> >> On Mon, Dec 12, 2016 at 12:50 PM, Victor Julien <lists at inliniac.net> wrote:
> >>> On 12-12-16 20:48, Duane Howard wrote:
> >>>> forking thread to oisf-users...
> >>>>
> >>>> On Mon, Dec 12, 2016 at 11:42 AM, Francis Trudeau
> >>>> <ftrudeau at emergingthreats.net> wrote:
> >>>>
> >>>>     We were seeing FP reports on this as just the depth wasn't doing
> >>>>     enough to make sure the sig was matching on the HTTP headers.
> >>>>
> >>>>     Suricata, because the POST isn't capitalized, doesn't consider this
> >>>>     HTTP so we couldn't use the HTTP buffers.  Snort on the other hand
> >>>>     looks at this as HTTP, because of the ports, so we could do this:
> >>>>
> >>>> is this a known bug in libhtp? Or rather is it expected? This seems like
> >>>> a bad decision from an IDS perspective?
> >>>
> >>> Waiting for a PCAP but pretty sure the claim is inaccurate.
> >>>
> >>> Cheers,
> >>> Victor
> >>>
> >>>
> >>>>
> >>>>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> >>>>     HTTP POST invalid method case outbound"; flow:established,to_server;
> >>>>     content:"post"; http_method; nocase; content:!"POST"; http_method;
> >>>>     reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
> >>>>     classtype:bad-unknown; sid:2014380; rev:3;)
> >>>>
> >>>>     The rule that was FPing was rev:2, the Suricata sig skipped from
> >>>>     rev:2 to rev:4 due to internal processes that made it skip a rev in
> >>>>     the final output.  The docs page uses the Suricata version as we are
> >>>>     partial to Suricata ;)
> >>>>
> >>>>     Are you seeing FPs with rev:3 of the Snort signature?
> >>>>
> >>>>     ft
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>     On Mon, Dec 12, 2016 at 8:59 AM, Jim McKibben
> >>>>     <jmckibben at riskanalytics.com> wrote:
> >>>>
> >>>>         The rev 4 of this rule isn't included in the
> >>>>         https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz
> >>>>         package.
> >>>>
> >>>>         Is there a reason for this? It is FPing for sites that contain
> >>>>         the text "post" such as nypost.com and such.
> >>>>         _______________________________________________
> >>>>         Emerging-sigs mailing list
> >>>>         Emerging-sigs at lists.emergingthreats.net
> >>>>         https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>>
> >>>>         Support Emerging Threats! Subscribe to Emerging Threats Pro
> >>>>         http://www.emergingthreats.net
> >>>> _______________________________________________
> >>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
> >>>>
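As an added illustration of the corner case discussed in the thread (this is not code from the thread, from Emerging Threats or from Suricata), the following Python snippet contrasts strict and caseless recognition of the HTTP request-line method on constructed sample lines, and emulates the intent of the `content:"post"; http_method; nocase; content:!"POST"; http_method;` check in sid 2014380: the invalid-case check can only fire once the request has been recognised as HTTP at all, which is exactly what a strict (uppercase-only) method parser prevents. The method set and request-line regex are simplified assumptions, not libhtp's parser.

```python
import re

# Constructed sample request lines. The first one mirrors the request line
# from the defanged pcap headers quoted in the thread.
SAMPLE_REQUESTS = [
    "poSt /armstrong/summertime.php HTTP/1.1",
    "POST /login HTTP/1.1",
    "get /index.html HTTP/1.0",
    "GET / HTTP/1.1",
    "BREW /pot-1 HTCPCP/1.0",
]

# Assumed, simplified method table (RFC 2616 section 9 methods).
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Za-z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)$")


def parse_request_line(line, caseless=False):
    """Return (method, target, version) or None if the line is not seen as HTTP.

    caseless=False: the method must be an exact uppercase token (strict parser).
    caseless=True:  the method is compared case-insensitively (liberal parser).
    """
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    method = m.group("method")
    key = method.upper() if caseless else method
    if key not in HTTP_METHODS:
        return None
    return method, m.group("target"), m.group("version")


def invalid_method_case(line):
    """Emulate the intent of sid 2014380: method is 'post' ignoring case but is
    not literally 'POST'. Requires the caseless parser to see the line as HTTP."""
    parsed = parse_request_line(line, caseless=True)
    if parsed is None:
        return False
    method = parsed[0]
    return method.upper() == "POST" and method != "POST"


def classify(lines):
    """Per line: (line, strict_sees_http, caseless_sees_http, invalid_case_fires)."""
    return [(line,
             parse_request_line(line) is not None,
             parse_request_line(line, caseless=True) is not None,
             invalid_method_case(line)) for line in lines]
```

Running `classify(SAMPLE_REQUESTS)` shows the "poSt" line is invisible to the strict parser (so no HTTP buffer, no alert) but is recognised and flagged by the caseless one, while an ordinary "POST" is recognised by both and never flagged.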