This is a discussion on Re: [Snort-users] snort http_inspect within the Snort forums, part of the System Security and Security Related category.
Hey Matteo,
I've run the exact same thing in my lab, and Snort picks up the chunked encoding, as well as the http_inspect alert you mentioned. I tested this using Nessus 2.0.10a and its Apache Chunked Encoding vulnerability plugin. Perhaps your attack simply doesn't match the rule. A packet trace might help.

sgt_b

nyarlathothep@libero.it wrote:

> Hello everyone,
> I have a question about the use of Snort's preprocessors:
> I've installed Snort on a Linux box and I've tried from outside to do an APACHE
> CHUNKED ENCODE (Bugtraq ID: 5033, CVE:).
> Snort records in the database only the http_inspect data, so: (http_inspect)
> OVERSIZE CHUNK ENCODING
> but it doesn't activate the rules, one of those I think:
>
> web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase; classtype:web-application-attack; reference:bugtraq,4474; reference:cve,CAN-2002-0079;reference:bugtraq,5033; reference:cve,CAN-2002-0392; sid:1809; rev:2;)
>
> web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase; classtype:web-application-attack; reference:bugtraq,4474; reference:cve,CAN-2002-0079; reference:bugtraq,5033; reference:cve,CAN-2002-0392; sid:1807; rev:2;)
>
> web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0 50 52 89 E1 50 51 52 50 B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,CAN-2002-0392; classtype:web-application-activity; sid:1808; rev:3;)
>
> In fact I need the rules that show me the correct ref ID (bugtraq and so on) to
> correlate the snort data with the VA.
>
> Could someone help me? Do I have to deactivate the preprocessor?
>
> Thanks,
>
> Matteo
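Added example, not code from the thread or from Snort itself: a minimal Python matcher that parses the two header-based rules quoted above (sid 1807 and sid 1809), runs their content options over two constructed requests, and returns the bugtraq/CVE references per sid, which is the correlation key Matteo is after. It ignores flow, classtype and http_inspect normalisation, so it only shows why a generic chunked request satisfies sid 1807 but never the worm-specific content of sid 1809.

```python
import re

# The two header-matching rules quoted in the thread (sid 1809 and sid 1807).
RULE_TEXT = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; '
    r'content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase; classtype:web-application-attack; '
    'reference:bugtraq,4474; reference:cve,CAN-2002-0079; reference:bugtraq,5033; '
    'reference:cve,CAN-2002-0392; sid:1809; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established; '
    r'content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase; '
    'classtype:web-application-attack; reference:bugtraq,4474; '
    'reference:cve,CAN-2002-0079; reference:bugtraq,5033; reference:cve,CAN-2002-0392; '
    'sid:1807; rev:2;)',
]
# One rule option: key:"quoted"; or key:value; or a bare modifier such as nocase;
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def decode_content(raw):
    # Snort content string -> bytes: |..| segments are hex, a backslash escapes one char
    return b''.join(bytes.fromhex(s) if i % 2 else re.sub(r'\\(.)', r'\1', s).encode('latin-1')
                    for i, s in enumerate(raw.split('|')))

def parse_rule(line):
    """Keep only what correlation needs: sid, msg, references and content patterns."""
    rule = {'sid': None, 'msg': '', 'refs': [], 'contents': []}
    for key, val in OPT_RE.findall(line[line.index('(') + 1:line.rindex(')')]):
        if key == 'content':
            rule['contents'].append([decode_content(val.strip('"')), False])
        elif key == 'nocase':  # modifier applies to the preceding content
            rule['contents'][-1][1] = True
        elif key == 'reference':
            rule['refs'].append(tuple(val.split(',', 1)))
        elif key in ('sid', 'msg'):
            rule[key] = int(val) if key == 'sid' else val.strip('"')
    return rule

RULES = [parse_rule(r) for r in RULE_TEXT]

def alerts(payload):
    """sid -> (msg, references) for each rule whose content options all occur in payload."""
    return {r['sid']: (r['msg'], r['refs']) for r in RULES
            if all((p.lower() in payload.lower()) if nc else (p in payload)
                   for p, nc in r['contents'])}

# Constructed sample requests, not captures from the thread.
PLAIN_CHUNKED = b"POST / HTTP/1.1\r\nHost: lab\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
WORM_HEADERS = b"POST / HTTP/1.1\r\nHost: lab\r\nTransfer-Encoding: chunked\r\nCCCCCCC: AAAAAAAAAAAAAAAAAAA\r\n\r\n0\r\n\r\n"
```

Calling `alerts(PLAIN_CHUNKED)` yields only sid 1807 with its references, while `alerts(WORM_HEADERS)` yields both 1807 and 1809; the preprocessor alert Matteo sees is raised before rule matching and carries no reference field of its own.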