List:       arachnids
Subject:    [arachNIDS] Re: [Snort-users] on rules and http preprocessor (a comment)
From:       Max Vision <vision () whitehats ! com>
Date:       2000-10-09 8:55:02

On Mon, 9 Oct 2000, Fyodor wrote:
> By the way just was testing snort rules and noticed that snort doesn't
> trigger alert if you have a rule saying `content: "%20%2e.blah"', and
> have an http preprocessor enabled. instead you will have to use
> `content: |20 2e|.blah' or something... but as you see it will also
> match a packet which contained ` ..blah' data f.e. In most cases it
> would be the same but some rules are looking for %2e%2e%2e packets
> explicitly.. for this case we will have to think of the way around, if
> possible..
> Any thoughts would be welcome of course ;-)
> 

There are a few approaches to this problem - one is simply to pattern
match for whatever the %## url-encoded string represents.  But if you want
to look for something containing the percent sign you can just use |25| to
get a literal match.

For example to match "%20%2e.blah" with the http preprocessor active you
could just replace the string with " ..blah", or if you specifically
wanted to catch the fact that someone used a url-encoding attack against
you, then "|25|20|25|2e.blah" would do the trick.

Max Vision
http://whitehats.com/

