List: snort-sigs
Subject: [Snort-sigs] FP: COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host ..
From: "Chich Thierry" <thierry.chich () ac-clermont ! fr>
Date: 2006-04-19 9:43:51
Message-ID: 200604191143.51176.thierry.chich () ac-clermont ! fr
Hi,
I have a lot of false positives with the rule 100000170.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY
WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host
Parameter"; flow:to_server,established; content:"Host"; nocase;
pcre:"/^Host[^\r\n]{100,}/smi"; reference:bugtraq,15081; ...)
As I understand this rule, it tries to find packets that begin with Host followed
by 100 chars that are not \r\n (0d 0a). In the following trace, it doesn't
work. I don't understand why, since there is a beautiful 0d 0a after the host
name, and there is no "host.*" in the name of the host.
0x0020: xxxx xxxx xxxxx xxxx xxxxx xxxx 2f63 7264 P...r...GET./crd
0x0030: 702f 5465 7874 652e 6874 6d20 4854 5450 p/Texte.htm.HTTP
0x0040: 2f31 2e31 0d0a 4163 6365 7074 3a20 696d /1.1..Accept:.im
0x0050: 6167 652f 6769 662c 2069 6d61 6765 2f78 age/gif,.image/x
0x0060: 2d78 6269 746d 6170 2c20 696d 6167 652f -xbitmap,.image/
0x0070: 6a70 6567 2c20 696d 6167 652f 706a 7065 jpeg,.image/pjpe
0x0080: 672c 2061 7070 6c69 6361 7469 6f6e 2f78 g,.application/x
0x0090: 2d73 686f 636b 7761 7665 2d66 6c61 7368 -shockwave-flash
0x00a0: 2c20 6170 706c 6963 6174 696f 6e2f 766e ,.application/vn
0x00b0: 642e 6d73 2d65 7863 656c 2c20 6170 706c d.ms-excel,.appl
0x00c0: 6963 6174 696f 6e2f 766e 642e 6d73 2d70 ication/vnd.ms-p
0x00d0: 6f77 6572 706f 696e 742c 2061 7070 6c69 owerpoint,.appli
0x00e0: 6361 7469 6f6e 2f6d 7377 6f72 642c 2061 cation/msword,.a
0x00f0: 7070 6c69 6361 7469 6f6e 2f78 2d67 7361 pplication/x-gsa
0x0100: 7263 6164 652d 6c61 756e 6368 2c20 6170 rcade-launch,.ap
0x0110: 706c 6963 6174 696f 6e2f 782d 6963 712c plication/x-icq,
0x0120: 202a 2f2a 0d0a 5265 6665 7265 723a 2068 .*/*..Referer:.h
0x0130: 7474 703a 2f2f xxxx xxxx xxxxx xxxx xxxx ttp://xxxx.xxxxx
0x0140: xxxx xxxx xxxxx xxxx xxxx xxxx xxxx 2f69 xxxx.xx/xxxxx/i
0x0150: 6e64 6578 2e68 746d 6c0d 0a41 6363 6570 ndex.html..Accep
0x0160: 742d 4c61 6e67 7561 6765 3a20 6465 0d0a t-Language:.de..
0x0170: 4163 6365 7074 2d45 6e63 6f64 696e 673a Accept-Encoding:
0x0180: 2067 7a69 702c 2064 6566 6c61 7465 0d0a .gzip,.deflate..
0x0190: 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69 User-Agent:.Mozi
0x01a0: 6c6c 612f 342e 3020 2863 6f6d 7061 7469 lla/4.0.(compati
0x01b0: 626c 653b 204d 5349 4520 362e 303b 2057 ble;.MSIE.6.0;.W
0x01c0: 696e 646f 7773 204e 5420 352e 313b 2053 indows.NT.5.1;.S
0x01d0: 5631 3b20 2e4e 4554 2043 4c52 2031 2e31 V1;..NET.CLR.1.1
0x01e0: 2e34 3332 3229 0d0a 486f 7374 3a20 6372 .4322)..Host:.xx
0x01f0: xxxx xxxx xxxx xxxxx xxxxx xxxxx xxxx xxxxx xx.xxxxxxxxxxx.x
0x0200: xx0d 0a43 6f6e 6e65 6374 696f 6e3a 204b x..Connection:.K
0x0210: 6565 702d 416c 6976 650d 0a0d 0a eep-Alive....
Just a question: is there a good reason to limit the size to 100? RFC
1034 limits the size of a hostname to 254.
Thierry.
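The following is an added example, not part of the original message and not Snort's own matching code. It re-creates the logic of rule 100000170 as posted (content:"Host"; nocase; followed by pcre:"/^Host[^\r\n]{100,}/smi") with Python's re module, whose s/m/i flags behave the same as PCRE's for this pattern, and sets it beside a proper header parse that isolates the actual Host value. Running both over a request lets an analyst see whether an alert corresponds to a genuinely long Host header. The three requests are constructed for the example (the benign one is modelled on the trace above, with example.org in place of the masked hostname); the 100-character threshold is the one in the rule, and the function names are mine.

```python
import re

# The pcre from community rule 100000170, as posted in the message above.
# /s only changes '.', which the pattern does not use; /m makes '^' match
# at the start of every line of the payload, /i makes "Host" case-insensitive.
RULE_PCRE = re.compile(rb"^Host[^\r\n]{100,}", re.S | re.M | re.I)
LIMIT = 100  # threshold used by the rule


def rule_matches(request: bytes) -> bool:
    """Approximate the rule: content:"Host"; nocase; then the pcre (not relative)."""
    if b"host" not in request.lower():
        return False
    return RULE_PCRE.search(request) is not None


def host_header_value(request: bytes):
    """Parse the request head and return the value of the Host header, or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    for line in lines[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip()
    return None


def host_is_long(request: bytes, limit: int = LIMIT) -> bool:
    """True when the Host header value itself reaches the threshold.

    Note the rule's regex counts from right after the word "Host", so the
    colon and following space also count toward its 100 characters.
    """
    value = host_header_value(request)
    return value is not None and len(value) >= limit


def classify(request: bytes, limit: int = LIMIT) -> str:
    """Compare what the rule fires on with what the Host header really contains."""
    fired = rule_matches(request)
    long_host = host_is_long(request, limit)
    if fired and long_host:
        return "true positive"
    if fired and not long_host:
        return "false positive"
    if long_host:
        return "missed"
    return "clean"


# Constructed sample requests (not captured traffic).
BENIGN = (
    b"GET /crdp/Texte.htm HTTP/1.1\r\n"
    b"Accept: image/gif, image/x-xbitmap, image/jpeg, application/msword, */*\r\n"
    b"Referer: http://www.example.org/index.html\r\n"
    b"Accept-Language: de\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Host: www.example.org\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Host header of 150 characters: what the rule is meant to catch.
LONG_HOST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: " + b"a" * 150 + b"\r\n"
    b"Connection: close\r\n\r\n"
)

# Short Host header, but a body line starting with "host": because the pcre
# is anchored with /m and /i on the whole payload, it is not restricted to
# the Host header and fires on this line as well.
BODY_LINE = (
    b"POST /form HTTP/1.1\r\n"
    b"Host: www.example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 129\r\n\r\n"
    b"hostname=" + b"b" * 120
)


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("long host", LONG_HOST), ("body line", BODY_LINE)):
        print(f"{label:10s} rule fires={rule_matches(req)!s:5s} -> {classify(req)}")
```

Pointing the script at a request reassembled from a capture (for example the bytes of the trace above with the masked octets filled in from the original pcap) shows immediately whether the Host value is anywhere near the threshold, which is the first thing to check before tuning or disabling the rule.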
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs