Here is the rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/";
isdataat:6,relative; content:!"|0A|"; within:5; reference:bugtraq,9809;
reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:6;)
Here is da breakdown (for those that are interested, l33t can ignore):
This rule finds the string "HTTP/" and then verifies that there are 6 bytes
after the string "HTTP/".
Then the rule sees that within 5 bytes of the string, that there is no new
line charater: content:!"|0A|";
Standard HTTP versions would have "HTTP/1.0.." where .. represents a
carriage return and a line feed "0D 0A".
However, this rule will trigger if the string "HTTP/" is anywhere in the
packet:
040 : 48 54 54 50 2F 53 20 43 6F 6D 70 6F 6E 65 6E 74 HTTP/S Component
I was thinking about maybe adding depth to check the initial HTTP version
but the GET request could be of any length. I am seeing if I can make a rule
to check the initial header and ignore all other HTTP/ strings. (nnposter
might have an idea :-)
This may be a case where you have to create a pass rule ahead of this rule
to pass that traffic.(of course someone on the list please jump in with a
better solution).
Shirkdog
From: Michael Schwartzkopff <misch@multinet.de>
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] False positive alert: sid:2570
Date: Tue, 26 Oct 2004 10:12:26 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here is a false positive warning for rule 2570. The HTTP client IP*Works
from /n Software triggers this rule. Please see the HTTP client request and
the snort slert below:
-
-----------------------------------------------------------------------------
- - #(1 - 46198) [2004-10-26 00:47:41] nessus[bugtraq/9809] [snort/2570]
WEB-MISC Invalid HTTP Version String IPv4: 212.88.236.17 -> 80.146.208.29
hlen=5 TOS=0 dlen=161 ID=22603 flags=0 offset=0 TTL=113 chksum=53233
TCP: port=7088 -> dport: 80 flags=***AP*** seq=48490688
ack=4105714494 off=5 res=0 win=65535 urp=0 chksum=8205
Payload: length = 121
000 : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A GET / HTTP/1.0..
010 : 48 6F 73 74 3A 20 77 77 77 2E 6D 75 6C 74 69 6E Host: www.multin
020 : 65 74 2E 64 65 0D 0A 55 73 65 72 2D 41 67 65 6E et.de..User-Agen
030 : 74 3A 20 49 50 2A 57 6F 72 6B 73 21 20 56 35 20 t: IP*Works! V5
040 : 48 54 54 50 2F 53 20 43 6F 6D 70 6F 6E 65 6E 74 HTTP/S Component
050 : 20 2D 20 62 79 20 2F 6E 20 73 6F 66 74 77 61 72 - by /n softwar
060 : 65 20 2D 20 77 77 77 2E 6E 73 6F 66 74 77 61 72 e - www.nsoftwar
070 : 65 2E 63 6F 6D 0D 0A 0D 0A e.com....
- -------------------------------------------------------
- --
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBfgbvqndXpO3Yl5sRAn70AKCWooeNBzC+5f20Z6AyrM6XG+LQFQCgpdGi
xhRj8yLi0h9FQFiDrFpSEJM=
=OUna
-----END PGP SIGNATURE-----
_________________________________________________________________
Don?t just search. Find. Check out the new MSN Search!
http://search.msn.click-url.com/go/onm00200636ave/direct/01/
-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
