
| Subject: | RE: [Snort-users] consensus on BASE |
|---|---|
| Date: | Thu, 1 Jun 2006 19:38:20 -0700 (PDT) |
I love sguil. It makes it easy to get the information you most often want, and possible to get the rest - and it scales to millions of events.

--- snort-users-request@lists.sourceforge.net wrote:
Today's Topics:
1. RE: consensus on BASE (John Hally)
2. Snort In-Line on a Linux host running as a Bridge (Sam Evans)
3. RE: [Snort-devel] Possible Evasion in http_inspect (Joel Ebrahimi)
--__--__--
Message: 1
From: John Hally <JHally@epnet.com>
To: snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] consensus on BASE
Date: Thu, 1 Jun 2006 08:22:16 -0400
I run both BASE and commercial Aanval. Aanval is a very good console for the price ($99/sensor) and has many more reporting features and such.

I agree w/ the observations of sguil that it can be a pain to install.
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On
Behalf Of John Newman
Sent: Friday, May 26, 2006 12:44 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] consensus on BASE
Is the consensus that BASE is the best web front-end for snort out there (and I mean free, open source stuff)? What are people's experiences with sguil (which I realize is not web based)?
thanks,
--
John Newman
Systems Administrator, WebXess Inc.
--__--__--
Message: 2
Date: Thu, 1 Jun 2006 08:52:55 -0600
From: "Sam Evans" <wintrmte@gmail.com>
To: "snort-users @lists.sourceforge.net" <snort-users@lists.sourceforge.net>
Subject: [Snort-users] Snort In-Line on a Linux host running as a Bridge
All,
I was wondering if anyone has any documentation on using Snort In-Line on a Linux host acting as a bridge? I have never done this before (always use ip forwarding) but the project I am on is requiring that I bridge.

If anyone can point me in the right direction, I would appreciate it.
Thx,
Sam
--__--__--
Message: 3
Date: Thu, 1 Jun 2006 09:19:58 -0700
From: "Joel Ebrahimi" <jebrahimi@demarc.com>
To: <snort-users@lists.sourceforge.net>
Subject: [Snort-users] RE: [Snort-devel] Possible Evasion in http_inspect
It doesn't appear that the email I sent out prior to this to both the devel list and users list ever made it through entirely (I see it on the marc mirror but I never got it sent to me and it never seems to have made it to users).

Since the bypass is trivial to implement I would hope that this patch could get reviewed by the devel/user community asap.

Reposting yesterday's message below.
----------------------------------------------------------
A large scale Snort evasion has been discovered by Blake Hartstein, a member of the Demarc Threat Research Team.

The evasion technique allows an attack to bypass detection of "uricontent" rules by adding a carriage return to the end of a URL, directly before the HTTP protocol declaration.

This affects thousands of rules in the standard Snort base rule sets.

Due to the seriousness of this vulnerability, we have developed a working patch for public review. See below.

This patch addresses the carriage return bug and should catch the known evasion attempts but further research needs to be done to determine if there are any other possible impacts of this bug. The detection for evasion is turned on by default under all profiles but can also be used as a server configuration option:

-----HTTP Inspect Server Configuration-----

non_std_cr <yes|no>

This option generates an alert when a non standard carriage return character is detected in the URI.

-----end-----

More information including a pre-patched tarball, a simple proof of concept, and a copy of this patch can be found at
http://www.demarc.com/support/downloads/patch_20060531
With the release of this information we have also released a fix to all our Sentarus customers. If your auto-updates are turned on, then a patch and all related updates have already been applied, or you can go into your Sentarus management console and request an immediate update.

// Joel

Joel Ebrahimi
Demarc Security, Inc.
jebrahimi@demarc.com
http://www.demarc.com/

-----Patch for Snort-2.4.4--

diff -Nuar
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
---
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
= 2005-03-16 13:52:18.000000000 -0800 +++
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
=
2006-05-30 22:54:44.000000000 -0700
@@ -40,6 +40,7 @@
=20
#define URI_END 1
#define NO_URI -1
+#define CR_IN_URI 18=20
#define INVALID_HEX_VAL -1
=20
/**
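Review bot: the new return code `#define CR_IN_URI 18` reuses the numeric value of the event id `HI_EO_CLIENT_CR_IN_URI 18` from hi_eo_events.h, yet the two live in different namespaces (a scanner return value next to `URI_END 1` / `NO_URI -1` versus an index into the client event table), so the shared 18 suggests a coupling that does not exist; pick a small value alongside the other return codes, e.g. `#define CR_IN_URI 2`, and drop the trailing whitespace on that line.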
@@ -455,6 +456,11 @@
return URI_END;
}
=20
+ if(isspace(**ptr) )
+ {
+ return CR_IN_URI;
+ }
+
return NO_URI;
}
=20
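Review bot: `isspace(**ptr)` fires on TAB, LF, VT and FF as well as CR, so the check is wider than the event name "NON-STD CARRIAGE RETURN IN URI" and the `non_std_cr` option name suggest, and a tab in the URI, which the existing `tab_uri_delimiter` option already covers, would now also be reported as a non-standard carriage return; either test `**ptr == '\r'` explicitly or rename the event to say non-standard whitespace. Also cast the byte to `unsigned char` before handing it to `isspace()`, since a plain `char` above 0x7F is negative on most platforms and makes the call undefined.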
@@ -1345,8 +1351,21 @@
*/
break;
}
+ else if(iRet =3D=3D CR_IN_URI)
+ {
+ =
if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert))
+ {
+ =
hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert,
+ NULL, NULL);
+ }
+ break;
+ }
+
+
+
else /* NO_URI */
{
+
/*
** Check for chunk encoding,
because the delimiter =
can
** also be a space, which
would look like a =
pipeline request
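Review bot: in the `CR_IN_URI` branch the alert is gated on `ServerConf->non_std_cr.alert` but the `break` that ends the scan runs unconditionally, so a server configured with `non_std_cr no` still gets the new handling of a whitespace byte in the URI and loses only the alert; if the option is meant to switch the behaviour off, test `ServerConf->non_std_cr.on` before taking this branch instead of falling through to the `NO_URI` path. The three empty `+` lines after the branch and the empty `+` line inside the `else` block are stray whitespace and should go.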
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
---
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
= 2004-03-11 14:25:53.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
2006-05-30 10:27:49.000000000 -0700
@@ -64,7 +64,9 @@
{HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY,
HI_EO_CLIENT_PROXY_USE_STR },
{HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY,
- HI_EO_CLIENT_WEBROOT_DIR_STR }
+ HI_EO_CLIENT_WEBROOT_DIR_STR },
+ { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY,
+ HI_EO_CLIENT_CR_IN_URI_STR },
};
=20
static HI_EVENT_INFO =
anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM]
=3D {
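Review bot: if this table is looked up by event id, which the `HI_EO_CLIENT_EVENT_NUM` sizing suggests, the new `{ HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY, ... }` entry lands at index 18 only because it is appended last and the count is bumped to 19 in the same patch; a one-line comment that the order must match hi_eo_events.h would save the next reader a trip. Given the cover mail's point that one byte defeats "uricontent" rules across thousands of signatures, `HI_EO_MED_PRIORITY` also reads low next to `HI_EO_HIGH_PRIORITY` for the webroot traversal event, so say why medium was chosen. Style: the existing entries are written `{HI_EO_CLIENT_PROXY_USE,` without a space after the brace.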
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
---
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
= 2004-03-11 14:25:53.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
=
2006-05-25 13:01:08.000000000 -0700
@@ -24,13 +24,14 @@
#define HI_EO_CLIENT_LARGE_CHUNK 15 /* done */
#define HI_EO_CLIENT_PROXY_USE 16 /* done */
#define HI_EO_CLIENT_WEBROOT_DIR 17 /* done */
+#define HI_EO_CLIENT_CR_IN_URI 18 /* done */
=20
/*
** IMPORTANT:
** Every time you add a client event, this number
must be
** incremented.
*/
-#define HI_EO_CLIENT_EVENT_NUM 18
+#define HI_EO_CLIENT_EVENT_NUM 19
=20
/*
** These defines are the alert names for each
event
@@ -71,6 +72,8 @@
"(http_inspect) UNAUTHORIZED PROXY USE
DETECTED"
#define HI_EO_CLIENT_WEBROOT_DIR_STR
\
"(http_inspect) WEBROOT DIRECTORY TRAVERSAL"
+#define HI_EO_CLIENT_CR_IN_URI_STR
\
+ "(http_inspect) NON-STD CARRIAGE RETURN IN URI"
=20
/*
** Anomalous Server Events
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
---
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
= 2005-03-16 13:52:18.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
=
2006-05-30 09:44:18.000000000 -0700
@@ -113,6 +113,7 @@
HTTPINSPECT_CONF_OPT webroot;
HTTPINSPECT_CONF_OPT apache_whitespace;
HTTPINSPECT_CONF_OPT iis_delimiter;
+ HTTPINSPECT_CONF_OPT non_std_cr;
=20
} HTTPINSPECT_CONF;
=20
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
fig.c --- =
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
= 2005-03-16 13:52:19.000000000 -0800 +++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
fig.c 2006-05-30 23:00:25.000000000 -0700
@@ -117,6 +117,9 @@
=20
GlobalConf->global_server.non_strict =3D 1;
=20
+ GlobalConf->global_server.non_std_cr.on =3D 1;
+ GlobalConf->global_server.non_std_cr.alert =3D
1;
+
return HI_SUCCESS;
}
=20
@@ -209,6 +212,9 @@
=20
ServerConf->tab_uri_delimiter =3D 1;
=20
+ ServerConf->non_std_cr.on =3D 1;
+ ServerConf->non_std_cr.alert =3D 1;
+
return HI_SUCCESS;
}
=20
@@ -279,6 +285,9 @@
=20
ServerConf->non_strict =3D 1;
=20
+ ServerConf->non_std_cr.on =3D 1;
+ ServerConf->non_std_cr.alert =3D 1;
+
return HI_SUCCESS;
}
=20
@@ -349,6 +358,9 @@
=20
ServerConf->tab_uri_delimiter =3D 1;
=20
+ ServerConf->non_std_cr.on =3D 1;
+ ServerConf->non_std_cr.alert =3D 1;
+
return HI_SUCCESS;
}
=20
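Review bot: this hunk and the three before it paste the same two defaults, `non_std_cr.on = 1;` and `non_std_cr.alert = 1;`, into the global server config and each of the per-profile initializers, including the ones that set `tab_uri_delimiter`; the advisory says the evasion applies to Apache-profiled servers, so state in the cover note whether alerting on every profile is intended, and set the default once in a shared place so a profile added later cannot silently miss it.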
diff -Nuar
snort-2.4.4/src/preprocessors/snort_httpinspect.c =
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
--- snort-2.4.4/src/preprocessors/snort_httpinspect.c 2005-08-23 = 08:52:19.000000000 -0700 +++
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
2006-05-30 = 10:33:54.000000000 -0700 @@ -134,6 +134,7 @@ #define GLOBAL_ALERT "no_alerts" #define WEBROOT "webroot" #define TAB_URI_DELIMITER "tab_uri_delimiter" +#define NON_STD_CR "non_std_cr" =20 /* ** Alert subkeywords @@ -1449,6 +1450,15 @@ return iRet; } } + else if(!strcmp(NON_STD_CR, pcToken)) + { + ConfOpt =3D &ServerConf->non_std_cr; + if((iRet =3D ProcessConfOpt(ConfOpt, NON_STD_CR, + ErrorString, ErrStrLen))) + { + return iRet; + } + } else if(!strcmp(IIS_BACKSLASH, pcToken)) { ConfOpt =3D &ServerConf->iis_backslash; @@ -1583,6 +1593,7 @@ PrintConfOpt(&ServerConf->webroot, "Web Root Traversal"); PrintConfOpt(&ServerConf->apache_whitespace, "Apache WhiteSpace"); PrintConfOpt(&ServerConf->iis_delimiter, "IIS Delimiter"); + PrintConfOpt(&ServerConf->non_std_cr, "Non-Std Carriage Return"); =20 if(ServerConf->iis_unicode_map_filename) { =20 -----end----- =20-----Original Message----- 
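Review bot: the `non_std_cr` keyword is parsed with `ProcessConfOpt` and printed with `PrintConfOpt` like the neighbouring server options, but nothing in the patch documents it; the description from the cover mail (`non_std_cr <yes|no>`, alert when a non-standard carriage return is detected in the URI) belongs in the http_inspect README beside `tab_uri_delimiter` and `iis_delimiter`, and it should spell out that `no` suppresses the alert only, since the hi_client.c branch tests `.alert` alone.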
From: snort-devel-admin@lists.sourceforge.net [mailto:snort-devel-admin@lists.sourceforge.net] On Behalf Of Jennifer Steffens
Sent: Wednesday, May 31, 2006 3:28 PM
To: snort-devel@lists.sourceforge.net
Subject: [Snort-devel] Possible Evasion in http_inspect

Sourcefire is aware of a possible Snort evasion that exists in the http_inspect preprocessor. This evasion case only applies to protected Apache web servers. We have prepared fixes for both the 2.4 and 2.6 branches and will have fully tested releases, including binaries, available for both on Monday, June 5th.

Evasion Details:

The Apache web server supports special characters in HTTP requests that do not affect the processing of the particular request. The current target-based profiles for Apache in the http_inspect preprocessor do not properly handle these requests, resulting in the possibility that an attacker can bypass detection of rules that use the "uricontent" keyword by embedding special characters in a HTTP request.

Background Information:

It is important to note that this is an evasion and not a vulnerability. This means that while it is possible for an attacker to bypass detection, Snort sensors and the networks they protect are not at a heightened risk of other attacks.

Timeline:

Sourcefire has prepared fixes and is currently finalizing a complete round of testing to ensure that the fixes not only solve the issue at hand but do not create new bugs as well. The following releases, including binaries for Linux and Windows deployments, will be available on Monday, June 5th:

* Snort v2.4.5
* Snort v2.6.0 final

Questions:

Any questions regarding these releases can be sent to snort-team@sourcefire.com.

Thanks,
Jennifer

--
Jennifer S. Steffens
Director, Product Management - Snort
Sourcefire - Security for the Real World
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org
End of Snort-users Digest
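The http_inspect evasion that Joel Ebrahimi's repost above describes, as an added example and not Snort's or Demarc's code: a small C request-line scanner in the style of the patch, which flags whitespace inside the URI with the same isspace() test the patch uses and goes one step further by stripping those bytes, so that downstream content matching runs over the URI a lenient server would act on. All names here are ours, and the assumption that the server simply ignores the extra bytes (what the Sourcefire note says Apache does with "special characters") is marked in the comments.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes of the per-byte classifier, modelled on the patch's
 * URI_END / NO_URI / CR_IN_URI (values are ours; the patch reuses 18). */
#define URI_BYTE          0   /* ordinary URI byte                           */
#define URI_END           1   /* the single SP that ends the request URI     */
#define NO_URI           -1   /* request line ended before a SP was found    */
#define NONSTD_WS_IN_URI  2   /* CR (or other whitespace) inside the URI     */

#define MAX_URI 512

struct uri_scan {
    size_t start;               /* offset of the first URI byte in the line  */
    size_t end;                 /* offset one past the last URI byte         */
    int    nonstd_ws;           /* flagged whitespace bytes: the alert count */
    char   normalized[MAX_URI]; /* URI with the flagged bytes stripped       */
};

/* Classify one byte at the scanning position.  isspace() is what the patch
 * uses, so TAB, LF, VT and FF are flagged as well as CR; taking an unsigned
 * char avoids undefined behaviour for bytes >= 0x80 where char is signed. */
static int classify_uri_byte(unsigned char c)
{
    if (c == ' ')   return URI_END;
    if (c == '\0')  return NO_URI;
    if (isspace(c)) return NONSTD_WS_IN_URI;
    return URI_BYTE;
}

/* Scan one request line ("METHOD SP URI SP VERSION", CRLF already removed by
 * the caller).  Returns 0 when a URI was delimited, -1 otherwise.
 * out->nonstd_ws counts whitespace bytes found inside the URI (where the
 * patch raises its alert) and out->normalized holds the URI with those bytes
 * removed.  Assumption: the protected server ignores such bytes, so this is
 * the URI it acts on and the one content rules should be matched against. */
int scan_request_uri(const char *line, struct uri_scan *out)
{
    const char *sp = strchr(line, ' ');
    size_t i, n = 0;

    memset(out, 0, sizeof *out);
    if (sp == NULL)
        return -1;                      /* no method/URI separator at all */
    out->start = (size_t)(sp - line) + 1;

    for (i = out->start; ; i++) {
        int r = classify_uri_byte((unsigned char)line[i]);
        if (r == URI_END || r == NO_URI)
            break;                      /* NO_URI here: "GET /path" (HTTP/0.9) */
        if (r == NONSTD_WS_IN_URI) {
            out->nonstd_ws++;           /* the patch alerts (and stops) here  */
            continue;                   /* we keep going and drop the byte    */
        }
        if (n < MAX_URI - 1)
            out->normalized[n++] = line[i];
    }
    out->end = i;
    out->normalized[n] = '\0';
    return n > 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed request lines: a clean one and one carrying the CR the
     * advisory describes, directly before the protocol declaration. */
    const char *lines[] = { "GET /index.html HTTP/1.0",
                            "GET /cgi-bin/test.cgi\r HTTP/1.0" };
    struct uri_scan s;
    size_t k;

    for (k = 0; k < sizeof lines / sizeof lines[0]; k++) {
        int rc = scan_request_uri(lines[k], &s);
        printf("rc=%d nonstd_ws=%d uri=\"%s\"\n", rc, s.nonstd_ws, s.normalized);
    }
    return 0;
}
```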