[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-devel
Subject:    [Snort-devel] Snort Uricontent Bypass Vulnerability
From:       "Joel Ebrahimi" <jebrahimi () demarc ! com>
Date:       2006-05-31 15:51:23
Message-ID: 82D5657AE1F54347A734BDD33637C8790302BB7A () EXVS01 ! ex ! dslextreme ! net
[Download RAW message or body]

A large scale Snort evasion has been discovered by Blake Hartstein, a member of the \
Demarc Threat Research Team.  
The evasion technique allows an attack to bypass detection of "uricontent" rules by \
adding a carriage return to the end of a URL, directly before the HTTP protocol \
declaration.  
This affects thousands of rules in the standard Snort base rule sets.
 
Due to the seriousness of this vulnerability, we have developed a working patch for \
public review. See below.  
This patch addresses the carriage return bug and should catch the known evasion \
attempts but further research needs to be done to determine if there are any other \
possible impacts of this bug. The detection for evasion is turned on by default under \
all profiles but can also be used as a server configuration option:  
-----HTTP Inspect Server Configuration-----
 
non_std_cr <yes|no>
 
This option generates an alert when a non standard carriage return character is \
detected in the URI.    
-----end-----
 

More information including a pre-patched tarball, a simple proof of concept, and a \
copy of this patch can be found at  HYPERLINK \
"http://www.demarc.com/support/downloads/patch_20060531"http://www.demarc.com/support/downloads/patch_20060531
  
With the release of this information we have also released a fix to all our Sentarus \
customers. If your auto-updates are turned on, then a patch and all related updates \
have already been applied, or you can go into your Sentarus management console and \
request an immediate update.  
 
// Joel 
 
 Joel Ebrahimi
 Demarc Security, Inc.
 HYPERLINK "BLOCKED::mailto:jebrahimi@demarc.com"jebrahimi@demarc.com
 HYPERLINK "BLOCKED::http://www.demarc.com/"http://www.demarc.com/
 
 

-----Patch for Snort-2.4.4--
 
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c \
                snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
--- snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c 2005-03-16 \
                13:52:18.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c 2006-05-30 \
22:54:44.000000000 -0700 @@ -40,6 +40,7 @@
 
 #define URI_END  1
 #define NO_URI  -1
+#define CR_IN_URI 18 
 #define INVALID_HEX_VAL -1
 
 /**
@@ -455,6 +456,11 @@
         return URI_END;
     }
 
+ if(isspace(**ptr) )
+ {
+  return CR_IN_URI;
+ }
+
     return NO_URI;
 }
 
@@ -1345,8 +1351,21 @@
                     */
                     break;
                 }
+  else if(iRet == CR_IN_URI)
+  {
+          if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert))
+          {
+               hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert,
+                                   NULL, NULL);
+   }
+   break;
+  }
+
+
+
                 else /* NO_URI */
                 {
+
                     /*
                     **  Check for chunk encoding, because the delimiter can
                     **  also be a space, which would look like a pipeline request
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c \
                snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
                
--- snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2004-03-11 \
                14:25:53.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c \
2006-05-30 10:27:49.000000000 -0700 @@ -64,7 +64,9 @@
     {HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY,
         HI_EO_CLIENT_PROXY_USE_STR },
     {HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY,
-        HI_EO_CLIENT_WEBROOT_DIR_STR }
+        HI_EO_CLIENT_WEBROOT_DIR_STR },
+    { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY,
+        HI_EO_CLIENT_CR_IN_URI_STR },
 };
 
 static HI_EVENT_INFO anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM] = {
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h \
                snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
                
--- snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h 2004-03-11 \
                14:25:53.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h \
2006-05-25 13:01:08.000000000 -0700 @@ -24,13 +24,14 @@
 #define HI_EO_CLIENT_LARGE_CHUNK    15  /* done */
 #define HI_EO_CLIENT_PROXY_USE      16  /* done */
 #define HI_EO_CLIENT_WEBROOT_DIR    17  /* done */
+#define HI_EO_CLIENT_CR_IN_URI      18  /* done */
 
 /*
 **  IMPORTANT:
 **  Every time you add a client event, this number must be
 **  incremented.
 */
-#define HI_EO_CLIENT_EVENT_NUM      18
+#define HI_EO_CLIENT_EVENT_NUM      19
 
 /*
 **  These defines are the alert names for each event
@@ -71,6 +72,8 @@
     "(http_inspect) UNAUTHORIZED PROXY USE DETECTED"
 #define HI_EO_CLIENT_WEBROOT_DIR_STR                    \
     "(http_inspect) WEBROOT DIRECTORY TRAVERSAL"
+#define HI_EO_CLIENT_CR_IN_URI_STR                       \
+    "(http_inspect) NON-STD CARRIAGE RETURN IN URI"
 
 /*
 **  Anomalous Server Events
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h \
                snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
                
--- snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h 2005-03-16 \
                13:52:18.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h \
2006-05-30 09:44:18.000000000 -0700 @@ -113,6 +113,7 @@
     HTTPINSPECT_CONF_OPT webroot;
     HTTPINSPECT_CONF_OPT apache_whitespace;
     HTTPINSPECT_CONF_OPT iis_delimiter;
+    HTTPINSPECT_CONF_OPT non_std_cr;
     
 }  HTTPINSPECT_CONF;
 
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c \
                snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
                
--- snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c \
                2005-03-16 13:52:19.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c \
2006-05-30 23:00:25.000000000 -0700 @@ -117,6 +117,9 @@
 
     GlobalConf->global_server.non_strict = 1;
 
+    GlobalConf->global_server.non_std_cr.on = 1;
+    GlobalConf->global_server.non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
 
@@ -209,6 +212,9 @@
 
     ServerConf->tab_uri_delimiter = 1;
 
+    ServerConf->non_std_cr.on = 1;
+    ServerConf->non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
     
@@ -279,6 +285,9 @@
 
     ServerConf->non_strict = 1;
 
+    ServerConf->non_std_cr.on = 1;
+    ServerConf->non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
 
@@ -349,6 +358,9 @@
 
     ServerConf->tab_uri_delimiter = 1;
 
+    ServerConf->non_std_cr.on = 1;
+    ServerConf->non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
 
diff -Nuar snort-2.4.4/src/preprocessors/snort_httpinspect.c \
                snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
--- snort-2.4.4/src/preprocessors/snort_httpinspect.c 2005-08-23 08:52:19.000000000 \
                -0700
+++ snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c 2006-05-30 \
10:33:54.000000000 -0700 @@ -134,6 +134,7 @@
 #define GLOBAL_ALERT      "no_alerts"
 #define WEBROOT           "webroot"
 #define TAB_URI_DELIMITER "tab_uri_delimiter"
+#define NON_STD_CR    "non_std_cr"
 
 /*
 **  Alert subkeywords
@@ -1449,6 +1450,15 @@
                 return iRet;
             }
         }
+        else if(!strcmp(NON_STD_CR, pcToken))
+        {
+            ConfOpt = &ServerConf->non_std_cr;
+            if((iRet = ProcessConfOpt(ConfOpt, NON_STD_CR,
+                                      ErrorString, ErrStrLen)))
+            {
+                return iRet;
+            }
+        }
         else if(!strcmp(IIS_BACKSLASH, pcToken))
         {
             ConfOpt = &ServerConf->iis_backslash;
@@ -1583,6 +1593,7 @@
     PrintConfOpt(&ServerConf->webroot, "Web Root Traversal");
     PrintConfOpt(&ServerConf->apache_whitespace, "Apache WhiteSpace");
     PrintConfOpt(&ServerConf->iis_delimiter, "IIS Delimiter");
+    PrintConfOpt(&ServerConf->non_std_cr, "Non-Std Carriage Return");
 
     if(ServerConf->iis_unicode_map_filename)
     {
 

-----end-----


-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.0/352 - Release Date: 5/30/2006
 


[Attachment #3 (text/html)]

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1250">


<META content="MSHTML 6.00.2900.2873" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2>A large scale Snort evasion has been discovered by 
Blake Hartstein, a member of the Demarc Threat Research Team.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>The evasion technique allows an attack to bypass 
detection of "uricontent" rules by adding a carriage return to the end of a URL, 
directly before the HTTP protocol declaration.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>This affects thousands of rules in the standard 
Snort base rule sets.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>Due to the seriousness of this vulnerability, we 
have developed a working patch for public review. See below.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>This patch addresses the carriage return bug and 
should catch the known evasion attempts but further research needs to be done to 
determine if there are any other possible impacts of this bug. The detection for 
evasion is turned on by default under all profiles but can also be used as a 
server configuration option:</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>-----HTTP Inspect Server 
Configuration-----</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>non_std_cr&nbsp;&lt;yes|no&gt;</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>This option generates an alert when a non standard 
carriage return character is detected in the URI.&nbsp; </FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>-----end-----</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><BR><FONT face=Arial><FONT size=2><SPAN class=384214015-31052006>More 
information including&nbsp;a</SPAN> pre-patched tarball,&nbsp;<SPAN 
class=384214015-31052006>a simple </SPAN>proof of concept, and a copy of this 
patch can be found at <BR></FONT></FONT><A 
href="http://www.demarc.com/support/downloads/patch_20060531"><FONT face=Arial 
size=2>http://www.demarc.com/support/downloads/patch_20060531</FONT></A></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>With the release of this information we have also 
released a fix to all our Sentarus customers. If your auto-updates are turned 
on, then a patch and all related updates have already been applied, or you can 
go into your Sentarus management console and request an immediate 
update.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV>
<DIV><SPAN class=634171415-31052006><FONT face=Arial size=2>// Joel 
</FONT></SPAN></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><SPAN class=634171415-31052006><FONT face=Arial size=2>&nbsp;Joel 
Ebrahimi</FONT></SPAN></DIV>
<DIV><FONT face=Arial size=2>&nbsp;Demarc Security, Inc.<BR>&nbsp;</FONT><A 
title=mailto:jebrahimi@demarc.com 
href="BLOCKED::mailto:jebrahimi@demarc.com"><FONT 
title=mailto:jebrahimi@demarc.com face=Arial 
size=2>jebrahimi@demarc.com</FONT></A><BR><FONT face=Arial 
size=2>&nbsp;</FONT><A title=http://www.demarc.com/ 
href="BLOCKED::http://www.demarc.com/"><FONT title=http://www.demarc.com/ 
face=Arial size=2>http://www.demarc.com/</FONT></A><BR><FONT face=Arial 
size=2>&nbsp;</FONT></DIV>
<DIV>&nbsp;</DIV></DIV>
<DIV><BR><FONT face=Arial size=2>-----Patch for Snort-2.4.4--</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>diff -Nuar 
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c 
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c<BR>--- 
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c&nbsp;2005-03-16 
13:52:18.000000000 -0800<BR>+++ 
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c&nbsp;2006-05-30 
22:54:44.000000000 -0700<BR>@@ -40,6 +40,7 @@<BR>&nbsp;<BR>&nbsp;#define 
URI_END&nbsp; 1<BR>&nbsp;#define NO_URI&nbsp; -1<BR>+#define CR_IN_URI 18 
<BR>&nbsp;#define INVALID_HEX_VAL -1<BR>&nbsp;<BR>&nbsp;/**<BR>@@ -455,6 +456,11 
@@<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return 
URI_END;<BR>&nbsp;&nbsp;&nbsp;&nbsp; }<BR>&nbsp;<BR>+&nbsp;if(isspace(**ptr) 
)<BR>+&nbsp;{<BR>+&nbsp;&nbsp;return 
CR_IN_URI;<BR>+&nbsp;}<BR>+<BR>&nbsp;&nbsp;&nbsp;&nbsp; return 
NO_URI;<BR>&nbsp;}<BR>&nbsp;<BR>@@ -1345,8 +1351,21 
@@<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
                
*/<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 break;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 }<BR>+&nbsp;&nbsp;else if(iRet == 
CR_IN_URI)<BR>+&nbsp;&nbsp;{<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
&nbsp;&nbsp;if(hi_eo_generate_event(Session,ServerConf-&gt;non_std_cr.alert))<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 &nbsp;&nbsp;{<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 &nbsp;&nbsp;&nbsp;hi_eo_client_event_log(Session,ServerConf-&gt;non_std_cr.alert,<BR> \
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;& \
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 NULL, 
NULL);<BR>+&nbsp;&nbsp;&nbsp;}<BR>+&nbsp;&nbsp;&nbsp;break;<BR>+&nbsp;&nbsp;}<BR>+<BR> \
+<BR>+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 else /* NO_URI 
*/<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 {<BR>+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 /*<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
                
**&nbsp; Check for chunk encoding, because the delimiter 
can<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
                
**&nbsp; also be a space, which would look like a pipeline request<BR>diff -Nuar 
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c<BR>--- 
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c&nbsp;2004-03-11 
14:25:53.000000000 -0800<BR>+++ 
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c&nbsp;2006-05-30 \
 10:27:49.000000000 -0700<BR>@@ -64,7 +64,9 @@<BR>&nbsp;&nbsp;&nbsp;&nbsp; 
{HI_EO_CLIENT_PROXY_USE, 
HI_EO_LOW_PRIORITY,<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
HI_EO_CLIENT_PROXY_USE_STR },<BR>&nbsp;&nbsp;&nbsp;&nbsp; 
{HI_EO_CLIENT_WEBROOT_DIR, 
HI_EO_HIGH_PRIORITY,<BR>-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
HI_EO_CLIENT_WEBROOT_DIR_STR }<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
HI_EO_CLIENT_WEBROOT_DIR_STR },<BR>+&nbsp;&nbsp;&nbsp; { HI_EO_CLIENT_CR_IN_URI, 
HI_EO_MED_PRIORITY,<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
HI_EO_CLIENT_CR_IN_URI_STR },<BR>&nbsp;};<BR>&nbsp;<BR>&nbsp;static 
HI_EVENT_INFO anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM] = {<BR>diff 
-Nuar snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h 
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h<BR>--- 
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h&nbsp;2004-03-11 
14:25:53.000000000 -0800<BR>+++ 
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h&nbsp;2006-05-25 \
 13:01:08.000000000 -0700<BR>@@ -24,13 +24,14 @@<BR>&nbsp;#define 
HI_EO_CLIENT_LARGE_CHUNK&nbsp;&nbsp;&nbsp; 15&nbsp; /* done */<BR>&nbsp;#define 
HI_EO_CLIENT_PROXY_USE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 16&nbsp; /* done 
*/<BR>&nbsp;#define HI_EO_CLIENT_WEBROOT_DIR&nbsp;&nbsp;&nbsp; 17&nbsp; /* done 
*/<BR>+#define HI_EO_CLIENT_CR_IN_URI&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 18&nbsp; /* 
done */<BR>&nbsp;<BR>&nbsp;/*<BR>&nbsp;**&nbsp; IMPORTANT:<BR>&nbsp;**&nbsp; 
Every time you add a client event, this number must be<BR>&nbsp;**&nbsp; 
incremented.<BR>&nbsp;*/<BR>-#define 
HI_EO_CLIENT_EVENT_NUM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 18<BR>+#define 
HI_EO_CLIENT_EVENT_NUM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
19<BR>&nbsp;<BR>&nbsp;/*<BR>&nbsp;**&nbsp; These defines are the alert names for 
each event<BR>@@ -71,6 +72,8 @@<BR>&nbsp;&nbsp;&nbsp;&nbsp; "(http_inspect) 
UNAUTHORIZED PROXY USE DETECTED"<BR>&nbsp;#define 
HI_EO_CLIENT_WEBROOT_DIR_STR&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 \<BR>&nbsp;&nbsp;&nbsp;&nbsp; "(http_inspect) WEBROOT DIRECTORY 
TRAVERSAL"<BR>+#define 
HI_EO_CLIENT_CR_IN_URI_STR&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 \<BR>+&nbsp;&nbsp;&nbsp; "(http_inspect) NON-STD CARRIAGE RETURN IN 
URI"<BR>&nbsp;<BR>&nbsp;/*<BR>&nbsp;**&nbsp; Anomalous Server Events<BR>diff 
-Nuar snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h 
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h<BR>--- 
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h&nbsp;2005-03-16 
13:52:18.000000000 -0800<BR>+++ 
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h&nbsp;2006-05-30 \
 09:44:18.000000000 -0700<BR>@@ -113,6 +113,7 @@<BR>&nbsp;&nbsp;&nbsp;&nbsp; 
HTTPINSPECT_CONF_OPT webroot;<BR>&nbsp;&nbsp;&nbsp;&nbsp; HTTPINSPECT_CONF_OPT 
apache_whitespace;<BR>&nbsp;&nbsp;&nbsp;&nbsp; HTTPINSPECT_CONF_OPT 
iis_delimiter;<BR>+&nbsp;&nbsp;&nbsp; HTTPINSPECT_CONF_OPT 
non_std_cr;<BR>&nbsp;&nbsp;&nbsp;&nbsp; <BR>&nbsp;}&nbsp; 
HTTPINSPECT_CONF;<BR>&nbsp;<BR>diff -Nuar 
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c<BR>--- \
 snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c&nbsp;2005-03-16 \
 13:52:19.000000000 -0800<BR>+++ 
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c&nbsp;2006-05-30 \
 23:00:25.000000000 -0700<BR>@@ -117,6 +117,9 
@@<BR>&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp; GlobalConf-&gt;global_server.non_strict 
= 1;<BR>&nbsp;<BR>+&nbsp;&nbsp;&nbsp; GlobalConf-&gt;global_server.non_std_cr.on 
= 1;<BR>+&nbsp;&nbsp;&nbsp; GlobalConf-&gt;global_server.non_std_cr.alert = 
1;<BR>+<BR>&nbsp;&nbsp;&nbsp;&nbsp; return 
HI_SUCCESS;<BR>&nbsp;}<BR>&nbsp;<BR>@@ -209,6 +212,9 
@@<BR>&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp; ServerConf-&gt;tab_uri_delimiter = 
1;<BR>&nbsp;<BR>+&nbsp;&nbsp;&nbsp; ServerConf-&gt;non_std_cr.on = 
1;<BR>+&nbsp;&nbsp;&nbsp; ServerConf-&gt;non_std_cr.alert = 
1;<BR>+<BR>&nbsp;&nbsp;&nbsp;&nbsp; return 
HI_SUCCESS;<BR>&nbsp;}<BR>&nbsp;&nbsp;&nbsp;&nbsp; <BR>@@ -279,6 +285,9 
@@<BR>&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp; ServerConf-&gt;non_strict = 
1;<BR>&nbsp;<BR>+&nbsp;&nbsp;&nbsp; ServerConf-&gt;non_std_cr.on = 
1;<BR>+&nbsp;&nbsp;&nbsp; ServerConf-&gt;non_std_cr.alert = 
1;<BR>+<BR>&nbsp;&nbsp;&nbsp;&nbsp; return 
HI_SUCCESS;<BR>&nbsp;}<BR>&nbsp;<BR>@@ -349,6 +358,9 
@@<BR>&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp; ServerConf-&gt;tab_uri_delimiter = 
1;<BR>&nbsp;<BR>+&nbsp;&nbsp;&nbsp; ServerConf-&gt;non_std_cr.on = 
1;<BR>+&nbsp;&nbsp;&nbsp; ServerConf-&gt;non_std_cr.alert = 
1;<BR>+<BR>&nbsp;&nbsp;&nbsp;&nbsp; return 
HI_SUCCESS;<BR>&nbsp;}<BR>&nbsp;<BR>diff -Nuar 
snort-2.4.4/src/preprocessors/snort_httpinspect.c 
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c<BR>--- 
snort-2.4.4/src/preprocessors/snort_httpinspect.c&nbsp;2005-08-23 
08:52:19.000000000 -0700<BR>+++ 
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c&nbsp;2006-05-30 
10:33:54.000000000 -0700<BR>@@ -134,6 +134,7 @@<BR>&nbsp;#define 
GLOBAL_ALERT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "no_alerts"<BR>&nbsp;#define 
WEBROOT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
"webroot"<BR>&nbsp;#define TAB_URI_DELIMITER "tab_uri_delimiter"<BR>+#define 
NON_STD_CR&nbsp;&nbsp;&nbsp; 
"non_std_cr"<BR>&nbsp;<BR>&nbsp;/*<BR>&nbsp;**&nbsp; Alert subkeywords<BR>@@ 
-1449,6 +1450,15 
@@<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 return 
iRet;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
}<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
}<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; else if(!strcmp(NON_STD_CR, 
pcToken))<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
{<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ConfOpt 
= 
&amp;ServerConf-&gt;non_std_cr;<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 if((iRet = ProcessConfOpt(ConfOpt, 
NON_STD_CR,<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs \
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 ErrorString, 
ErrStrLen)))<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
{<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
 return 
iRet;<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
}<BR>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
}<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; else 
if(!strcmp(IIS_BACKSLASH, 
pcToken))<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
{<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
ConfOpt = &amp;ServerConf-&gt;iis_backslash;<BR>@@ -1583,6 +1593,7 
@@<BR>&nbsp;&nbsp;&nbsp;&nbsp; PrintConfOpt(&amp;ServerConf-&gt;webroot, "Web 
Root Traversal");<BR>&nbsp;&nbsp;&nbsp;&nbsp; 
PrintConfOpt(&amp;ServerConf-&gt;apache_whitespace, "Apache 
WhiteSpace");<BR>&nbsp;&nbsp;&nbsp;&nbsp; 
PrintConfOpt(&amp;ServerConf-&gt;iis_delimiter, "IIS 
Delimiter");<BR>+&nbsp;&nbsp;&nbsp; PrintConfOpt(&amp;ServerConf-&gt;non_std_cr, 
"Non-Std Carriage Return");<BR>&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp; 
if(ServerConf-&gt;iis_unicode_map_filename)<BR>&nbsp;&nbsp;&nbsp;&nbsp; 
{</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><BR><FONT face=Arial size=2>-----end-----<BR></FONT></DIV></BODY></HTML>
<BR>

<P><FONT SIZE=2>--<BR>
No virus found in this outgoing message.<BR>
Checked by AVG Free Edition.<BR>
Version: 7.1.394 / Virus Database: 268.8.0/352 - Release Date: 5/30/2006<BR>
</FONT> </P>


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic