Discussion:
[Snort-users] consensus on BASE
John Newman
2006-05-26 16:43:56 UTC
Is the consensus that BASE is the best web front-end for snort out there (and I mean free, open source stuff)? What are people's experiences with sguil (which I realize is not web based).

thanks,

--
John Newman
Systems Administrator, WebXess Inc

-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-***@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Drew Burchett
2006-05-27 11:21:08 UTC
While I can agree with most of what was said here, I can see one flaw with Sguil. I don't run any Linux boxes with a GUI frontend, and I don't have the resources to load one just to run Sguil. I'm using BASE to help fine tune Snort as it's good to help weed out false positives and for a good running overview of what is happening in realtime. I combine that with Snortalog for daily overviews of my data and then use other programs to provide email and/or pager alerts on events that I feel are important enough to draw my immediate attention.

I guess if BASE has one fatal flaw, there's no ability to see an IP conversation that triggered an alert. For example, if you see an ATTACK RESPONSE 403 FORBIDDEN alert, there's no good way to tell if it was malicious or if some dummy just typed in the wrong URL.

Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone: (270)527-3293
Fax: (270)527-3132
-----Original Message-----
Sent: Friday, May 26, 2006 12:54 PM
Subject: Re: [Snort-users] consensus on BASE
I think Base is probably the most popular open source front-end (although I don't have any data to back that up.) It's certainly easy to install and use. The problem with Base is that it gives you a sliding window of your events data, which tends to obscure real-time events from view unless they are large enough to draw attention (or you just happen to notice them.) So, it's good for summarizing what's going on, but not as good for real-time analysis of discrete events.

Sguil is very difficult to install. It requires quite a bit of preparation and installation of ancillary apps to make it work. (I'm trying to solve that on FreeBSD by developing ports for it that take care of all the dependencies.) That's a consequence of the decision to use tcl as the programming language, since it's not commonly installed on most platforms. (It also uses some other apps which are not so common; sancp, p0f, tcpdump.)

Once it's installed and configured (which is also a bit of work and requires a clear understanding of what you're doing), it provides a completely different, more detailed look at the data, in real time. It's easy to pick out events that need immediate followup and drill down into packets to see what's really going on.

So, I would say, Base is good for folks new to snort and especially new to admining OSes, and sguil is good for folks who clearly understand what they're doing and want as much information about events as they can get.
--
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Bamm Visscher
2006-05-27 15:06:17 UTC
The Sguil client runs fine on any OS that supports tcl. Using the ActiveState [0] packages, it's actually easier to run the client on Windows than it is Linux. ActiveState also has packages available for AIX, HP-UX, Linux, Mac OS X (both for PowerPC and x86), and Solaris. Here is an old post on Richard's TaoSecurity blog [1] that explains the installation process.

Bammkkk

[0] http://www.activestate.com/Products/ActiveTcl
[1] http://taosecurity.blogspot.com/2003/07/want-to-become-f8-monkey-my-friend.html
--
sguil - The Analyst Console for NSM
http://sguil.sf.net


Michael Scheidell
2006-05-27 12:10:49 UTC
-----Original Message-----
Drew Burchett
Sent: Saturday, May 27, 2006 7:21 AM
Subject: RE: [Snort-users] consensus on BASE

I guess if BASE has one fatal flaw, there's no ability to see an IP conversation that triggered an alert. For example, if you see an ATTACK RESPONSE 403 FORBIDDEN alert, there's no good way to tell if it was malicious or if some dummy just typed in the wrong URL.
Then there is no flaw in BASE, since it only records what snort gave it. NOTHING can tell you what caused the 403 error unless you also correlate it to syslogs for the web server.

(which you can do with base if you want to parse syslogs and send them to base)

I think BASE is great, except for the searching capabilities. They are really poor. That makes it hard to do anything but look at 'top 5' type events.

--
Michael Scheidell, CTO
561-999-5000, ext 113
SECNAP Network Security Corporation
MediaPro web based privacy and security training
http://www.secnap.com/events.php?pg=1

Bamm Visscher
2006-05-27 15:31:52 UTC
I expect Drew was commenting more on the suite of tools that Sguil uses. One of those tools is used to collect full content data. With the full content logged, the analyst has the ability to quickly retrieve all the logged packets and view [0] the reconstructed session.

Obviously BASE was never designed to do this. BASE is what I would call an 'alert browser'. That is not meant to be derogatory, it is just what it has been designed to do and it can definitely fulfill the needs of many, especially those that administer the systems and networks they're watching.

Sguil was designed to support network security monitoring [1]. Its benefit will be seen by those of us who are monitoring large networks and systems we don't control.

There are other projects that attempt to correlate and prioritize various events using system logs, firewalls, audit info, etc. OSSIM [1] is one such project. Sguil is NOT a SIM [2,3].

Bammkkk

[0] http://sguil.sourceforge.net/images/0.6/sguil_transcript.png
[1] http://www.taosecurity.com/books.html (TAO of Network Security Monitoring)
[2] http://infosecpotpourri.blogspot.com/2006/01/sguil-is-not-sim.html
[3] http://taosecurity.blogspot.com/2006/01/in-defense-of-david-bianco-id-like-to.html
--
sguil - The Analyst Console for NSM
http://sguil.sf.net

John Hally
2006-06-01 12:22:16 UTC
I run both BASE and commercial Aanval. Aanval is a very good console for the price ($99/sensor) and has much more reporting features and such.

I agree w/the observations of sguil that it can be a pain to install.

James Affeld
2006-06-02 02:38:20 UTC
I love sguil. It makes it easy to get the information you most often want, and possible to get the rest, and it scales to millions of events.
Date: Thu, 1 Jun 2006 08:52:55 -0600
Subject: [Snort-users] Snort In-Line on a Linux host running as a Bridge

All,

I was wondering if anyone has any documentation on using Snort In-Line on a Linux host acting as a bridge? I have never done this before (always use ip forwarding) but the project I am on is requiring that I bridge.

If anyone can point me in the right direction, I would appreciate it.

Thx,
Sam
Date: Thu, 1 Jun 2006 09:19:58 -0700
Subject: [Snort-users] RE: [Snort-devel] Possible Evasion in http_inspect
It doesn't appear that the email I sent out prior to this to both the devel list and users list ever made it through entirely (I see it on the marc mirror but I never got it sent to me and it never seems to have made it to users).
Since the bypass is trivial to implement I would hope that this patch could get reviewed by the devel/user community asap.
Reposting yesterday's message below.
---------------------------------------------------------
A large scale Snort evasion has been discovered by Blake Hartstein, a member of the Demarc Threat Research Team.

The evasion technique allows an attack to bypass detection of "uricontent" rules by adding a carriage return to the end of a URL, directly before the HTTP protocol declaration.

This affects thousands of rules in the standard Snort base rule sets.

Due to the seriousness of this vulnerability, we have developed a working patch for public review. See below.

This patch addresses the carriage return bug and should catch the known evasion attempts but further research needs to be done to determine if there are any other possible impacts of this bug. The detection for evasion is turned on by default under all profiles but can also be used as a server configuration option:

-----HTTP Inspect Server Configuration-----

non_std_cr <yes|no>

This option generates an alert when a non standard carriage return character is detected in the URI.

-----end-----

More information including a pre-patched tarball, a simple proof of concept, and a copy of this patch can be found at
http://www.demarc.com/support/downloads/patch_20060531

With the release of this information we have also released a fix to all our Sentarus customers. If your auto-updates are turned on, then a patch and all related updates have already been applied, or you can go into your Sentarus management console and request an immediate update.

// Joel

Joel Ebrahimi
Demarc Security, Inc.
http://www.demarc.com/
-----Patch for Snort-2.4.4--
=20
diff -Nuar
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
---
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
=
2005-03-16 13:52:18.000000000 -0800
+++
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
=
2006-05-30 22:54:44.000000000 -0700
@@ -40,6 +40,7 @@
=20
#define URI_END 1
#define NO_URI -1
+#define CR_IN_URI 18=20
#define INVALID_HEX_VAL -1
=20
/**
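Review bot: `#define CR_IN_URI 18` is placed beside URI_END (1) and NO_URI (-1), which are parse-status return codes, yet 18 is the same number given to the HI_EO_CLIENT_CR_IN_URI event id in the hi_eo_events.h hunk below; those are two unrelated namespaces and reusing the value invites confusion when someone later compares a status code to an event id. Use a small distinct status value with a comment stating what it signals, and drop the trailing encoded space (`=20`) on that line so the applied source has no trailing whitespace.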
@@ -455,6 +456,11 @@
return URI_END;
}
=20
+ if(isspace(**ptr) )
+ {
+ return CR_IN_URI;
+ }
+
return NO_URI;
}
=20
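Review bot: the new `if(isspace(**ptr) )` test fires on any whitespace byte (space, tab, LF, VT, FF as well as CR), so a return value named CR_IN_URI and an alert worded "NON-STD CARRIAGE RETURN IN URI" will also be raised for other characters, and tab handling is already a separate option (tab_uri_delimiter) in the configuration hunks below; either test for '\r' explicitly or rename the code and the alert text to say whitespace. Also pass the byte as `(unsigned char)**ptr`: isspace() has undefined behaviour for negative char values, which high-bit bytes in a URI produce on platforms where char is signed.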
@@ -1345,8 +1351,21 @@
*/
break;
}
+ else if(iRet =3D=3D CR_IN_URI)
+ {
+ =
if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert))
+ {
+ =
hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert,
+ NULL, NULL);
+ }
+ break;
+ }
+
+
+
else /* NO_URI */
{
+
/*
** Check for chunk encoding,
because the delimiter =
can
** also be a space, which
would look like a =
pipeline request
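Review bot: the `else if(iRet =3D=3D CR_IN_URI)` branch logs the event and then `break`s, so parsing stops at the carriage return and the URI that preceded it is never handed on for normalization; this flags the evasion attempt, which is what the message promises, but it does not make the bypassed uricontent rules match, so the commit text should say so plainly. Consider also normalizing the URI up to the offending byte before breaking, so content rules see it. Separately, the three empty `+` lines before `else /* NO_URI */` and the lone `+` inserted before the `/*` comment add whitespace-only changes to the diff; remove them.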
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
---
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
=
2004-03-11 14:25:53.000000000 -0800
+++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
2006-05-30 10:27:49.000000000 -0700
@@ -64,7 +64,9 @@
{HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY,
HI_EO_CLIENT_PROXY_USE_STR },
{HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY,
- HI_EO_CLIENT_WEBROOT_DIR_STR }
+ HI_EO_CLIENT_WEBROOT_DIR_STR },
+ { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY,
+ HI_EO_CLIENT_CR_IN_URI_STR },
};
=20
static HI_EVENT_INFO =
anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM]
=3D {
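Review bot: the new `{ HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY, HI_EO_CLIENT_CR_IN_URI_STR }` entry is appended last, which lines up with the event id 18 and the HI_EO_CLIENT_EVENT_NUM bump to 19 in the header hunk; if this table is indexed by event id, add a comment here that its order must track the defines, since nothing in the code enforces it.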
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
---
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
=
2004-03-11 14:25:53.000000000 -0800
+++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
=
2006-05-25 13:01:08.000000000 -0700
@@ -24,13 +24,14 @@
#define HI_EO_CLIENT_LARGE_CHUNK 15 /* done */
#define HI_EO_CLIENT_PROXY_USE 16 /* done */
#define HI_EO_CLIENT_WEBROOT_DIR 17 /* done */
+#define HI_EO_CLIENT_CR_IN_URI 18 /* done */
=20
/*
** Every time you add a client event, this number
must be
** incremented.
*/
-#define HI_EO_CLIENT_EVENT_NUM 18
+#define HI_EO_CLIENT_EVENT_NUM 19
=20
/*
** These defines are the alert names for each
event
@@ -71,6 +72,8 @@
"(http_inspect) UNAUTHORIZED PROXY USE
DETECTED"
#define HI_EO_CLIENT_WEBROOT_DIR_STR
\
"(http_inspect) WEBROOT DIRECTORY TRAVERSAL"
+#define HI_EO_CLIENT_CR_IN_URI_STR
\
+ "(http_inspect) NON-STD CARRIAGE RETURN IN URI"
=20
/*
** Anomalous Server Events
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
---
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
=
2005-03-16 13:52:18.000000000 -0800
+++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
=
2006-05-30 09:44:18.000000000 -0700
@@ -113,6 +113,7 @@
HTTPINSPECT_CONF_OPT webroot;
HTTPINSPECT_CONF_OPT apache_whitespace;
HTTPINSPECT_CONF_OPT iis_delimiter;
+ HTTPINSPECT_CONF_OPT non_std_cr;
=20
} HTTPINSPECT_CONF;
=20
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
fig.c
--- =
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
=
2005-03-16 13:52:19.000000000 -0800
+++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
fig.c 2006-05-30 23:00:25.000000000 -0700
@@ -117,6 +117,9 @@
=20
GlobalConf->global_server.non_strict =3D 1;
=20
+ GlobalConf->global_server.non_std_cr.on =3D 1;
+ GlobalConf->global_server.non_std_cr.alert =3D
1;
+
return HI_SUCCESS;
}
=20
@@ -209,6 +212,9 @@
=20
ServerConf->tab_uri_delimiter =3D 1;
=20
+ ServerConf->non_std_cr.on =3D 1;
+ ServerConf->non_std_cr.alert =3D 1;
+
return HI_SUCCESS;
}
=20
@@ -279,6 +285,9 @@
=20
ServerConf->non_strict =3D 1;
=20
+ ServerConf->non_std_cr.on =3D 1;
+ ServerConf->non_std_cr.alert =3D 1;
+
return HI_SUCCESS;
}
=20
@@ -349,6 +358,9 @@
=20
ServerConf->tab_uri_delimiter =3D 1;
=20
+ ServerConf->non_std_cr.on =3D 1;
+ ServerConf->non_std_cr.alert =3D 1;
+
return HI_SUCCESS;
}
=20
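Review bot: the pair `ServerConf->non_std_cr.on =3D 1; ServerConf->non_std_cr.alert =3D 1;` is repeated verbatim in four profile-initialization hunks plus the global_server default above. The Sourcefire note quoted further down says this evasion case only applies to the Apache profiles, so enabling the alert in every profile by default deserves either a comment justifying it or a narrower default; at minimum, move the repeated defaults into one shared initializer so the five copies cannot drift apart.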
diff -Nuar
snort-2.4.4/src/preprocessors/snort_httpinspect.c =
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
---
snort-2.4.4/src/preprocessors/snort_httpinspect.c
2005-08-23 =
08:52:19.000000000 -0700
+++
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
2006-05-30 =
10:33:54.000000000 -0700
@@ -134,6 +134,7 @@
#define GLOBAL_ALERT "no_alerts"
#define WEBROOT "webroot"
#define TAB_URI_DELIMITER "tab_uri_delimiter"
+#define NON_STD_CR "non_std_cr"
=20
/*
** Alert subkeywords
@@ -1449,6 +1450,15 @@
return iRet;
}
}
+ else if(!strcmp(NON_STD_CR, pcToken))
+ {
+ ConfOpt =3D &ServerConf->non_std_cr;
+ if((iRet =3D ProcessConfOpt(ConfOpt,
NON_STD_CR,
+ ErrorString,
ErrStrLen)))
+ {
+ return iRet;
+ }
+ }
else if(!strcmp(IIS_BACKSLASH, pcToken))
{
ConfOpt =3D &ServerConf->iis_backslash;
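Review bot: the `else if(!strcmp(NON_STD_CR, pcToken))` branch follows the existing ProcessConfOpt pattern and looks correct, but the user-facing description of `non_std_cr <yes|no>` appears only in the e-mail text above and not in the patch; include the corresponding documentation change (the HTTP Inspect server configuration section) in the diff so the option ships documented.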
@@ -1583,6 +1593,7 @@
PrintConfOpt(&ServerConf->webroot, "Web Root
Traversal");
PrintConfOpt(&ServerConf->apache_whitespace,
"Apache WhiteSpace");
PrintConfOpt(&ServerConf->iis_delimiter, "IIS
Delimiter");
+ PrintConfOpt(&ServerConf->non_std_cr, "Non-Std
Carriage Return");
=20
if(ServerConf->iis_unicode_map_filename)
{
=20
-----end-----

-----Original Message-----
On Behalf Of Jennifer Steffens
Sent: Wednesday, May 31, 2006 3:28 PM
Subject: [Snort-devel] Possible Evasion in http_inspect

Sourcefire is aware of a possible Snort evasion that exists in the http_inspect preprocessor. This evasion case only applies to protected Apache web servers. We have prepared fixes for both the 2.4 and 2.6 branches and will have fully tested releases, including binaries, available for both on Monday, June 5th.

The Apache web server supports special characters in HTTP requests that do not affect the processing of the particular request. The current target-based profiles for Apache in the http_inspect preprocessor do not properly handle these requests, resulting in the possibility that an attacker can bypass detection of rules that use the "uricontent" keyword by embedding special characters in a HTTP request.

It is important to note that this is an evasion and not a vulnerability. This means that while it is possible for an attacker to bypass detection, Snort sensors and the networks they protect are not at a heightened risk of other attacks.

Sourcefire has prepared fixes and is currently finalizing a complete round of testing to ensure that the fixes not only solve the issue at hand but do not create new bugs as well. The following releases, including binaries for Linux and Windows deployments, will be available on Monday,

* Snort v2.4.5
* Snort v2.6.0 final

Any questions regarding these releases can be sent to

Thanks,
Jennifer

--
Jennifer S. Steffens
Director, Product Management - Snort
Sourcefire - Security for the Real World
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org
------_=_NextPart_001_01C68597.3A19080F
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type"
CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange
Server version =
6.5.7638.1">
<TITLE>RE: [Snort-devel] Possible Evasion in
http_inspect</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=3D2>It doesnt appear that the email I
sent out prior to =
this to both the devel list and users list ever made
it through =
entirely( I see it on the marc mirror but I never
got it sent to me and =
it never seems to have made it to users).
Since the bypass is trivial to implement I would hope that this patch could get reviewed by the devel/user community asap.
Reposting yesterday's message below.
----------------------------------------------------------

A large scale Snort evasion has been discovered by Blake Hartstein, a member of the Demarc Threat Research Team.

The evasion technique allows an attack to bypass detection of "uricontent" rules by adding a carriage return to the end of a URL, directly before the HTTP protocol declaration.

This affects thousands of rules in the standard Snort base rule sets.

Due to the seriousness of this vulnerability, we have developed a working patch for public review. See below.

This patch addresses the carriage return bug and should catch the known evasion attempts but further research needs to be done to determine if there are any other possible impacts of this bug. The detection for evasion is turned on by default under all profiles but can also be used as a server configuration option:

-----HTTP Inspect Server Configuration-----


This option generates an alert when a non standard carriage return character is detected in the URI.

-----end-----


More information including a pre-patched tarball, simple proof of concept, and a copy of this patch can be found at
http://www.demarc.com/support/downloads/patch_20060531

With the release of this information we have also released a fix to all our Sentarus customers. If your auto-updates are turned on, then a patch and all related updates have already been applied or you can go into your Sentarus management console and request an immediate update.


// Joel

 Joel Ebrahimi
 Demarc Security, Inc.
 http://www.demarc.com/



-----Patch for Snort-2.4.4--

diff -Nua
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c<BR
--
snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.
2005-03-16 13:52:18.000000000 -0800<BR
++
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.
2006-05-30 22:54:44.000000000 -0700<BR
@@ -40,6 +40,7 @@<BR
<BR
&nbsp;#define URI_END&nbsp; 1<BR
&nbsp;#define NO_URI&nbsp; -1<BR
+#define CR_IN_URI 18<BR
&nbsp;#define INVALID_HEX_VAL -1<BR
<BR
&nbsp;/**<BR
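Review bot: `CR_IN_URI` is given the value 18, the same number the hi_eo_events.h hunk assigns to `HI_EO_CLIENT_CR_IN_URI`, but the two are unrelated: this one is a return code alongside `URI_END 1` and `NO_URI -1`, the other an event id. Add a comment saying so, or pick a small value such as 2, so nobody later assumes the two must stay in sync.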
@@ -455,6 +456,11 @@<BR
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
return URI_END;<BR
&nbsp;&nbsp;&nbsp;&nbsp; }<BR
<BR
+ if(isspace(**ptr) )<BR
+ {<BR
+&nbsp; return CR_IN_URI;<BR
+ }<BR
+<BR
&nbsp;&nbsp;&nbsp;&nbsp; return NO_URI;<BR
&nbsp;}<BR
<BR
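Review bot: `isspace(**ptr)` is true for space, tab, LF, VT, FF and CR alike, so this new branch returns `CR_IN_URI` for any of them, not only for the carriage return that the constant and the alert text ("NON-STD CARRIAGE RETURN IN URI") name. Either test `**ptr == '\r'` explicitly or rename the return code and alert to cover all non-standard whitespace. Also confirm that hi_client.c includes `<ctype.h>` and that the byte reaches `isspace` as an unsigned char value, since calling it on a negative `char` is undefined behaviour.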
@@ -1345,8 +1351,21 @@<BR
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
*/<BR
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
break;<BR
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp; }<BR
+&nbsp; else if(iRet =3D=3D CR_IN_URI)<BR
+&nbsp; {<BR
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
if(hi_eo_generate_event(Session,ServerConf-&gt;non_std_cr.alert))<BR

+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
{<BR
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;
hi_eo_client_event_log(Session,ServerConf-&gt;non_std_cr.alert,<BR

+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&

nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
NULL,
NULL);<BR
+&nbsp;&nbsp; }<BR
+&nbsp;&nbsp; break;<BR
+&nbsp; }<BR
+<BR
+<BR
+<BR
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp; else /* NO_URI */<BR
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp; {<BR
+<BR
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
/*<BR
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
**&nbsp; Check for chunk
encoding, because the delimiter can<BR
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
**&nbsp; also be a =
space, which would look like a pipeline request<BR>
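Review bot: the new `else if(iRet == CR_IN_URI)` branch logs the event and then `break`s, and nothing in the hunk records where the URI ends; since the message says the goal is to catch the evasion and not only to alert on it, confirm that the URI end is set at the carriage return before the `break` (or fall through to the code that does so), otherwise the alert fires but the `uricontent` rules still have no URI to match against. The three blank `+` lines before `else /* NO_URI */` are stray whitespace and should be dropped.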
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
<BR>
---
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
=
2004-03-11 14:25:53.000000000 -0800<BR>
+++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c=
2006-05-30 10:27:49.000000000 -0700<BR>
@@ -64,7 +64,9 @@<BR>
&nbsp;&nbsp;&nbsp;&nbsp; {HI_EO_CLIENT_PROXY_USE, =
HI_EO_LOW_PRIORITY,<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
HI_EO_CLIENT_PROXY_USE_STR },<BR>
&nbsp;&nbsp;&nbsp;&nbsp; {HI_EO_CLIENT_WEBROOT_DIR,
=
HI_EO_HIGH_PRIORITY,<BR>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
HI_EO_CLIENT_WEBROOT_DIR_STR =
}<BR>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
HI_EO_CLIENT_WEBROOT_DIR_STR =
},<BR>
+&nbsp;&nbsp;&nbsp; { HI_EO_CLIENT_CR_IN_URI,
HI_EO_MED_PRIORITY,<BR>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
HI_EO_CLIENT_CR_IN_URI_STR =
},<BR>
&nbsp;};<BR>
<BR>
&nbsp;static HI_EVENT_INFO =
anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM]
=3D {<BR>
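Review bot: the new `{ HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY, HI_EO_CLIENT_CR_IN_URI_STR }` entry is appended last, which is only correct if the client event table is indexed by event id (as the `[HI_EO_CLIENT_EVENT_NUM]`-style sizing used for `anom_server_event_info` suggests) and because `HI_EO_CLIENT_CR_IN_URI` is 18, the id right after `HI_EO_CLIENT_WEBROOT_DIR 17`; a one-line comment that table order must follow the event numbers would help the next person who adds an event. A word on why this event is medium priority, when its neighbours in this hunk are low and high, would also belong in the message.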
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h<B=
R>
---
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
=
2004-03-11 14:25:53.000000000 -0800<BR>
+++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
=
2006-05-25 13:01:08.000000000 -0700<BR>
@@ -24,13 +24,14 @@<BR>
&nbsp;#define
HI_EO_CLIENT_LARGE_CHUNK&nbsp;&nbsp;&nbsp; 15&nbsp;
/* =
done */<BR>
&nbsp;#define
HI_EO_CLIENT_PROXY_USE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
=
16&nbsp; /* done */<BR>
&nbsp;#define
HI_EO_CLIENT_WEBROOT_DIR&nbsp;&nbsp;&nbsp; 17&nbsp;
/* =
done */<BR>
+#define
HI_EO_CLIENT_CR_IN_URI&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
18&nbsp; =
/* done */<BR>
<BR>
&nbsp;/*<BR>
&nbsp;**&nbsp; IMPORTANT:<BR>
&nbsp;**&nbsp; Every time you add a client event,
this number must =
be<BR>
&nbsp;**&nbsp; incremented.<BR>
&nbsp;*/<BR>
-#define
HI_EO_CLIENT_EVENT_NUM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
18<BR>
+#define
HI_EO_CLIENT_EVENT_NUM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
19<BR>
<BR>
&nbsp;/*<BR>
&nbsp;**&nbsp; These defines are the alert names for
each event<BR>
@@ -71,6 +72,8 @@<BR>
&nbsp;&nbsp;&nbsp;&nbsp; &quot;(http_inspect)
UNAUTHORIZED PROXY USE =
DETECTED&quot;<BR>
&nbsp;#define =
HI_EO_CLIENT_WEBROOT_DIR_STR&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
=
\<BR>
&nbsp;&nbsp;&nbsp;&nbsp; &quot;(http_inspect)
WEBROOT DIRECTORY =
TRAVERSAL&quot;<BR>
+#define =
HI_EO_CLIENT_CR_IN_URI_STR&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp; \<BR>
+&nbsp;&nbsp;&nbsp; &quot;(http_inspect) NON-STD
CARRIAGE RETURN IN =
URI&quot;<BR>
<BR>
&nbsp;/*<BR>
&nbsp;**&nbsp; Anomalous Server Events<BR>
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h<B=
R>
---
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
=
2005-03-16 13:52:18.000000000 -0800<BR>
+++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
=
2006-05-30 09:44:18.000000000 -0700<BR>
@@ -113,6 +113,7 @@<BR>
&nbsp;&nbsp;&nbsp;&nbsp; HTTPINSPECT_CONF_OPT
webroot;<BR>
&nbsp;&nbsp;&nbsp;&nbsp; HTTPINSPECT_CONF_OPT
apache_whitespace;<BR>
&nbsp;&nbsp;&nbsp;&nbsp; HTTPINSPECT_CONF_OPT
iis_delimiter;<BR>
+&nbsp;&nbsp;&nbsp; HTTPINSPECT_CONF_OPT
non_std_cr;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;<BR>
&nbsp;}&nbsp; HTTPINSPECT_CONF;<BR>
<BR>
diff -Nuar =
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
=
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
fig.c<BR>
--- =
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
=
2005-03-16 13:52:19.000000000 -0800<BR>
+++ =
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_con=
fig.c 2006-05-30 23:00:25.000000000 -0700<BR>
@@ -117,6 +117,9 @@<BR>
<BR>
&nbsp;&nbsp;&nbsp;&nbsp;
1;<BR>
<BR>
+&nbsp;&nbsp;&nbsp;
1;<BR>
+&nbsp;&nbsp;&nbsp;
1;<BR>
+<BR>
&nbsp;&nbsp;&nbsp;&nbsp; return HI_SUCCESS;<BR>
&nbsp;}<BR>
<BR>
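Review bot: in this hunk and in the three that follow for hi_ui_config.c, the left-hand side of every added assignment is missing from the posted patch (only `1;` and `=3D 1;` survive), most likely because the HTML conversion of the mail swallowed the `->` member access. These hunks cannot be applied or reviewed as posted; please attach the diff as a plain-text file, which would also get rid of the `=3D` quoted-printable escapes in the other hunks.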
@@ -209,6 +212,9 @@<BR>
<BR>
&nbsp;&nbsp;&nbsp;&nbsp;
<BR>
1;<BR>
=3D 1;<BR>
+<BR>
&nbsp;&nbsp;&nbsp;&nbsp; return HI_SUCCESS;<BR>
&nbsp;}<BR>
&nbsp;&nbsp;&nbsp;&nbsp;<BR>
@@ -279,6 +285,9 @@<BR>
<BR>
=3D 1;<BR>
<BR>
1;<BR>
=3D 1;<BR>
+<BR>
&nbsp;&nbsp;&nbsp;&nbsp; return HI_SUCCESS;<BR>
&nbsp;}<BR>
<BR>
@@ -349,6 +358,9 @@<BR>
<BR>
&nbsp;&nbsp;&nbsp;&nbsp;
<BR>
1;<BR>
=3D 1;<BR>
+<BR>
&nbsp;&nbsp;&nbsp;&nbsp; return HI_SUCCESS;<BR>
&nbsp;}<BR>
<BR>
diff -Nuar
snort-2.4.4/src/preprocessors/snort_httpinspect.c =
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c<BR>
---
snort-2.4.4/src/preprocessors/snort_httpinspect.c
2005-08-23 =
08:52:19.000000000 -0700<BR>
+++
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
2006-05-30 =
10:33:54.000000000 -0700<BR>
@@ -134,6 +134,7 @@<BR>
&nbsp;#define
GLOBAL_ALERT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
&quot;no_alerts&quot;<BR>
&nbsp;#define =
WEBROOT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
=
&quot;webroot&quot;<BR>
&nbsp;#define TAB_URI_DELIMITER
&quot;tab_uri_delimiter&quot;<BR>
+#define NON_STD_CR&nbsp;&nbsp;&nbsp;
&quot;non_std_cr&quot;<BR>
<BR>
&nbsp;/*<BR>
&nbsp;**&nbsp; Alert subkeywords<BR>
@@ -1449,6 +1450,15 @@<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp; return iRet;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
=
}<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
}<BR>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; else
if(!strcmp(NON_STD_CR, =
pcToken))<BR>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {<BR>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
=
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
=
if((iRet =3D ProcessConfOpt(ConfOpt, NON_STD_CR,<BR>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp; ErrorString, ErrStrLen)))<BR>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
=
{<BR>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp; return iRet;<BR>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
=
}<BR>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
else =
if(!strcmp(IIS_BACKSLASH, pcToken))<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
{<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
=
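Review bot: the `non_std_cr` keyword is parsed here through `ProcessConfOpt` like the other per-server options, but nothing in the patch documents it, and the "-----HTTP Inspect Server Configuration-----" section of the message above is empty where the option syntax should be. Add a `non_std_cr` entry to the http_inspect README, with the same values `ProcessConfOpt` accepts for options such as `apache_whitespace`, and repeat it in the message, since the note says the option is on by default for all profiles and users will want to know how to turn it off.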
@@ -1583,6 +1593,7 @@<BR>
&nbsp;&nbsp;&nbsp;&nbsp;
&quot;Web Root Traversal&quot;);<BR>
&nbsp;&nbsp;&nbsp;&nbsp; =
&quot;Apache =
WhiteSpace&quot;);<BR>
&nbsp;&nbsp;&nbsp;&nbsp;
&quot;IIS Delimiter&quot;);<BR>
+&nbsp;&nbsp;&nbsp;
&quot;Non-Std Carriage Return&quot;);<BR>
<BR>
&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; {<BR>
<BR>
<BR>
-----end-----



> -----Original Message-----
> Jennifer Steffens
> Sent: Wednesday, May 31, 2006 3:28 PM
> Subject: [Snort-devel] Possible Evasion in http_inspect
>
> Sourcefire is aware of a possible Snort evasion that exists in the http_inspect preprocessor.  This evasion case only applies to protected Apache web servers. We have prepared fixes for both the 2.4 and 2.6 branches and will have fully tested releases, including binaries, available for both on Monday, June 5th.
>
>
> Evasion Details:
>
> The Apache web server supports special characters in HTTP requests that do not affect the processing of the particular request.  The current target-based profiles for Apache in the http_inspect preprocessor do not properly handle these requests, resulting in the possibility that an attacker can bypass detection of rules that use the "uricontent" keyword by embedding special characters in a HTTP request.
>
>
> Background Information:
>
> It is important to note that this is an evasion and not a vulnerability.
> This means that while it is possible for an attacker to bypass detection, Snort sensors and the networks they protect are not at a heightened risk of other attacks.
>
>
> Timeline:
>
> Sourcefire has prepared fixes and is currently finalizing a complete round of testing to ensure that the fixes not only solve the issue at hand but do not create new bugs as well. The following releases, including binaries for Linux and Windows deployments, will be available on Monday, June 5th:
>
> * Snort v2.4.5
> * Snort v2.6.0 final
>
>
> Questions:
>
> Any questions regarding these releases can be sent to
>
> Thanks,
> Jennifer
>
>
> --
> Jennifer S. Steffens
> Director, Product Management - Snort
> Sourcefire - Security for the Real World
> W: 410.423.1930 | C: 202.409.7707
> www.sourcefire.com | www.snort.org

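The request-line handling the Demarc message describes, as an added example that is neither the posted patch nor Snort's code: a small parser that cuts the request target at the first whitespace byte, so that a bare carriage return placed before the protocol token neither hides the URI from content matching nor goes unreported. The names `parse_request_uri`, `check_line` and `uri_status` are this example's own, and the request lines in the comments and tests are constructed samples.

```c
#include <string.h>

enum uri_status { URI_OK = 0, URI_NONE = -1 };

/* Copy the request target of the request line `req` (length `len`) into
 * `uri` and set *cr_in_uri when that target was terminated by a bare CR
 * instead of the single SP that RFC 2616 requires before "HTTP/x.y".
 * Cutting the URI at the CR keeps it usable for content matching. */
int parse_request_uri(const char *req, size_t len, char *uri, size_t urisz,
                      int *cr_in_uri)
{
    size_t i = 0, start, n;

    *cr_in_uri = 0;
    while (i < len && req[i] != ' ')            /* skip the method token */
        i++;
    if (i == len)
        return URI_NONE;
    start = ++i;                                /* target starts after SP */
    while (i < len && req[i] != ' ' && req[i] != '\t' &&
           req[i] != '\r' && req[i] != '\n')    /* any whitespace ends it */
        i++;
    if (i == start || urisz == 0)
        return URI_NONE;
    /* A CR that does not begin the CRLF line terminator is the
     * non-standard case the message above describes. */
    if (i < len && req[i] == '\r' && !(i + 1 < len && req[i + 1] == '\n'))
        *cr_in_uri = 1;
    n = i - start;
    if (n >= urisz)
        n = urisz - 1;
    memcpy(uri, req + start, n);
    uri[n] = '\0';
    return URI_OK;
}

/* Returns 1 when `line` parses to `want_uri` with CR flag `want_cr`. */
int check_line(const char *line, const char *want_uri, int want_cr)
{
    char uri[256];
    int cr;

    if (parse_request_uri(line, strlen(line), uri, sizeof uri, &cr) != URI_OK)
        return 0;
    return strcmp(uri, want_uri) == 0 && cr == want_cr;
}
```

An HTTP/0.9-style line such as `GET /index.html\r\n` is not flagged, because there the CR is simply the start of the line terminator.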
</FONT>
</P>
</BODY>
</HTML>
--__--__--
_______________________________________________
Snort-users mailing list
https://lists.sourceforge.net/lists/listinfo/snort-users
End of Snort-users Digest