Bug #28
closedSpaces between content/uricontent: and "match" are not handled properly
Description
The engine does not properly parse sigs where a space exists between the content/uricontent: and the " to signify the pattern to match.
For example in Snort this is valid syntax
content: "foo";
Our engine can't deal with this. The attached pcap has the following http requests.
11/24/09-18:13:54.398293 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:13:51.504617 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:00.413505 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:12.445494 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:36.399206 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:15:24.414425 btg.btgrab.com [**] /a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1 [**] {2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110 [**] 192.168.2.7:1041 -> 208.75.250.50:80
The results from running with the following rules are below. As you can see we fail to alert on sigs where a space exists between content/uricontent: and the quote to begin the pattern to match against, but do alert where no space exists in the sigs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin (Original Sig Fails to Fire)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001340; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF changed to content fails also)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; content: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001341; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent:"adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001342; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; content:"adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001343; rev:9;)
11/24/09-18:13:51.504617 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:13:51.504617 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:13:54.398293 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:13:54.398293 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:00.413505 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:00.413505 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:36.399206 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:36.399206 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:12.445494 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:14:12.445494 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:15:24.414425 [**] [1:2001342:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
11/24/09-18:15:24.414425 [**] [1:2001343:9] ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works) [**] [Classification: fixme] [Priority: 3] {6} 192.168.2.7:1041 -> 208.75.250.50:80
Files
Updated by Victor Julien almost 15 years ago
- Assignee changed from OISF Dev to Victor Julien