Rule only works as PCRE... why?

carboncopycarboncopy Member Posts: 259
Basically this is a pretty simple rule created to detect when a password goes over HTTP in clear text. I know there are better ways to write it, but I needed to keep it simple in order to try and figure it out.

The rule not using PCRE is not giving me an alert, when I know for a fact that the word "password" is in the payload of the packet. When I tried the same rule, but using PCRE instead, I was able to get an alert. Could someone please help me figure this out?

Non-PCRE
alert tcp 192.168.1.105 any -> $EXTERNAL_NET 80 (msg:"HTTP Cleartext Password Transmitted"; content:"password"; sid:5000009; )

PCRE
alert tcp 192.168.1.105 any -> $EXTERNAL_NET 80 (msg:"HTTP Cleartext Password Transmitted"; pcre:"/password/"; sid:5000010; )

This is where the Rule should be triggering on password:
base=https&address=This&password=That&Login=Login&m=

This is the stream:

POST /mail/index.bml HTTP/1.1
Host: www.startlogic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b9) Gecko/20100101 Firefox/4.0b9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.startlogic.com/mail/index.bml
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

base=https&address=This&password=That&Login=Login&m=

Comments

carboncopycarboncopy Member Posts: 259
Well I figured it out. In case anyone wants to know, the rule looks like this now.

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP Cleartext Password Transmitted"; content:"POST"; content:"x-www-form-urlencoded"; content:"password="; http_client_body; sid:5000009;)

I was missing the "http_client_body" in the rule.
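To make it concrete what the final rule is checking, here is an added example (not from the thread and not Snort's own code) that models the buffers the rule touches: it splits a captured request into request line, headers and client body the way Snort's HTTP inspection separates them, then applies the three content checks from the rule above, with "password=" restricted to the client body as http_client_body does. The sample requests are constructed; the first is the request posted in the thread with the less relevant headers dropped, the second puts "password=" only in the Referer header to show why the body-only match does not fire on it.

```python
"""Added example: a toy model of the HTTP buffers behind the thread's final rule.

This is illustration code written for this thread, not Snort. It parses a raw
HTTP request into the pieces Snort's HTTP inspector exposes separately and
evaluates the rule's content checks against the right piece:
  content:"POST"                  -> request line
  content:"x-www-form-urlencoded" -> headers (Content-Type)
  content:"password="; http_client_body -> client body only
"""

# Constructed sample: the POST from the thread, minus the headers that do not
# matter for the rule. Content-Length 52 matches the body length exactly.
SAMPLE_POST = (
    b"POST /mail/index.bml HTTP/1.1\r\n"
    b"Host: www.startlogic.com\r\n"
    b"Referer: http://www.startlogic.com/mail/index.bml\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 52\r\n"
    b"\r\n"
    b"base=https&address=This&password=That&Login=Login&m="
)

# Constructed sample: "password=" appears only in a header, not in the body.
# A raw payload match would see it; an http_client_body match must not.
SAMPLE_REFERER_ONLY = (
    b"POST /mail/index.bml HTTP/1.1\r\n"
    b"Host: www.startlogic.com\r\n"
    b"Referer: http://www.startlogic.com/mail/index.bml?password=reset\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"address=This"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and client body.

    Headers are lower-cased by name; the body is truncated to Content-Length so
    trailing bytes from the same stream are not treated as this request's body.
    """
    head, separator, rest = raw.partition(b"\r\n\r\n")
    if not separator:
        raise ValueError("request has no end-of-headers marker")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    method, _, _ = request_line.partition(b" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"0"))
    return {
        "method": method,
        "request_line": request_line,
        "headers": headers,
        "client_body": rest[:length],
    }


def cleartext_password_rule(raw: bytes) -> bool:
    """Evaluate the thread's final rule against one parsed request.

    Each content check is applied to the buffer it is scoped to; the last one
    deliberately looks only at the client body, mirroring http_client_body.
    """
    req = parse_http_request(raw)
    content_type = req["headers"].get(b"content-type", b"")
    return (
        b"POST" in req["request_line"]
        and b"x-www-form-urlencoded" in content_type
        and b"password=" in req["client_body"]
    )


def raw_payload_contains(raw: bytes, needle: bytes) -> bool:
    """The unscoped match: does the needle occur anywhere in the raw payload?"""
    return needle in raw


if __name__ == "__main__":
    for label, sample in (("thread POST", SAMPLE_POST), ("referer only", SAMPLE_REFERER_ONLY)):
        print(label,
              "raw match:", raw_payload_contains(sample, b"password="),
              "rule fires:", cleartext_password_rule(sample))
```

Running it shows the difference the modifier makes: both samples contain "password=" somewhere in the raw bytes, but only the thread's POST carries it in the client body, so only that one trips the scoped rule. The same split is a useful habit when writing any HTTP content rule: decide which buffer the string should live in before picking the modifier.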