
Snort rules to detect invalid/mismatched HTTP header content-size vs actual content-size


Situation: There are some attacks where the attacker sends an invalid HTTP packet that has a mismatched content size to actual content size. I need to write a Snort rule to fish out such packets

Problem: As far as I know, Snort does not allow the users to define rulesets using Snort variables/values (such as "dsize"). An example of what I wanted to do is as below:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (\
    msg:"mismatched HTTP header content size vs actual content size"; \
    offset: *to http header content field*; \
    byte_test: *length of field of content*, !=, dsize; \
    gid: 1; sid:1000001;)

Question: I am quite aware that the above will not work. Is there a way to achieve said purpose using a Snort rule?

Additional Information 1: I am using Snort 2

Additional Information 2: Is there a scripting language (other than Lua) that Snort 2 can support?

Additional Information 3: I am aware that the http preprocessor exists, but have no idea how to get it to work properly. If you were to suggest using the preprocessor, would you point me in the right direction?


Solution

  • The short answer is "No."

    The longer answer is, yes, you could write a plugin for this type of detection. The plugin framework might seem daunting at first, but you can pretty easily extract the content size field from the request and then check that against the size of the actual data content. This is an ideal detection situation for a plugin. Just make sure that you bail out quickly whenever your plugin realizes that the packet it's analyzing isn't one that it cares about. For example, not only limiting your plugin to watching port 80, but also only examining packets that contain HTTP headers in them.
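The plugin logic the answer describes, as an added Python example that is not part of the original post or of Snort itself: bail out quickly on anything that is not an HTTP request, then compare the declared Content-Length with the number of body bytes actually present. The packet payloads at the bottom are constructed samples.

```python
"""Content-Length vs actual body size check, as a Snort-style plugin would do it."""
import re

HEADER_END = b"\r\n\r\n"
REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def content_length_mismatch(payload: bytes):
    """Return None when the payload is not worth checking, otherwise a tuple
    (declared_length_or_None, actual_body_length, mismatch_flag)."""
    # Bail out early: no HTTP request line means this packet is not our concern.
    if not REQUEST_LINE.match(payload):
        return None
    end = payload.find(HEADER_END)
    if end == -1:
        return None  # header block incomplete; cannot size the body yet
    header_block = payload[:end].decode("latin-1")
    body = payload[end + len(HEADER_END):]
    headers = {}
    for line in header_block.split("\r\n")[1:]:   # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # With chunked transfer coding Content-Length is ignored (RFC 7230 3.3.3).
    if any("chunked" in v.lower() for v in headers.get("transfer-encoding", [])):
        return None
    declared_values = headers.get("content-length")
    if not declared_values:
        return None  # nothing declared, nothing to compare against
    # Conflicting or non-numeric Content-Length values are malformed: flag them.
    if len(set(declared_values)) > 1 or not declared_values[0].isdigit():
        return (None, len(body), True)
    declared = int(declared_values[0])
    return (declared, len(body), declared != len(body))


# Constructed sample payloads (not captured traffic).
GOOD = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 9\r\n\r\nuser=bob&")
BAD = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
       b"Content-Length: 200\r\n\r\nuser=bob&")
CHUNKED = (b"POST /up HTTP/1.1\r\nTransfer-Encoding: chunked\r\n"
           b"Content-Length: 5\r\n\r\n0\r\n\r\n")
DUPLICATE = b"POST /x HTTP/1.1\r\nContent-Length: 3\r\nContent-Length: 5\r\n\r\nabc"
NOT_HTTP = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"  # TLS-like bytes

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BAD", BAD), ("CHUNKED", CHUNKED),
                         ("DUPLICATE", DUPLICATE), ("NOT_HTTP", NOT_HTTP)]:
        print(name, content_length_mismatch(sample))
```

Run this on stream-reassembled request data rather than on single TCP segments: a body that spans several segments will look like a mismatch in every segment but the last.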