readme.http_inspect

This is the snapshot of Snot Latest Rules

* non_rfc_char { [byte] [0x00] . . . } *
This option lets users receive an alert if certain non-RFC chars are used in
a request URI.  For instance, a user may not want to see NULL bytes in the
request-URI and we can give an alert on that.  Please use this option with
care, because you could configure it to say, alert on all '/' or something
like that.  It's flexible, so be careful.

* multi_slash [yes/no] *
This option normalizes multiple slashes in a row, so something like:
"foo/////////bar" get normalized to "foo/bar".

If you want an alert when multiple slashes are seen, then configure with a yes,
otherwise a no.

* iis_backslash [yes/no] *
Normalize backslashes to slashes.  This is again an IIS emulation.  So a
request-URI of "/foo\bar" gets normalized to "/foo/bar".

* directory [yes/no] *
This option normalizes directory traversals and self-referential directories.
So, "/foo/this_is_not_a_real_dir/../bar" get normalized to "/foo/bar".  Also,
"/foo/./bar" gets normalized to "/foo/bar".  If a user wants to configure an
alert, then specify "yes", otherwise "no".  This alert may give false positives
since some web sites refer to files using directory traversals.

* apache_whitespace [yes/no] *
This option deals with non-RFC standard of tab or carriage return for a space
delimiter, as well as any characters defined with the "whitespace_chars" option.
Apache accepts these characters as whitespace, so if the emulated web server is
Apache you need to enable this option.  Alerts on this option may be interesting,
but may also be false positive prone.

* whitespace_chars { [byte] [0x00 . . . } *
This option lets users define characters that will be accepted as whitespace
before and after a URI (e.g. GET<whitespace>/index.html<whitespace>HTTP/1.0).
The default values are 0x09, 0x0B, 0x0C and 0x0D.  The characters defined with
this option are in addition to the default values.  As an example, if a user
wants to add the backspace char 0x08, this option should look like:
whitespace_chars { 0x08 }.

* iis_delimiter [yes/no] *
I originally started out with \n being IIS specific, but Apache takes this
non-standard delimiter was well.  Since this is common, we always take this 
as standard since the most popular web servers accept it.  But you can still
get an alert on this option.

* chunk_length [non-zero positive integer] *
This option is an anomaly detector for abnormally large chunk sizes.  This picks
up the apache chunk encoding exploits, and may also alert on HTTP tunneling that
uses chunk encoding.

* no_pipeline_req *
This option turns HTTP pipeline decoding off, and is a performance enhancement
if needed.  By default pipeline requests are inspected for attacks, but when
this option is enabled, pipeline requests are not decoded and analyzed per HTTP
protocol field.  It is only inspected with the generic pattern matching.

* non_strict *
This option turns on non-strict URI parsing for the broken way in which
Apache servers will decode a URI.  Only use this option on servers that will
accept URIs like this "GET /index.html alsjdfk alsj lj aj  la jsj s\n".  The
non_strict option assumes the URI is between the first and second space
even if there is no valid HTTP identifier after the second space.

* allow_proxy_use *
By specifying this keyword, the user is allowing proxy use on this server.
This means that no alert will be generated if the proxy_alert global keyword
has been used.  If the proxy_alert keyword is not enabled, then this option
does nothing.  The allow_proxy_use keyword is just a way to suppress 
unauthorized proxy use for an authorized server.  

* no_alerts *
This option turns off all alerts that are generated by the HttpInspect
preprocessor module.  This has no effect on http rules in the ruleset.
No argument is specified.

* oversize_dir_length [non-zero positive integer] *
This option takes a non-zero positive integer as an argument.  The
argument specifies the max char directory length for URL directory.  If a 
URL directory is larger than this argument size, an alert is generated.  
A good argument value is 300 chars.  This should limit the alerts
to IDS evasion type attacks, like whisker -I 4.

* inspect_uri_only *
This is a performance optimization.  When enabled, only the URI portion of HTTP
requests will be inspected for attacks.  As this field usually contains 90-95%
of the web attacks, you'll catch most of the attacks.  So if you need extra
performance, then enable this optimization.  It's important to note that
if this option is used without any uricontent rules, then no inspection will
take place.  This is obvious since the uri is only inspected with uricontent
rules, and if there are none available then there is nothing to inspect.

For example, if we have the following rule set:

alert tcp any any -> any 80 ( msg:"content"; content: "foo"; )

and then we inspect the following URI:

GET /foo.htm HTTP/1.0\r\n\r\n

No alert will be generated when 'inspect_uri_only' is enabled.  The 
'inspect_uri_only' configuration turns off all forms of detection except 
uricontent inspection.

* webroot *
This option generates an alert when a directory traversal traverses past
the web server root directory.  This generates much less false positives than 
the directory option, because it doesn't alert on directory traversals that 
stay within the web server directory structure.  It only alerts when the 
directory traversals go past the web server root directory, which
is associated with certain web attacks.

* tab_uri_delimiter *
Both Apache and newer versions of IIS accept tabs as delimiters. However, 
this option is deprecated and has been replaced by, and is enabled by default
with, the whitespace_chars option.  For more details on its use, see the 
whitespace_chars section above. 

-- Profile Breakout --
There are three profiles that users can select.  Only the configuration 
that are listed under the profiles are turned on.  If there is no mention 
of alert on or off, then that means there is no alert associated with the 
configuration.

* Apache *

flow_depth 300
non_strict URL parsing is set
chunk encoding (alert on chunks larger than 500000 bytes)
ascii decoding is on (alert off)
multiple slash (alert off)
directory normalization (alert off)
webroot (alert on)
apache whitespace (alert off)
utf_8 encoding (alert off)

* IIS *

flow_depth 300
non_strict URL parsing is set
chunk encoding (alert on chunks larger than 500000 bytes)
iis_unicode_map is set to the codepoint map in the global configuration
ascii decoding (alert off)
multiple slash (alert off)
directory normalization (alert off)
webroot (alert on)
%u decoding (alert on)
bare byte decoding (alert on)
iis unicode codepoints (alert on)
iis backslash (alert off)
iis delimiter (alert off)
apache whitespace (alert off)

* IIS4 and IIS5_0 *

flow_depth 300
non_strict URL parsing is set
chunk encoding (alert on chunks larger than 500000 bytes)
iis_unicode_map is set to the codepoint map in the global configuration
ascii decoding (alert off)
multiple slash (alert off)
directory normalization (alert off)
webroot (alert on)
double decoding (alert on)
%u decoding (alert on)
bare byte decoding (alert on)
iis unicode codepoints (alert on)
iis backslash (alert off)
iis delimiter (alert off)
apache whitespace (alert off)

* All * 

flow_depth 300
non_strict URL parsing is set
chunk encoding (alert on chunks larger than 500000 bytes)
iis_unicode_map is set to the codepoint map in the global configuration
ascii decoding is on (alert off)
multiple slash (alert off)
directory normalization (alert off)
apache whitespace (alert off)
double decoding (alert on)
%u decoding (alert on)
bare byte decoding (alert on)
iis unicode codepoints (alert on)
iis backslash (alert off)
iis delimiter (alert off)
webroot (alert on)

The following lists the defaults:

Port 80
flow_depth 300
non_strict URL parsing is set
chunk encoding (alert on chunks larger than 500000 bytes)
ascii decoding is on (alert off)
utf_8 encoding (alert off)
multiple slash (alert off)
directory normalization (alert off)
webroot (alert on)
apache whitespace (alert off)
iis delimiter (alert off)

-- Writing uricontent rules --
The uricontent parameter in the snort rule language searches the NORMALIZED
request URI field.  This means that if you are writing rules that include
things that are normalized, such as %2f or directory traversals, these
rules will not alert.  The reason is that the things you are looking for
are normalized out of the URI buffer.  For example, the URI:

/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver

will get normalized into:

/winnt/system32/cmd.exe?/c+ver

Another example,

/cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%252fp%68f?

into:

/cgi-bin/phf?

So when you are writing a uricontent rule, you should write the content that
you want to find in the context that the URI will be normalized.  Don't include
directory traversals (if you normalize directories) and don't look for encode
characters.  You can accomplish this type of detection by using the 'content'
rule parameter, since this rule inspects the unnormalized buffer.

-- Conclusion --
So you got to the end?  Good for you.  I'm sure you know more about HTTP
encodings and evasions then you ever wanted to.  My suggestions are to stick
with the "profile" options, since they are much easier to read and have been
researched.

If you feel like giving us profiles for other web servers, please do.
We'll incorporate them into the default server profiles for HttpInspect.