[Snort-devel] Signature Quality Rules

Brian Caswell bmc at ...227...
Wed Feb 21 14:30:03 EST 2001


Well... I have been doing quite a bit of work validating the snort rules
in the current database, and I have a broad decision question for y'all.

Most of our WEB-CGI rules just list the program, such as
"/cgi-bin/count.cgi" and do not include a signature for the actual
attempt.

I propose that we move all of these "program names" into one rule.

alert tcp $EXTERNAL any -> $HOME_NET 80 (msg:"WEB-CGI access";
content-list:"cgi-dir"; content-list:"flawed-cgi"; nocase; flags:A+;)

In the file "flawed-cgi" we include a list of every flawed CGI that we
know of. In order to correctly log all of the rules, I propose a
modification to content-list, so that it changes msg to include what it
saw, so that if content-list saw "/cgi-bin/" and "count.cgi" then it
would change msg to be "WEB-CGI access /cgi-bin/count.cgi".  This
shouldn't be a difficult modification, and it would help the
administrator keep their rulebase up-to-date.

Also, I am in the process of building exploit rules for the CGI
vulnerabilities.  If we had rule ordering correct, we would put the ATTEMPT
rules in front of the ACCESS rules.  This would be better from the
analysts' point of view, as well as the rules bastard's point of view.

-- 
Brian Caswell
The MITRE Corporation
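The two proposals in the post (a content-list whose matched entries are appended to msg, and ATTEMPT rules ordered ahead of ACCESS rules) modelled in Python as an added illustration. This is not Snort code and not part of the original mailing-list message; the list contents, the request lines and the ATTEMPT rule's content are constructed here, the ATTEMPT content is illustrative only and not a real signature for count.cgi, and the content-list semantics (one entry from each list must appear; nocase applies to every content) are assumptions about what the proposal would mean.

```python
# Added illustration, not Snort code: a tiny first-match rule evaluator that
# models (1) the proposed content-list that extends msg with what it matched
# and (2) why ATTEMPT rules should sit in front of ACCESS rules.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-ins for the proposed "cgi-dir" and "flawed-cgi" list files.
CGI_DIRS = ["/cgi-bin/", "/cgi-local/", "/scripts/"]
FLAWED_CGI = ["count.cgi", "phf", "test-cgi"]


@dataclass
class Rule:
    msg: str
    # plain content options: every literal must appear in the payload
    content: List[str] = field(default_factory=list)
    # content-list options: from each list, at least one entry must appear
    content_lists: List[List[str]] = field(default_factory=list)
    nocase: bool = True  # assumption: nocase applies to every content in the rule


def _norm(s: str, nocase: bool) -> str:
    return s.lower() if nocase else s


def match_rule(rule: Rule, payload: str) -> Optional[str]:
    """Return the alert msg for this rule, or None if it does not match.

    When content-lists are involved, the matched entries are appended to msg,
    which is the modification proposed in the post
    ("WEB-CGI access" -> "WEB-CGI access /cgi-bin/count.cgi")."""
    hay = _norm(payload, rule.nocase)
    for literal in rule.content:
        if _norm(literal, rule.nocase) not in hay:
            return None
    seen: List[str] = []
    for lst in rule.content_lists:
        hit = next((e for e in lst if _norm(e, rule.nocase) in hay), None)
        if hit is None:
            return None
        seen.append(hit)
    return f"{rule.msg} {''.join(seen)}" if seen else rule.msg


def evaluate(rules: List[Rule], payload: str) -> Optional[str]:
    """First-match evaluation in list order: the first matching rule's msg wins.
    Placing the more specific ATTEMPT rule first keeps ACCESS from shadowing it."""
    for rule in rules:
        alert = match_rule(rule, payload)
        if alert is not None:
            return alert
    return None


def scan(rules: List[Rule], lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Run the ordered rule set over a batch of request lines."""
    return [(line, evaluate(rules, line)) for line in lines]


# The single ACCESS rule from the post, expressed with two content-lists.
ACCESS = Rule(msg="WEB-CGI access", content_lists=[CGI_DIRS, FLAWED_CGI])
# Constructed ATTEMPT rule: its second content is an illustrative marker,
# not a real count.cgi signature; it only exists to show ordering effects.
ATTEMPT = Rule(msg="WEB-CGI count.cgi attempt", content=["count.cgi", "../"])

ORDERED = [ATTEMPT, ACCESS]    # attempt first, as the post proposes
UNORDERED = [ACCESS, ATTEMPT]  # access first: the attempt alert is never reached

# Constructed request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/count.cgi HTTP/1.0",
    "GET /CGI-BIN/Count.cgi?../../x HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for line, alert in scan(ORDERED, SAMPLE_REQUESTS):
        print(f"ordered   {alert!s:45} <- {line}")
    for line, alert in scan(UNORDERED, SAMPLE_REQUESTS):
        print(f"unordered {alert!s:45} <- {line}")
```

With the rules ordered as proposed, the plain request produces "WEB-CGI access /cgi-bin/count.cgi" (the directory and program names that matched are appended to msg, and the mixed-case request still matches because of nocase), while the request carrying the constructed marker produces the ATTEMPT alert. With ACCESS placed first, the same marker request only ever raises the generic access alert, which is the shadowing problem rule ordering is meant to avoid.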
