[Snort-devel] Evade from Snort for Web-based Attacks

Martin Roesch roesch at ...402...
Sun Jan 6 20:39:07 EST 2002


That evades the uricontent rule, not the IDS.  IOW, using the default
rules you may be evaded for those particular HTTP/1.1 exploits. 
Solution?  Use "content" instead of "uricontent".

    -Marty

Sam Ng wrote:
> 
> Seems able to evade Snort by the following:
> 
> POST / HTTP/1.1
> Host: www.host.com
> Connection: keep-alive
> Content-length: 10
> [\n]
> 1234567890GET /cgi-bin/phf HTTP/1.1
> Host: www.host.com
> Connection: keep-alive
> [\n]
> 
> I have tested with Apache web server only, but "should" be able to work for
> any web servers if you find a "postable" path.
> 
> Sam Ng
> Doctor A Security Systems (HK) Limited
> 708 Millennium City
> 378 Kwuntong Road
> Kowloon
> HONG KONG
> Tel: +852 2342-4330
> Fax: +852 2342-4310
> email: sng at ...1047...

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
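A pipelining-aware reading of the stream from the post, as an added example that is not Snort code and not from either poster: it contrasts a URI match that only sees the first request line (which misses the second request) with the whole-payload "content" approach Marty suggests, and with a parser that honours Content-Length so every request's URI is inspected. The helper names and the sample stream are constructed here.

```python
# Constructed reproduction of the stream from the post (CRLF line endings).
PIPELINED = (
    b"POST / HTTP/1.1\r\nHost: www.host.com\r\nConnection: keep-alive\r\n"
    b"Content-length: 10\r\n\r\n1234567890"
    b"GET /cgi-bin/phf HTTP/1.1\r\nHost: www.host.com\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

SIGNATURE = b"/cgi-bin/phf"  # the URI fragment a rule would look for


def first_request_uri(stream: bytes) -> bytes:
    """Naive view: only the URI of the first request line is inspected."""
    request_line = stream.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def iter_request_uris(stream: bytes):
    """Walk every pipelined request, skipping each body by Content-Length."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            return  # truncated headers: nothing more to parse
        request_line, *header_lines = stream[pos:end].split(b"\r\n")
        parts = request_line.split(b" ")
        if len(parts) >= 2:
            yield parts[1]
        body_len = 0
        for line in header_lines:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length" and value.strip().isdigit():
                body_len = int(value.strip())
        pos = end + 4 + body_len  # jump past the blank line and the body


def uricontent_style_hit(stream: bytes) -> bool:
    """Model of a URI-only check on the first request: misses the pipelined GET."""
    return SIGNATURE in first_request_uri(stream)


def content_style_hit(stream: bytes) -> bool:
    """Whole-payload match, as Marty's suggested 'content' rule would do."""
    return SIGNATURE in stream


def pipelined_uri_hit(stream: bytes) -> bool:
    """Per-request URI match after pipelining-aware parsing."""
    return any(SIGNATURE in uri for uri in iter_request_uris(stream))
```

The whole-payload match catches the string anywhere in the stream; the parser additionally tells you which request carried it, which is what a normalised URI check needs.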
