[Snort-devel] writing rules for web applications

Chris Green cmg at ...402...
Wed May 8 09:05:56 EDT 2002


I'm going to be adding support to further decode web applications
further down the application layer, and after talking to rfp & HD Moore
I'm trying to come up with a suitable way to do this from a rules
perspective.

uricontent: "/file.cgi"
             will *only* look for the cgi name before
             a ? in the string.

uriparam: "key", "pattern", <flavor>

key: is the CGI argument
pattern: the (optional?) pattern to check for
method:  decoding strategy to take:

         hex  -- only process %20 type stuff
         raw  -- only process the raw bytes
         unicode_all -- only process %c0cf and %u0000 junkets
         any -- normalize both, warn on double decodes


I want to think about this for a bit before it's fully implemented
because I have to do a lot of work to implement and then we have to do
a TON of work to convert signatures.


Example Rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:"WEB-IIS ASP contents view";
flow:to_server; flags: A+;
uricontent:".htw?CiWebHitsFile";
reference:bugtraq,1864; classtype:web-application-attack;
sid:979; rev:4;)

would become

uricontent:".htw"
uriparam: "CiWebHitsFile"

and uriparam will always have to be after a uricontent
-- 
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
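An added, runnable model of the uricontent/uriparam semantics proposed in the post above, plus the sid 979 rewrite it uses as an example. This is illustrative code written for this page, not Snort's implementation and not from Chris Green. Assumptions: uricontent is tested only against the part of the URI before the first "?"; the four flavors are modelled as "raw" (no decoding), "hex" (%XX only), "unicode_all" (%uXXXX only) and "any" (both, warning when a second decode pass would still change the string); overlong UTF-8 sequences of the %c0xx kind mentioned in the post are not modelled; the request URIs are constructed samples. A legacy_match helper is included only to contrast the old whole-URI substring test with the proposed split.

```python
# Added illustration of the uricontent/uriparam semantics proposed in the post.
# Hypothetical Python model, not Snort's code.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One escape at a time: either IIS-style %uXXXX or plain %XX.
ESCAPE_RE = re.compile(r"%(?:u([0-9A-Fa-f]{4})|([0-9A-Fa-f]{2}))")

# flavor -> (decode %XX?, decode %uXXXX?), following the four flavors in the post
FLAVORS = {
    "raw": (False, False),
    "hex": (True, False),
    "unicode_all": (False, True),
    "any": (True, True),
}


def decode_once(s: str, allow_hex: bool, allow_unicode: bool) -> str:
    """Apply exactly one round of decoding to every escape in s."""
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:  # %uXXXX -> one code point
            return chr(int(m.group(1), 16)) if allow_unicode else m.group(0)
        return chr(int(m.group(2), 16)) if allow_hex else m.group(0)  # %XX -> one byte
    return ESCAPE_RE.sub(repl, s)


def normalize(s: str, flavor: str) -> Tuple[str, bool]:
    """Return (normalized string, double_decode_seen) for the given flavor.

    Only the "any" flavor warns on double decoding (assumption matching the post):
    it decodes once, then checks whether a second round would change the string.
    """
    if flavor not in FLAVORS:
        raise ValueError(f"unknown uriparam flavor {flavor!r}")
    allow_hex, allow_unicode = FLAVORS[flavor]
    if flavor == "raw":
        return s, False
    once = decode_once(s, allow_hex, allow_unicode)
    if flavor != "any":
        return once, False
    return once, decode_once(once, True, True) != once


@dataclass
class UriRule:
    """uricontent plus an optional uriparam: (key, pattern-or-None, flavor)."""
    uricontent: str
    uriparam: Optional[Tuple[str, Optional[str], str]] = None


def split_query(query: str) -> List[Tuple[str, str]]:
    """Split 'a=1&b=2&flag' into (key, value) pairs; a bare key gets value ''."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def match(rule: UriRule, uri: str) -> Tuple[bool, List[str]]:
    """Evaluate a rule against a request URI; returns (matched, warnings)."""
    path, _, query = uri.partition("?")
    # uricontent looks only at the part before '?', as the post specifies
    if rule.uricontent not in path:
        return False, []
    if rule.uriparam is None:
        return True, []
    key, pattern, flavor = rule.uriparam
    warnings: List[str] = []
    for raw_key, raw_value in split_query(query):
        k, dbl_k = normalize(raw_key, flavor)
        v, dbl_v = normalize(raw_value, flavor)
        if dbl_k or dbl_v:
            warnings.append(f"double-encoded parameter {raw_key!r}")
        if k == key and (pattern is None or pattern in v):
            return True, warnings
    return False, warnings


def legacy_match(uricontent: str, uri: str) -> bool:
    """Pre-proposal form, for contrast: one substring test over the whole URI."""
    return uricontent in uri


if __name__ == "__main__":
    # sid 979 rewritten as in the post; URIs below are constructed samples
    rule = UriRule(".htw", ("CiWebHitsFile", None, "any"))
    for uri in ("/null.htw?CiWebHitsFile=/default.asp&CiRestriction=none",
                "/null.htw?CiRestriction=none&CiWebHitsFile=/default.asp",
                "/null.htw?%2543iWebHitsFile=/default.asp"):
        print(uri, legacy_match(".htw?CiWebHitsFile", uri), match(rule, uri))
```

The second sample URI shows why the split matters for detection: reordering the query parameters defeats the old whole-URI substring, while the key-based uriparam still matches. The third shows the double-decode warning the "any" flavor is meant to raise, and that a "raw" rule would not see a %43-encoded key at all.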