[Snort-devel] snort does not detect good rules

Paul Tinsley jackhammer at ...2499...
Tue Apr 27 00:10:04 EDT 2004


I don't have metasploit setup so I took your snippet and wrapped it up
in a script.  Here is the snort dump of that code:

53 45 41 52 43 48 20 2F 62 6C 61 68 62 6C 61 68  SEARCH /blahblah
62 6C 61 68 20 48 54 54 50 2F 31 2E 31 0D 0A 48  blah HTTP/1.1..H
6F 73 74 3A 20 77 65 62 73 69 74 65 2E 63 6F 6D  ost: website.com
3A 38 30 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70  :80..Content-Typ
65 3A 20 74 65 78 74 2F 78 6D 6C 0D 0A 43 6F 6E  e: text/xml..Con
74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 33 35  tent-Length: 135
0D 0A 0D 0A 3C 3F 78 6D 6C 20 76 65 72 73 69 6F  ....<?xml versio
6E 3D 22 31 2E 30 22 3F 3E 0D 0A 3C 67 3A 73 65  n="1.0"?>..<g:se
61 72 63 68 72 65 71 75 65 73 74 20 78 6D 6C 6E  archrequest xmln
73 3A 67 3D 22 44 41 56 3A 22 3E 0D 0A 3C 67 3A  s:g="DAV:">..<g:
73 71 6C 3E 0D 0A 53 65 6C 65 63 74 20 22 44 41  sql>..Select "DA
56 3A 64 69 73 70 6C 61 79 6E 61 6D 65 22 20 66  V:displayname" f
72 6F 6D 20 73 63 6F 70 65 28 29 0D 0A 3C 2F 67  rom scope()..</g
3A 73 71 6C 3E 0D 0A 3C 2F 67 3A 73 65 61 72 63  :sql>..</g:searc
68 72 65 71 75 65 73 74 3E 0D 0A                 hrequest>..

If you look at that snort rule, it seems as if it was written for a
different attack vector and unfortunately won't work for any
variations in shellcode that might come across :( due to the
Content-Length check that is done.  So that rule should probably be
updated, but what really needs to happen is a 2nd rule needs to be
written that can address this attack vector.  Here is the perl snippet
needed to reproduce the stream for those interested in working on a
rule.  Just pass it a website and port, e.g. perl webdav_trigger.pl
website.com 80:

use strict;
use warnings;

use IO::Socket::INET;

# usage: perl webdav_trigger.pl website.com 80
my $target_host = shift;
my $target_port = shift;
die "usage: $0 host port\n" unless defined $target_host and defined $target_port;

my $socket = IO::Socket::INET->new(PeerAddr => $target_host,
                                   PeerPort => $target_port,
                                   Proto    => 'tcp') or die "Connect Failed: $@";

my ($request, $content, $url);

#bogus url
$url = "blahblahblah";

#setup content (the 135-byte body shown in the dump above)
$content  = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n";
$content .= "<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";

#setup request; Content-Length is computed from the body, not hard-coded
$request  = "SEARCH /" . $url ." HTTP/1.1\r\n";
$request .= "Host: " . $target_host . ":" . $target_port . "\r\n";
$request .= "Content-Type: text/xml\r\n";
$request .= "Content-Length: " . length($content) . "\r\n";
$request .= "\r\n$content";

#send it to the host
$socket->send($request);

close $socket;

----- Original Message -----
From: jvarlet at ...2497... <jvarlet at ...2497...>
Date: 26 Apr 2004 13:48:44 UT
Subject: [Snort-devel] snort does not detect good rules
To: snort-devel at lists.sourceforge.net

Hello,

I'm testing snort. So, I have installed a 2000 server without any
patches.
I use Metasploit with WebDAV Overflow (snort rule : 2091).

But Snort does not detect it. It only says that :

I would like Snort to detect the attack :

Exploit perl code :

$request = "SEARCH /" . $url ." HTTP/1.1\r\n";
$request .= "Host: " . $target_host . ":" . $target_port . "\r\n";
$request .= "Content-Type: text/xml\r\n";
$content .= "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n";
$content .= "<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
$request .= "Content-Length: " . length($content) . "\r\n";
$request .= "\r\n$content";

Snort rule detected : 1070 WEB-MISC WebDAV search access

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV search access"; flow:to_server,established; content: "SEARCH "; depth: 8; nocase; reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:6;)

Snort rule that I want to detect: 2091 WEB-IIS WEBDAV exploit attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|"; content:"Accept|3a| |2a|/|2a0a|Translate|3a| f|0a|Content-length|3a|5276|0a0a|"; distance:1; reference:cve,CAN-2003-0109; reference:bugtraq,7716; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:4;)

How can I do this??

Thanks a lot.
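To see why sid 1070 fires on this capture while sid 2090 stays silent, here is an added example of mine (not code from the thread, from Snort, or from Metasploit). It replays the content strings of both rules, with their |xx| escapes decoded, against a constructed copy of the request in the hex dump, approximating Snort's depth and distance modifiers with plain byte searches (no http_inspect normalization), and then parses the request to show a check that does not depend on a fixed Content-Length or header order. The predicate looks_like_dav_search is an assumption of mine for illustration, not a vetted signature.

```python
"""Replay the content matches of the two rules quoted in the thread against
the captured SEARCH request, the way Snort evaluates content/depth/distance
on a raw payload, to see which clause of sid 2090 keeps it from firing.
Added example: not code from the thread, Snort, or Metasploit."""

from typing import Dict, List, Optional, Tuple

# Constructed copy of the request in the hex dump above.  Its body is 135
# bytes, matching the Content-Length header the trigger script computes.
CAPTURED_REQUEST = (
    b"SEARCH /blahblahblah HTTP/1.1\r\n"
    b"Host: website.com:80\r\n"
    b"Content-Type: text/xml\r\n"
    b"Content-Length: 135\r\n"
    b"\r\n"
    b'<?xml version="1.0"?>\r\n'
    b'<g:searchrequest xmlns:g="DAV:">\r\n'
    b'<g:sql>\r\nSelect "DAV:displayname" from scope()\r\n</g:sql>\r\n'
    b"</g:searchrequest>\r\n"
)

# Content strings of the rules quoted in the thread, with Snort's |xx| hex
# escapes decoded.  sid 2090 carries no 'nocase', so its matches are
# case-sensitive.
SID_1070_CONTENT = b"SEARCH "                             # depth:8; nocase
SID_2090_CONTENTS = [
    b"HTTP/1.1\nContent-type: text/xml\nHOST:",
    b"Accept: */*\nTranslate: f\nContent-length:5276\n\n",  # distance:1
]


def match_sid_1070(payload: bytes) -> bool:
    """content:"SEARCH "; depth:8; nocase -> case-insensitive, first 8 bytes only."""
    return SID_1070_CONTENT.lower() in payload[:8].lower()


def match_chain(payload: bytes, contents: List[bytes],
                distance: int = 0) -> List[Optional[int]]:
    """Evaluate case-sensitive content matches in order.  Each match after the
    first may begin no earlier than `distance` bytes past the end of the
    previous one (Snort's 'distance').  Returns the offset of each match, with
    None for the first failing pattern and for everything after it."""
    offsets: List[Optional[int]] = []
    cursor = 0
    for i, pattern in enumerate(contents):
        pos = payload.find(pattern, cursor + (distance if i else 0))
        if pos < 0:
            break
        offsets.append(pos)
        cursor = pos + len(pattern)
    offsets.extend([None] * (len(contents) - len(offsets)))
    return offsets


def longest_matching_prefix(payload: bytes, pattern: bytes) -> Tuple[int, int]:
    """Longest prefix of `pattern` that occurs anywhere in `payload`, as
    (prefix_length, offset); shows the byte at which a content string first
    diverges from the real traffic."""
    for n in range(len(pattern), 0, -1):
        off = payload.find(pattern[:n])
        if off >= 0:
            return n, off
    return 0, -1


def parse_request(payload: bytes) -> Tuple[bytes, bytes, Dict[bytes, bytes], bytes]:
    """Split a raw HTTP request into (method, uri, headers, body); header
    names are lowercased so checks do not depend on the client's casing."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def looks_like_dav_search(payload: bytes) -> bool:
    """Illustrative predicate for the second rule the reply asks for, keyed on
    what this traffic actually contains rather than a fixed Content-Length or
    header order.  It is an assumption for illustration, not a vetted
    signature, and it also fires on legitimate WebDAV searches, so it says
    'DAV search seen', not 'exploit confirmed'."""
    method, _uri, headers, body = parse_request(payload)
    return (method.upper() == b"SEARCH"
            and headers.get(b"content-type", b"").lower().startswith(b"text/xml")
            and b"searchrequest" in body and b'"DAV:"' in body)


if __name__ == "__main__":
    print("sid 1070 fires:", match_sid_1070(CAPTURED_REQUEST))
    print("sid 2090 match offsets:",
          match_chain(CAPTURED_REQUEST, SID_2090_CONTENTS, distance=1))
    for pat in SID_2090_CONTENTS:
        n, off = longest_matching_prefix(CAPTURED_REQUEST, pat)
        print(f"  {pat[:n]!r} at offset {off}; traffic then has "
              f"{CAPTURED_REQUEST[off + n:off + n + 1]!r}, rule wants {pat[n:n + 1]!r}")
    print("candidate DAV-search predicate fires:",
          looks_like_dav_search(CAPTURED_REQUEST))
```

Running it shows that 2090's first content string already diverges eight bytes in: the rule wants a bare |0a| after HTTP/1.1 followed by Content-type as the next header, while this request sends CRLF and Host: there, so the Content-length:5276 clause in the second content string is never even evaluated. Any replacement rule should be checked the same way against the bytes in the dump before blaming the sensor.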