[Snort-sigs] Rules pondering

Chris Green cmg at ...26...
Mon Nov 12 11:00:02 EST 2001


Here are some rules I've gone over. For some of them I know what traffic
they match but not what app is on the other end. Others seem to have
slight mistakes.

sid: 1063
---
"csh.exe" C shell for Windows? 


sid: 1082
---
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=discussion&id=1194

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80  \
      (msg:"WEB-MISC amazon 1-click cookie theft"; \
      flags: A+; content:"ref%3Cscript%20language%3D%22Javascript" \
      ; nocase; classtype:web-application-attack; sid:1082; rev:4; \
      reference:bugtraq,1194; reference:cve,CVE-2000-0439;)

Is this to catch people posting javascript to your webservers?

I'm having troubles finding when the following string would be sent:
   ref<script language="Javascript

perhaps href="...." was the goal?


sid: 573:
---

Fujitsu Chocoa "Topic" Buffer Overflow Vulnerability is what secfocus
calls it. Since it's only against an obscure irc client, it should be
EXTERNAL_NET 6666:6669 or something like that, and the msg should be
more descriptive.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT IRC client
overflow";flags: A+; content:"|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8
50 77|"; reference:cve,CVE-1999-0672; reference:bugtraq,573;
classtype:attempted-user; sid:307; rev:1;)


sid: 572:
---

It's an attack against FTP servers.

Should only be against $HOME_NET 21.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT NextFTP
client overflow";flags: A+; content:"|b420 b421 8bcc 83e9 048b 1933
c966 b910|"; reference:bugtraq,572; reference:cve,CVE-1999-0671;
classtype:attempted-user; sid:308; rev:2;)

sid: 882:
---
What type of specific recon is this supposed to get? 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:"WEB-CGI calendar access";
flags: A+; uricontent:"/calendar"; nocase;
classtype:attempted-recon; sid:882; rev:1;)

sid: 1003:
---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"WEB-IIS cmd? access";flags: A+; content:".cmd?&"; \
  nocase; classtype:web-application-attack; sid:1003; rev:2;)

does cmd? work against an IIS machine or do you have to specify the
extension as well?  I don't have an IIS to test against.

sid: 1002:
---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
       (msg:"WEB-IIS cmd.exe  access"; \
        flags: A+; content:"cmd.exe"; nocase; \
        classtype:web-application-attack; sid:1002; rev:2;)

change to "cmd.exe?" for true accesses?

sid: 611
---

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RSERVICES rsh login
failure";flags: A+; content: "|01|rlogind|3a| Permission
denied.";reference:arachnids,392; classtype:unsuccessful-user;
sid:611; rev:1;)


rservices.rules
---

Shouldn't the $HOME_NET any be $HOME_NET 513?

rservices.rules seems to have 514 everywhere the comment is "rlogin"
and 513 everywhere the comment is "rsh". In IANA, login is 513, shell is 514

-- 
Chris Green <cmg at ...26...>
You now have 14 minutes to reach minimum safe distance.
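Added example, not part of the post above and not Snort's own code: a small Python rule linter that parses a Snort 1.x rule header and option list, renders `content` strings as the bytes Snort actually searches for (so the URL-escaped string in sid 1082 can be read as `ref<script language="Javascript`), and flags r-service rules whose destination port or content disagrees with the service named in msg, which is the rservices.rules mix-up the post describes. The sid 1082 and sid 611 rules are taken from the post (sid 611 with its closing parenthesis supplied); the third rule and its sid 1000001 are constructed for the demonstration, and the port table is the IANA assignment the post cites.

```python
"""Tiny Snort-1.x rule linter (added example; not from the mailing-list post
and not part of the Snort project)."""
import re
from urllib.parse import unquote

# IANA assignments the post cites: login (rlogin) = 513, shell (rsh) = 514.
SERVICE_PORTS = {"rlogin": 513, "rsh": 514}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)
# keyword[:value]; where value is either a double-quoted string or bare text.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;"]*))?\s*;')
HEX_RE = re.compile(r"\|([0-9a-fA-F\s]+)\|")

# Sample rules: sid 1082 and sid 611 from the post, the third one constructed.
SAMPLE_RULES = [
    r"""alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80  \
      (msg:"WEB-MISC amazon 1-click cookie theft"; \
      flags: A+; content:"ref%3Cscript%20language%3D%22Javascript" \
      ; nocase; classtype:web-application-attack; sid:1082; rev:4; \
      reference:bugtraq,1194; reference:cve,CVE-2000-0439;)""",
    r"""alert tcp $EXTERNAL_NET any -> $HOME_NET any \
      (msg:"RSERVICES rsh login failure"; flags: A+; \
      content: "|01|rlogind|3a| Permission denied."; \
      reference:arachnids,392; classtype:unsuccessful-user; sid:611; rev:1;)""",
    # Constructed: comment says rsh, port is the rlogin port (the post's complaint).
    r"""alert tcp $EXTERNAL_NET any -> $HOME_NET 513 \
      (msg:"RSERVICES rsh login attempt (constructed)"; flags: A+; \
      content:"login"; classtype:attempted-user; sid:1000001; rev:1;)""",
]


def parse_rule(text):
    """Parse one rule (backslash line continuations allowed) into its header
    fields plus an ordered list of (keyword, value) options; value is None
    for flag-style keywords such as nocase."""
    flat = re.sub(r"\\\s*\n", " ", text.strip())   # join continued lines
    flat = " ".join(flat.split())                  # collapse whitespace
    m = HEADER_RE.match(flat)
    if not m:
        raise ValueError("not a rule: %r" % flat[:40])
    rule = {k: v for k, v in m.groupdict().items() if k != "opts"}
    options, pos, opts = [], 0, m.group("opts")
    while opts[pos:].strip():
        om = OPTION_RE.match(opts, pos)
        if not om:
            raise ValueError("unparsable option text: %r" % opts[pos:])
        value = om.group(2)
        options.append((om.group(1), None if value is None else value.strip().strip('"')))
        pos = om.end()
    rule["options"] = options
    return rule


def _literal(s, url_decode):
    if url_decode:
        s = unquote(s, encoding="latin-1")
    return s.encode("latin-1")


def decode_content(value, url_decode=False):
    """Render a content option as the bytes Snort searches for: |..| groups
    are hex bytes, everything else is literal.  With url_decode, %XX escapes
    are resolved too, which shows what an HTTP rule like sid 1082 is really
    looking for in the request."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(value):
        out += _literal(value[pos:m.start()], url_decode)
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += _literal(value[pos:], url_decode)
    return bytes(out)


def lint_rule(rule):
    """Findings for one rule: msg names an r-service but dport is not that
    service's port, or the decoded content names a daemon (rlogind/rshd) that
    msg does not mention."""
    findings = []
    sid = next((v for k, v in rule["options"] if k == "sid"), "?")
    msg = next((v for k, v in rule["options"] if k == "msg"), "")
    for name, port in SERVICE_PORTS.items():
        if re.search(r"\b%s\b" % name, msg, re.I) and rule["dport"] != str(port):
            findings.append("sid %s: msg names %s but dport is %s; expected %d"
                            % (sid, name, rule["dport"], port))
    contents = [decode_content(v) for k, v in rule["options"] if k == "content"]
    for daemon, name in (("rlogind", "rlogin"), ("rshd", "rsh")):
        if any(daemon.encode() in c for c in contents) and \
                not re.search(r"\b%s\b" % name, msg, re.I):
            findings.append("sid %s: content names %s (port %d) but msg does not say %s"
                            % (sid, daemon, SERVICE_PORTS[name], name))
    return findings


def lint_all(rules=SAMPLE_RULES):
    """Lint every rule; returns one findings list per rule, in order."""
    return [lint_rule(parse_rule(r)) for r in rules]


if __name__ == "__main__":
    for text, findings in zip(SAMPLE_RULES, lint_all()):
        rule = parse_rule(text)
        for k, v in rule["options"]:
            if k == "content":
                print(rule["dport"], decode_content(v, url_decode=True))
        for f in findings:
            print("  ", f)
```

Running the block prints each rule's decoded content next to its destination port, followed by the findings; sid 611 gets two, because its msg says rsh (so the port should be 514) while its content is rlogind output (so 513 is the port that actually fits the traffic), which is exactly the swap the post points out.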
