[Snort-sigs] Rules pondering

Chris Green cmg at ...26...
Mon Nov 12 11:00:02 EST 2001

Here are some rules I've gone over. For some of them I know what traffic
they match but not what app is on the other end. Others seem to have
slight mistakes.

sid: 1063
"csh.exe" C shell for Windows? 

sid: 1082

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80  \
      (msg:"WEB-MISC amazon 1-click cookie theft"; \
      flags: A+; content:"ref%3Cscript%20language%3D%22Javascript" \
      ; nocase; classtype:web-application-attack; sid:1082; rev:4; \
      reference:bugtraq,1194; reference:cve,CVE-2000-0439;)

Is this to catch people posting javascript to your webservers?

I'm having troubles finding when the following string would be sent:
   ref<script language="Javascript

perhaps href="...." was the goal?

sid: 573:

Fujitsu Chocoa "Topic" Buffer Overflow Vulnerability is what secfocus
calls it.  Since it's only against an obscure irc client, it should be
EXTERNAL_NET 6666:6669 or something like that, and the msg should be
more descriptive.

 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT IRC client
 overflow";flags: A+; content:"|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8
 50 77|"; reference:cve,CVE-1999-0672; reference:bugtraq,573;
 classtype:attempted-user; sid:307; rev:1;)

sid: 572:

It's an attack against FTP servers.

Should only be against $HOME_NET 21.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT NextFTP
client overflow";flags: A+; content:"|b420 b421 8bcc 83e9 048b 1933
c966 b910|"; reference:bugtraq,572; reference:cve,CVE-1999-0671;
classtype:attempted-user; sid:308; rev:2;)

sid: 882:
What type of specific recon is this supposed to get? 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:"WEB-CGI calendar access";
flags: A+; uricontent:"/calendar"; nocase;
classtype:attempted-recon; sid:882; rev:1;)

sid: 1003:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"WEB-IIS cmd? acess";flags: A+; content:".cmd?&"; \
  nocase; classtype:web-application-attack; sid:1003; rev:2;)

does cmd? work against an IIS machine or do you have to specify the
extension as well?  I don't have an IIS to test against

sid: 1002:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
       (msg:"WEB-IIS cmd.exe  access"; \
        flags: A+; content:"cmd.exe"; nocase; \
        classtype:web-application-attack; sid:1002; rev:2;)

change to "cmd.exe?" for true accesses?

sid: 611

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RSERVICES rsh login
failure";flags: A+; content: "|01|rlogind|3a| Permission
denied.";reference:arachnids,392; classtype:unsuccessful-user;
sid:611; rev:1;)


Shouldn't the $HOME_NET any be $HOME_NET 513?

rservices.rules seems to have 514 everywhere the comment is "rlogin"
and 513 everywhere the comment is "rsh". In IANA, login is 513, shell is 514.

Chris Green <cmg at ...26...>
You now have 14 minutes to reach minimum safe distance.
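As an added example (not part of the original post or of the Snort ruleset), here is a small Python linter for the kind of problems raised above: an option list that never closes, hex content with an odd number of digits, and a destination port of "any" on a rule whose msg or content names a specific service. The sample input is the rules quoted in the post; the service-to-port table is assumed from the poster's own notes (login 513, shell 514, FTP 21, IRC 6666:6669) and is an illustration, not a complete IANA table.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed input: rules quoted in the post, kept verbatim (including the
# sid:611 rule's missing closing parenthesis) so the linter has something to find.
RULES: Dict[str, str] = {
    "nextftp": r"""alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT NextFTP
client overflow";flags: A+; content:"|b420 b421 8bcc 83e9 048b 1933
c966 b910|"; reference:bugtraq,572; reference:cve,CVE-1999-0671;
classtype:attempted-user; sid:308; rev:2;)""",
    "rsh": r"""alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RSERVICES rsh login
failure";flags: A+; content: "|01|rlogind|3a| Permission
denied.";reference:arachnids,392; classtype:unsuccessful-user;
sid:611; rev:1;""",
    "amazon": r"""alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
      (msg:"WEB-MISC amazon 1-click cookie theft"; \
      flags: A+; content:"ref%3Cscript%20language%3D%22Javascript" \
      ; nocase; classtype:web-application-attack; sid:1082; rev:4; \
      reference:bugtraq,1194; reference:cve,CVE-2000-0439;)""",
}

# Assumed service table, taken from the ports the poster cites; not a full IANA list.
SERVICE_PORTS = {"rlogin": "513", "rsh": "514", "ftp": "21", "irc": "6666:6669"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)$"
)
HEX_RE = re.compile(r"\|([^|]*)\|")


def normalize(text: str) -> str:
    """Join backslash-continued and mail-wrapped lines into one logical rule line."""
    text = re.sub(r"\\\s*\n", " ", text)
    return " ".join(text.split())


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the option body on ';' outside double quotes into (keyword, value) pairs."""
    parts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    opts: List[Tuple[str, str]] = []
    for part in parts:
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            opts.append((key.strip(), value.strip().strip('"')))
    return opts


def parse_rule(text: str) -> Dict[str, Any]:
    """Parse the header fields and option list; records whether the ')' was present."""
    line = normalize(text)
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a recognisable Snort rule header: %r" % line[:40])
    rule: Dict[str, Any] = m.groupdict()
    body = rule.pop("body").strip()
    rule["closed"] = body.endswith(")")
    rule["options"] = split_options(body[:-1] if rule["closed"] else body)
    return rule


def lint_rule(text: str) -> List[str]:
    """Return human-readable findings for one rule; an empty list means nothing flagged."""
    rule = parse_rule(text)
    opts: List[Tuple[str, str]] = rule["options"]
    keys = {k for k, _ in opts}
    findings: List[str] = []
    if not rule["closed"]:
        findings.append("missing closing parenthesis after the option list")
    for required in ("msg", "sid", "rev"):
        if required not in keys:
            findings.append("missing %s option" % required)
    for key, value in opts:
        if key == "content":
            for hexpart in HEX_RE.findall(value):
                digits = hexpart.replace(" ", "")
                if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
                    findings.append("malformed hex in content: |%s|" % hexpart)
    # Port consistency: which services does msg/content name, and does the
    # destination port actually pin the rule to one of them?
    haystack = " ".join(v for k, v in opts if k in ("msg", "content")).lower()
    services = [s for s in SERVICE_PORTS if s in haystack]
    if len(services) > 1:
        findings.append("mixes service names %s; check which port it should be bound to"
                        % ", ".join("%s (%s)" % (s, SERVICE_PORTS[s]) for s in services))
    elif len(services) == 1 and rule["dport"] == "any":
        findings.append("destination port is 'any' but the rule names %s; consider %s"
                        % (services[0], SERVICE_PORTS[services[0]]))
    return findings


if __name__ == "__main__":
    for name, rule_text in RULES.items():
        print(name, "->", lint_rule(rule_text) or ["ok"])
```

Run as a script it prints one line per sample rule; the sid:611 rule is reported for both the unclosed option list and the rlogin/rsh mix, the NextFTP rule for its "any" destination port, and the amazon rule comes back clean.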
