[Snort-sigs] Rules pondering

Brian bmc at ...95...
Mon Nov 12 11:40:07 EST 2001


According to Chris Green:
> Here are some rules I've gone over. For some of them I know what traffic
> they match but not what app is on the other end. Others seem to have
> slight mistakes.
> 
> sid: 1063
> ---
> "csh.exe" C shell for Windows? 

Yes.  Part of the cygwin package for windows.  

> sid: 1082
> ---
> http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=discussion&id=1194
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80  \
>       (msg:"WEB-MISC amazon 1-click cookie theft"; \
>       flags: A+; content:"ref%3Cscript%20language%3D%22Javascript" \
>       ; nocase; classtype:web-application-attack; sid:1082; rev:4; \
>       reference:bugtraq,1194; reference:cve,CVE-2000-0439;)
> 
> Is this to catch people posting javascript to your webservers?
> 
> I'm having troubles finding when the following string would be sent:
>    ref<script language="Javascript
> 
> perhaps href="...." was the goal?

Hrm.  Going to punt on that one for a bit.  


> sid: 573:
> ---
> 
> Fujitsu Chocoa "Topic" Buffer Overflow Vulnerability is what secfocus
> calls it.  Since it's only against an obscure irc client, it should be
> EXTERNAL_NET 6666:6669 or something like that and the msg should be
> more descriptive

Agreed.  Set it to 6666:7000 (since we can't do multiple ranges and
IRC servers do reside on 7000).  Also changed the MSG.


> sid: 572:
> ---
> 
> It's an attack against FTP servers.
> 
> Should only be against $HOME_NET 21 

No, it's an attack against an FTP CLIENT.  NextFTP is a popular 'warez d00dz' 
client.  FTP servers that sit on other ports could cause this one
issues.  However, so as to avoid false positives, I have changed the
port to be 21.

> sid: 882:
> ---
> What type of specific recon is this supposed to get? 
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
> (msg:"WEB-CGI calendar access";
> flags: A+; uricontent:"/calendar"; nocase;
> classtype:attempted-recon; sid:882; rev:1;)



> sid: 1003:
> ---
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
> (msg:"WEB-IIS cmd? acess";flags: A+; content:".cmd?&"; \
>   nocase; classtype:web-application-attack; sid:1003; rev:2;)
> 
> does cmd? work against an IIS machine or do you have to specify the
> extension as well?  I don't have an IIS to test against

Used to, don't know if it still does.


> sid: 1002:
> ---
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
>        (msg:"WEB-IIS cmd.exe  access"; \
>         flags: A+; content:"cmd.exe"; nocase; \
>         classtype:web-application-attack; sid:1002; rev:2;)
> 
> change to "cmd.exe?" for true accesses?

Does HTTP POST pass its variables?  Again, I don't have access to an
IIS box at the moment.  I'd also be hesitant to disable the signature
as it could be included in a form variable of a broken web app.  HD
Moore's presentation on making NT bleed documented a number of methods
to break web apps.  This was one of them.

> sid: 611
> ---
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RSERVICES rsh login
> failure";flags: A+; content: "|01|rlogind|3a| Permission
> denied.";reference:arachnids,392; classtype:unsuccessful-user;
> sid:611; rev:1;)
> 
> 
> rservices.rules
> ---
> 
> Shouldn't the $HOME_NET any be $HOME_NET 513?
> 
> rservices.rules seems to have 514 everywhere the comment is "rlogin"
> and 513 everywhere the comment is "rsh". In IANA, login is 513, shell is 514

Yes, yes.  That's also on my todo list.  

-- 
Did you know that "Gullible" is not in the dictionary?
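Chris's rservices.rules point (rlogin is 513, rsh is 514, and the file appears to have them swapped) is the kind of thing worth checking mechanically rather than by eye. The following is an added example, not code from this thread or from the Snort distribution: it joins backslash-continued rule lines, pulls the destination port and msg out of each Snort 1.x rule, and flags rlogin/rsh rules whose port is "any" or disagrees with the IANA assignment. The sample rules are constructed (sid 611 is the rule quoted above; the sids above 1000000 are made up for the demonstration).

```python
import re
# IANA assignments cited in the thread: login (rlogin) is 513/tcp, shell (rsh) is 514/tcp.
IANA_PORT = {"rlogin": 513, "rsh": 514}
# Snort 1.x header "action proto src sport dir dst dport (options)"; only dst, dport and opts are kept.
HEADER_RE = re.compile(
    r"^\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# One "keyword: value;" option; the value is a quoted string or runs to the next ';'.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
# Constructed sample in the style of rservices.rules: sid 611 is the rule quoted in the thread,
# the two sids above 1000000 are made-up local rules that show the rlogin/rsh port swap.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RSERVICES rsh login failure"; \
  flags: A+; content: "|01|rlogind|3a| Permission denied."; reference:arachnids,392; \
  classtype:unsuccessful-user; sid:611; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rlogin root"; flags: A+; content:"root|00|root|00|"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh root"; flags: A+; content:"root|00|root|00|"; sid:1000002; rev:1;)
'''

def logical_rules(text):
    """Yield one rule per item, joining lines continued with a trailing backslash."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def parse_rule(rule):
    """Return dst, dport and an 'options' dict (msg, sid, ...) for one rule, or None."""
    m = HEADER_RE.match(rule)
    if not m:
        return None
    fields = m.groupdict()
    fields["options"] = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(fields.pop("opts"))}
    return fields

def lint_rservices(text):
    """Flag rlogin/rsh rules whose destination port is 'any' or disagrees with IANA."""
    findings = []
    for rule in logical_rules(text):
        if (r := parse_rule(rule)) is None:
            continue
        service = next((s for s in IANA_PORT if s in r["options"].get("msg", "").lower()), None)
        if service and r["dport"] != str(IANA_PORT[service]):
            findings.append((r["options"].get("sid", "?"), f"dst port {r['dport']} but msg says {service} (IANA {IANA_PORT[service]})"))
    return findings
```

Running `lint_rservices(SAMPLE_RULES)` reports sid 611 (port any) and the constructed sid 1000001 (rlogin on 514), and is silent on the correctly assigned rsh rule.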