[Snort-sigs] Rules pondering

Chris Green cmg at ...26...
Mon Nov 12 12:35:02 EST 2001

Brian <bmc at ...95...> writes:

>> sid: 1063
>> ---
>> "csh.exe" C shell for Windows? 
> Yes.  Part of the cygwin package for windows.  

Ok, just trying to make sure it was as relatively obscure as I thought
it was. Just looked at a coworker's cygwin install and there is bash.exe
and tcsh.exe (no csh.exe).  There is one with UWIN from AT&T I
believe but again, all down the very obscure track.

>> sid: 572:
>> ---
>> Its an attack against FTP servers
> No, it's an attack against an FTP CLIENT.  NextFTP is a popular 'warez d00dz' 
> client.

Ah thanks.  Should have read a bit more carefully.   Rapid and
assessment shouldn't be combined as much :>

>> sid: 1003:
>> ---
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
>> (msg:"WEB-IIS cmd? acess";flags: A+; content:".cmd?&"; \
>>   nocase; classtype:web-application-attack; sid:1003; rev:2;)
>> does cmd? work against an IIS machine or do you have to specify the
>> extension as well?  I don't have an IIS to test against
> Used to, don't know if it still does.

Ok.  What's the ".cmd?" part this rule would miss?

The sans .exe needs to be tested but prefixed with '.' and a '?'
then a '&'.  I agree in trying to find stuff but I'm trying to figure
out what it's doing.

Perhaps this is for forms where you are somehow trying to get an extra
level of interpretation and your own set of arguments.  I have no doubt
there's an app broken this way, just trying to figure out what this is.

>> sid: 1002:
>> change to "cmd.exe?" for true accesses?
> Does HTTP POST pass its variables?  Again, I don't have access to an
> IIS box at the moment.  I'd also be hesitant to disable the signature
> as it could be included in a form variable of a broken web app.  HD
> Moore's presentation on making NT bleed documented a number of methods
> to break web apps.  This was one of them.

Ok. Fair enough to have the /bin/sh of NT rules. Perhaps have both
instead: .cmd.exe and cmd.exe?

Chris Green <cmg at ...26...>
A watched process never cores.
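An added example, not part of this thread or of the Snort rule set: a small Python model of Snort's `content` option with `nocase`, run over constructed HTTP request lines, to show which requests sid:1003's ".cmd?&" content fires on and which ones only a "cmd.exe?" content (here assumed as a hypothetical local sid 1000001) would catch. Only the content test is modelled; ports, flags and the rest of the rule header are ignored.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ContentRule:
    """Minimal model of a Snort rule: just sid, msg, content and nocase."""
    sid: int
    msg: str
    content: str
    nocase: bool = False

    def matches(self, payload: bytes) -> bool:
        # Snort `content` is a raw substring test over the packet payload;
        # `nocase` makes the comparison case-insensitive.
        needle = self.content.encode("latin-1")
        if self.nocase:
            return needle.lower() in payload.lower()
        return needle in payload


# sid:1003 as quoted in the thread, plus the "cmd.exe?" variant the thread
# proposes. sid 1000001 is a hypothetical local-rules number, not a real sid.
RULES: List[ContentRule] = [
    ContentRule(1003, "WEB-IIS cmd? access", ".cmd?&", nocase=True),
    ContentRule(1000001, "hypothetical cmd.exe? access", "cmd.exe?", nocase=True),
]


def firing_sids(payload: bytes, rules: List[ContentRule] = RULES) -> List[int]:
    """Return the sids of all rules whose content test matches the payload."""
    return [r.sid for r in rules if r.matches(payload)]


# Constructed request lines (not captured traffic) covering the cases the
# thread discusses: a direct cmd.exe request, a ".cmd?&" style request, and
# an ordinary request that should match nothing.
SAMPLES = {
    "direct":  b"GET /scripts/cmd.exe?/c+dir HTTP/1.0",
    "dotcmd":  b"GET /app/run.cmd?&arg=1 HTTP/1.0",
    "upper":   b"GET /app/RUN.CMD?&ARG=1 HTTP/1.0",
    "benign":  b"GET /index.html HTTP/1.0",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:8s} -> {firing_sids(line)}")
```

The "direct" request line, the one sid:1002/1003 were meant to cover, is matched by the "cmd.exe?" content but not by ".cmd?&", which is the gap the thread is circling.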
