[Snort-sigs] sid:1002 - cmd.exe

shanew at ...94... shanew at ...94...
Fri Sep 7 11:15:06 EDT 2001



Is the WEB-IIS rule for cmd.exe (sid 1002) intended to detect anybody
trying to call cmd.exe through some URL manipulation like this:

5018 4410 c227 0000 4745 5420 2f73 6372  |  P.D..'..GET /scr
6970 7473 2f2e 2e25 6330 2561 662e 2e2f  |  ipts/..%c0%af../
7769 6e6e 742f 7379 7374 656d 3332 2f63  |  winnt/system32/c
6d64 2e65 7865 3f2f 632b 6469 722b 633a  |  md.exe?/c+dir+c:
5c20 4854 5450 2f31 2e31 0d0a 4163 6365  |  \ HTTP/1.1..Acce

and this:

5018 2238 a8bf 0000 4745 5420 2f6d 7361  |  P."8....GET /msa
6463 2f2e 2e25 6530 2538 3025 6166 2e2e  |  dc/..%e0%80%af..
2f2e 2e25 6530 2538 3025 6166 2e2e 2f2e  |  /..%e0%80%af../.
2e25 6530 2538 3025 6166 2e2e 2f77 696e  |  .%e0%80%af../win
6e74 2f73 7973 7465 6d33 322f 636d 642e  |  nt/system32/cmd.
6578 653f 2f63 2b64 6972 2b2e 2e5c 2048  |  exe?/c+dir+..\ H

I ask because I was getting false positives from Code Red 2.  The rule
looks for cmd.exe regardless of case and somewhere in the middle of
the Code Red 2 mess is the string "\CMD.EXE"

I changed the rule to look for cmd.exe? regardless of case (maybe
/cmd.exe? would be better), and Code Red no longer sets it off, but
I'm not sure whether I've changed the intent of the rule or not.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...94...
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew



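To make the difference between the original and the narrowed content match concrete, here is an added Python example (not from the post and not the Snort rule set's own code) that emulates a Snort `content:"..."; nocase;` test as a plain case-insensitive substring search over two constructed payloads: the Unicode traversal request quoted above and a worm-like body that merely contains "\CMD.EXE". The `content_match` helper and both sample payloads are assumptions for illustration; the real sid 1002 rule carries additional options (flow, uricontent) that are not modelled here.

```python
# Constructed sample payloads (not the actual Code Red worm body).
# 1. The Unicode directory-traversal request quoted in the post.
TRAVERSAL_REQUEST = (
    b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1\r\n"
    b"Accept: */*\r\n\r\n"
)
# 2. A worm-like request whose binary body contains "\CMD.EXE" but never
#    calls cmd.exe through the URL; this is the false-positive case.
WORM_LIKE_PAYLOAD = (
    b"GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0\r\n\r\n"
    + b"\x90" * 16
    + b"C:\\WINNT\\SYSTEM32\\CMD.EXE"
    + b"\x00" * 16
)


def content_match(payload: bytes, content: bytes, nocase: bool = True) -> bool:
    """Emulate a Snort content test: a substring search over the payload.

    With nocase (the form the post discusses), both sides are lower-cased
    before the search, so "\\CMD.EXE" in a worm body satisfies "cmd.exe".
    """
    if nocase:
        return content.lower() in payload.lower()
    return content in payload


# Candidate content strings from the post, most permissive first.
RULES = {
    "original (cmd.exe)": b"cmd.exe",
    "query marker (cmd.exe?)": b"cmd.exe?",
    "path separator (/cmd.exe?)": b"/cmd.exe?",
}


def evaluate(payload: bytes) -> dict:
    """Return, per candidate content string, whether it fires on the payload.

    The narrowed strings stop the worm-body false positive, but they also
    miss a request for cmd.exe that carries no "?" query string; that is the
    detection trade-off the poster is asking about.
    """
    return {name: content_match(payload, content) for name, content in RULES.items()}


if __name__ == "__main__":
    for label, payload in (("traversal", TRAVERSAL_REQUEST), ("worm-like", WORM_LIKE_PAYLOAD)):
        print(label, evaluate(payload))
```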