[Snort-sigs] Any reason for "nocase;" in web-attacks.rules?

Robert Wagner rwagner at ...447...
Fri Apr 19 07:32:12 EDT 2002

In theory, unix commands are all lower case.  I guess the nocase catches the
stupid attacker that doesn't know this.  Another area where it would also
catch someone is if they realize that you are only monitoring lower case
attacks so maybe they try and fool you by attacking a Perl script with ->
lc("/BIN/PS") command or such thus converting an upper case command to lower

I think I would want to know both cases - Maybe it is a lack of total trust
with the webmaster.  Just me 2 cents.  Anyone else's ideas?

-----Original Message-----
From: Crow, Owen [mailto:Owen_Crow at ...449...]
Sent: Friday, April 19, 2002 8:24 AM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] Any reason for "nocase;" in web-attacks.rules?

Almost all of the rules in the file appear to be targeted at Unix systems,
but every rule has "nocase;".  For example:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS ps command
attempt"; flags:A+; uricontent:"/bin/ps"; nocase;
classtype:web-application-attack; sid:1328; rev:2;)

The only situation where nocase would help would be a Win32 target with
Cygwin installed.  So removing nocase should speed up the comparisons and
eliminate false positives, right?

Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.

Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list