[Snort-sigs] New Rules

zeno zeno at ...354...
Fri Feb 8 11:25:05 EST 2002


Hello,

I have some more rules you may be interested in for use with snort.
Please ignore my categories and id numbers; it's something rough I used
just to make it work. Besides, you know how to categorize it; you wrote the darn thing!

# See guninski's advisory, rule 1
# NOTE: uricontent matches the NORMALIZED request URI, so an encoded space (%20) in the
# rule must be written as a literal space or the rule will never fire once http_decode runs.
# NOTE: sid values are reused below (190006 appears several times); Snort needs a unique sid
# per rule, so renumber before loading.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Attempted IMG-Javascript Cross Site Scripting Attack"; flags:A+; uricontent:"img src=javascript"; nocase; classtype:Attempted-Cross-Site-Scripting; sid:190005; rev:2;)

(Oftentimes cross site scripting is tested using this method. It is VERY common.)

# rule 2 (normalized URI: "%20*" becomes " *")
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"%20* Request: Possible Command execution Attempt"; flags:A+; uricontent:" *"; nocase; classtype:Attempted-Directory-listing; sid:190006; rev:2;)
Example: ls -al *
(ls%20-al%20* via a CGI attack)

# rule 3
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"` Request: Possible Command execution Attempt"; flags:A+; uricontent:"`"; nocase; classtype:Attempted-Directory-listing; sid:190006; rev:2;)
Backtick command execution attempt, like `id`.

# rule 4 (normalized URI: "%20&" becomes " &")
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"%20& Attempted Process Background"; flags:A+; uricontent:" &"; nocase; classtype:attempted-recon; sid:190008; rev:2;)
./oday host &

# rule 5
This one is always good to have.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Misc .log Logfile Access"; flags:A+; uricontent:".log"; nocase; classtype:attempted-recon; sid:190009; rev:2;)

# rule 6
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"%u IIS Encoding Detected: Possible encoded attack"; flags:A+; uricontent:"%u"; nocase; classtype:attempted-recon; sid:190011; rev:2;)

The %u encoding IDS bypass mentioned by eeye.com.

# rule 7 (backslashes must be escaped as \\ inside Snort strings)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WINNT\\system32\\LogFiles Attempted IIS Logfile Access"; flags:A+; uricontent:"WINNT\\system32\\LogFiles"; nocase; classtype:attempted-recon; sid:190012; rev:2;)
Windows logfiles that may be deleted by a worm or an attacker.

# rule 8 (User-Agent is a request header, not part of the URI, so use content: rather than uricontent:)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"User-Agent Possible javascript Insertion Attempt"; flags:A+; content:"User-Agent: javascript"; nocase; classtype:Attempted-Directory-listing; sid:190006; rev:2;)
(Read my paper on web statistical software and header manipulation:
http://www.cgisecurity.com/papers/header-based-exploitation.txt)

# rule 9 (Referer is a request header, so use content: rather than uricontent:)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Referer Possible Javascript Insertion Attempt"; flags:A+; content:"Referer: javascript"; nocase; classtype:Attempted-Directory-listing; sid:190006; rev:2;)

Also snort isn't reading these signatures properly. Do I have the wrong syntax?
Either way I'll provide the bare bones signature for you anyways.

All of these are based on my other paper:
http://www.cgisecurity.com/papers/header-based-exploitation.txt

# Rule 10 (header match, so content: rather than uricontent:)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Referer Based SSI Insertion Attempt"; flags:A+; content:"Referer: <!--#"; nocase; classtype:Attempted-Directory-listing; sid:190006; rev:2;)

# rule 11 (header match; the User-Agent prefix keeps it from firing on every HTML comment in a URI)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"User-Agent Based SSI Insertion Attempt"; flags:A+; content:"User-Agent: <!--#"; nocase; classtype:Attempted-Directory-listing; sid:190006; rev:2;)

The core rule is:

#rule 10
Referer: <!--

(example: <!--#exec cmd="/bin/id"-->)
Should pick up all attempts at SSI insertion. Useful for cross site scripting type problems.

#rule 11
User-Agent: <!--
(example: <!--#exec cmd="/bin/id"--> or <!--virtual INCLUDE="/file"-->)
Should pick up all attempts at SSI insertion. Useful for cross site scripting type problems.
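To show why the URI rules and the header rules need different match options, here is an added Python model (not code from the post or from Snort) of the two buffers Snort inspects: uricontent is checked against the percent-decoded request URI, content against the raw request including its headers. The rule names, the sample requests and the helper names are constructed for this illustration.

```python
from urllib.parse import unquote

# uricontent-style patterns. Snort tests these against the NORMALIZED request URI,
# so an encoded space (%20) in the rule must be written as a literal space here.
URI_RULES = [
    ("IMG-Javascript Cross Site Scripting", "img src=javascript"),
    ("%20* Possible Command Execution", " *"),
    ("Backtick Possible Command Execution", "`"),
    ("Misc .log Logfile Access", ".log"),
    ("%u IIS Encoding", "%u"),
]
# content-style patterns. Request headers are not part of the URI, so a header
# string can only be found by searching the whole request payload.
HEADER_RULES = [
    ("Referer Javascript Insertion", "referer: javascript"),
    ("User-Agent Javascript Insertion", "user-agent: javascript"),
    ("Referer SSI Insertion", "referer: <!--#"),
    ("User-Agent SSI Insertion", "user-agent: <!--#"),
]

def split_request(raw):
    """Return (normalized URI, raw header block) for one HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition("\r\n")
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    return unquote(uri), headers

def inspect(raw):
    """Return the msg of every rule that fires on the request (nocase matching)."""
    uri, headers = split_request(raw)
    uri, headers = uri.lower(), headers.lower()
    hits = [msg for msg, pat in URI_RULES if pat in uri]
    hits += [msg for msg, pat in HEADER_RULES if pat in headers]
    return hits

# Constructed sample requests (not taken from any real traffic).
SAMPLES = {
    "img_xss": "GET /guestbook.cgi?name=<img%20src=javascript:alert(1)> HTTP/1.0\r\n"
               "Host: www.example.com\r\n\r\n",
    "backtick_referer_ssi": "GET /cgi-bin/finger.cgi?user=`id` HTTP/1.0\r\n"
                            "Host: www.example.com\r\n"
                            'Referer: <!--#exec cmd="/bin/id"-->\r\n\r\n',
    "benign": "GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
              "User-Agent: Mozilla/4.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(name, "->", inspect(request))
```

Note that the literal "img%20src=javascript" from the original rule 1 never appears in the decoded URI buffer, which is why the space has to be written out in the uricontent string.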


If you have any questions, email me.


- admin at ...355... aka zenomorph
