[Snort-sigs] WEB-ATTACKS rules

Blake Frantz blake at ...363...
Mon Jun 10 09:03:01 EDT 2002


The WEB-ATTACKS rule set has a number of rules that check for "<some
command> command attempt" using 'content'.  According to the .rules header:

"These signatures are generic signatures that will catch common commands
used to exploit form variable vulnerabilities."

These rules can be fired by matching the contents of HTTP parameters
such as cookie, referrer, accept, host, user-agent, etc.  In an effort
to limit the amount of false positives, shouldn't these rules be using
'uricontent' instead?  I understand that it would be suspicious to find
/bin/ping (or the like) in any of these parameters, but could that
presence ever yield a 'command attempt' via a 'form variable
vulnerability'?  To the best of my knowledge these 'command
attempts' would only be found in the actual GET/PUT/etc portion of the
request.  Then again, I could be wrong.

Thanks for any feedback.
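The difference the post asks about, as an added illustration that is not part of the original message or of the Snort rule set: a minimal simulation of how a 'content' match (anywhere in the request payload) and a 'uricontent' match (request URI only) behave on constructed requests carrying /bin/ping in the query string versus in a header. The rule bodies in the comments are constructed for illustration, not the actual WEB-ATTACKS rules, and the URI handling is a simplification of what Snort's HTTP preprocessor does.

```python
from urllib.parse import unquote

# Constructed rule bodies (illustrative, not the real WEB-ATTACKS rules):
#   content-based:    content:"/bin/ping"; nocase;
#   uricontent-based: uricontent:"/bin/ping"; nocase;
PATTERN = "/bin/ping"

def request_uri(raw: str) -> str:
    """Return the URI from the request line of a raw HTTP request.
    Simplified parser: the URI is the second token of the first line."""
    request_line = raw.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""

def content_match(raw: str, pattern: str = PATTERN) -> bool:
    """'content' with nocase: the pattern may sit anywhere in the payload,
    in the request line, in any header, or in the body."""
    return pattern.lower() in raw.lower()

def uricontent_match(raw: str, pattern: str = PATTERN) -> bool:
    """'uricontent' with nocase: the pattern must appear in the request URI.
    Simplification: Snort matches against the URI normalized by its HTTP
    preprocessor; here we only percent-decode the request-line URI."""
    return pattern.lower() in unquote(request_uri(raw)).lower()

def which_rules_fire(raw: str) -> dict:
    """Report which of the two constructed rules would alert on a request."""
    return {"content": content_match(raw), "uricontent": uricontent_match(raw)}

# Constructed sample requests (not captured traffic)
IN_QUERY = (
    "GET /cgi-bin/form.cgi?host=/bin/ping HTTP/1.0\r\n"
    "Host: www.example.test\r\n\r\n"
)
IN_HEADER = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: /bin/ping\r\n\r\n"
)
CLEAN = "GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("in_query", IN_QUERY), ("in_header", IN_HEADER), ("clean", CLEAN)):
        print(name, which_rules_fire(req))
```

The header-borne case is the one the post singles out: only the 'content' form alerts on it, so switching to 'uricontent' trades that alert for fewer false positives from headers such as User-Agent or Referer.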

