[Snort-sigs] anyone have a snort sig for the apache-chunk exploit?

Andreas Östling andreaso at ...58...
Thu Jun 20 02:21:05 EDT 2002


A few sigs that may be useful...


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg: "Apache chunked encoding exploit, AAAAA padding"; flags: A+; \
content: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg: "Apache chunked encoding exploit, h/sh.h/bin (i.e. /bin/sh) attempt"; \
flags: A+; content: "|68 2f 73 68 00 68 2f 62 69 6e|";)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg: "Apache chunked encoding exploit, /bin/sh attempt"; flags: A+; \
content: "/bin/sh";)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg: "Apache chunked encoding exploit, uname -a"; flags: A+; \
content: "uname -a";)


Look for signs of a successful exploit:


alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
(msg: "id check returned www"; flags: A+; \
content: "uid="; content: "(www)";)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
(msg: "id check returned nobody"; flags: A+; \
content: "uid="; content: "(nobody)";)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
(msg: "id check returned web"; flags: A+; \
content: "uid="; content: "(web)";)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
(msg: "id check returned http"; flags: A+; \
content: "uid="; content: "(http)";)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
(msg: "id check returned apache"; flags: A+; \
content: "uid="; content: "(apache)";)


etc...

/Andreas
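The rules above rely on two pieces of Snort `content:` syntax: a `|..|` section is a list of hex bytes, and a rule with several `content:` options fires only when every one of them appears somewhere in the payload (they need not be adjacent). The following is an added example, not code from the post or from the Snort project: a minimal matcher that parses that content syntax and runs the post's request and response rules over constructed sample payloads, so a defender can check what each rule would and would not catch before deploying it. Rule messages, payloads and the helper names are all this example's own.

```python
from typing import List, Tuple

# Minimal parser for the Snort "content:" option syntax used in the post:
# literal text with optional |xx xx| hex sections. It supports only what
# those rules use (no negation, offset/depth, or nocase modifiers).
def parse_content(spec: str) -> bytes:
    out = bytearray()
    parts = spec.split("|")
    for i, part in enumerate(parts):
        if i % 2 == 0:
            # even-indexed pieces are literal text
            out += part.encode("latin-1")
        else:
            # odd-indexed pieces are whitespace-separated hex bytes
            out += bytes(int(h, 16) for h in part.split())
    return bytes(out)

# A rule here is (msg, [content specs]); every content string must be
# present in the payload, because Snort ANDs multiple content options.
REQUEST_RULES: List[Tuple[str, List[str]]] = [
    ("Apache chunked encoding exploit, AAAAA padding",
     ["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"]),
    ("Apache chunked encoding exploit, h/sh.h/bin (i.e. /bin/sh) attempt",
     ["|68 2f 73 68 00 68 2f 62 69 6e|"]),
    ("Apache chunked encoding exploit, /bin/sh attempt", ["/bin/sh"]),
    ("Apache chunked encoding exploit, uname -a", ["uname -a"]),
]

# Server-to-client rules: "uid=" plus the parenthesised account name,
# the way the post looks for output of an "id" command.
RESPONSE_RULES: List[Tuple[str, List[str]]] = [
    ("id check returned " + name, ["uid=", "(%s)" % name])
    for name in ("www", "nobody", "web", "http", "apache")
]

def rule_matches(contents: List[str], payload: bytes) -> bool:
    """True when every content pattern of the rule occurs in the payload."""
    return all(parse_content(c) in payload for c in contents)

def match_rules(rules: List[Tuple[str, List[str]]], payload: bytes) -> List[str]:
    """Return the msg of every rule that fires on this payload, in rule order."""
    return [msg for msg, contents in rules if rule_matches(contents, payload)]

# Constructed sample payloads (not real captures).
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    + b"A" * 80
    + b"\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n\r\n"
    b"uid=99(nobody) gid=99(nobody) groups=99(nobody)\n"
)
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n<html>hello</html>"

if __name__ == "__main__":
    print("request :", match_rules(REQUEST_RULES, SAMPLE_REQUEST))
    print("response:", match_rules(RESPONSE_RULES, SAMPLE_RESPONSE))
    print("benign  :", match_rules(RESPONSE_RULES, BENIGN_RESPONSE))
```

Running it shows the sample request tripping only the padding and hex-encoded rules (the plain `/bin/sh` and `uname -a` strings are absent from it), and the sample response tripping only the `nobody` rule. Because the response rules match ordinary `id` output anywhere in a packet, any legitimate page that echoes such output will fire them too, which is worth knowing before treating them as high-confidence indicators.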
