[Snort-sigs] Question about sid: 1002

Daniel J. Roelker droelker at ...435...
Thu Apr 3 11:22:32 EST 2003


Since "cmd.exe" is a content option, it is matched against an
unnormalized URI, which means you can do things like:

/winnt/system32/cmd.exe/././././?/c+dir+/B+c:\\
/winnt/system32/cmd.exe///////./?/c+ver

So we wouldn't match those attacks if you were looking for "cmd.exe?".

I'm sure there is a better way to reduce false positives though.  Maybe
by looking for a '?' after the cmd.exe search, but no space/tab before
the '?', which would indicate the end of the URI.

Daniel Roelker
droelker at ...435...

On Thu, 2003-04-03 at 12:29, Paul Schmehl wrote:
> On Thu, 2003-04-03 at 09:05, Brian wrote:
> > 
> > Because you would not pick up the scanners that just look for cmd.exe
> > 
> OK, but in order to actually exploit the vulnerability, don't you have
> to use the question mark format?
> 
> (The problem I'm seeing is FPs every time someone runs WindowsUpdate,
> which is quite frequent on our campus.  It obscures the boxes that are
> actually infected with CodeRed.)
> 
> -- 
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member
> 
> 
> 
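The difference between a raw content match and a normalized-URI match, together with Daniel's "'?' after cmd.exe with no space or tab before it" heuristic, as an added Python example that is not part of this thread or of Snort. The sample requests, the `normalize_uri` routine and the function names are constructed for illustration and are not Snort's own preprocessor logic.

```python
from urllib.parse import unquote

CMD = "cmd.exe"

# Constructed sample requests: the two evasions quoted in the thread, a
# plain "cmd.exe?" request, and a bare cmd.exe probe whose only '?' sits in
# a later header (whitespace precedes that '?', so it is outside the URI).
SAMPLE_REQUESTS = [
    "GET /winnt/system32/cmd.exe/././././?/c+dir+/B+c:\\\\ HTTP/1.0\r\n\r\n",
    "GET /winnt/system32/cmd.exe///////./?/c+ver HTTP/1.0\r\n\r\n",
    "GET /winnt/system32/cmd.exe?/c+ver HTTP/1.0\r\n\r\n",
    "GET /downloads/cmd.exe HTTP/1.0\r\nReferer: http://www.example.com/?p=1\r\n\r\n",
]

def request_uri(request: str) -> str:
    """Return the request-target from the request line (method SP target SP version)."""
    return request.split("\r\n", 1)[0].split(" ")[1]

def normalize_uri(uri: str) -> str:
    """Decode %xx escapes in the path, drop '.' segments and collapse runs of '/'.
    Assumed normalisation; the query string is left untouched."""
    path, sep, query = uri.partition("?")
    segments = [s for s in unquote(path).split("/") if s not in ("", ".")]
    return "/" + "/".join(segments) + sep + query

def raw_literal_match(request: str) -> bool:
    """Plain content match for 'cmd.exe?' on the unnormalised request bytes."""
    return CMD + "?" in request

def normalized_match(request: str) -> bool:
    """'cmd.exe?' checked against the normalised request URI instead."""
    return CMD + "?" in normalize_uri(request_uri(request))

def whitespace_bounded_query_match(request: str) -> bool:
    """Daniel's heuristic on the raw request: 'cmd.exe' followed by a '?'
    with no space or tab in between (whitespace marks the end of the URI)."""
    start = request.find(CMD)
    if start == -1:
        return False
    tail = request[start + len(CMD):]
    qmark = tail.find("?")
    if qmark == -1:
        return False
    return not any(ch in " \t" for ch in tail[:qmark])

def evaluate(requests=SAMPLE_REQUESTS):
    """Tabulate (raw literal, normalised, heuristic) verdicts per request."""
    return [(raw_literal_match(r), normalized_match(r),
             whitespace_bounded_query_match(r)) for r in requests]

if __name__ == "__main__":
    for req, verdicts in zip(SAMPLE_REQUESTS, evaluate()):
        print(request_uri(req), verdicts)
```

The two evasions fail the raw "cmd.exe?" match but pass both the normalised match and the heuristic, while the bare probe whose only '?' follows whitespace is rejected by all three.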
