[Snort-sigs] Question about sid: 1002

Paul Schmehl pauls at ...1311...
Thu Apr 3 12:58:31 EST 2003


On Thu, 2003-04-03 at 13:05, Daniel J. Roelker wrote:
> Since "cmd.exe" is a content option, that means that it is matching
> against an unnormalized URI.  Which means you can do things like:
> 
> /winnt/system32/cmd.exe/././././?/c+dir+/B+c:\\
> /winnt/system32/cmd.exe///////./?/c+ver
> 
> So we wouldn't match those attacks, if you were looking for "cmd.exe?".
> 
> I'm sure there is a better way to reduce false positives though.  Maybe
> by looking for a '?' after the cmd.exe search, but no space/tab before
> the '?', which would indicate the end of the URI.
> 
OK.  So something like content: "cmd.exe"; nocase; depth: 0; content:
![20]; depth: 0; content: ![09]; depth: 0; content: "?"; might work
better?  (I'm still trying to understand the intricacies of rule
writing, so I'm sure this isn't anywhere near perfect.)

-- 
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
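The normalization point Daniel raises above is easy to see in a few lines of code. What follows is an added example written for this page; it is not code from the thread or from Snort. It takes the two evasive request URIs quoted above plus a few constructed request lines (an encoded variant and two benign ones), and runs three checks over each: a literal "cmd.exe?" substring match on the raw bytes, Daniel's heuristic ("cmd.exe" followed later by "?" with no space or tab in between) on the raw bytes, and the same heuristic after an approximate URI normalization. The `normalize_uri` function is a hypothetical stand-in for what an HTTP decoder does (percent-decoding, collapsing slashes, dropping "." and ".." segments), not Snort's actual preprocessor logic.

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP request lines (not captured traffic). The two
# evasions are the ones quoted in the thread; the others are added here to
# show how each strategy treats an encoded variant and benign-looking requests.
SAMPLES = {
    "plain":        "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "dot_segments": r"GET /winnt/system32/cmd.exe/././././?/c+dir+/B+c:\\ HTTP/1.0",
    "slashes":      "GET /winnt/system32/cmd.exe///////./?/c+ver HTTP/1.0",
    "encoded":      "GET /winnt/system32/cmd%2eexe/%2e/?/c+dir HTTP/1.0",
    "doc_page":     "GET /docs/windows/cmd.exe.html HTTP/1.0",
    "search":       "GET /search.cgi?q=cmd.exe HTTP/1.0",
}

TARGET = "cmd.exe"


def normalize_uri(uri):
    """Hypothetical approximation of an HTTP decoder's view of a URI:
    percent-decode the path, collapse runs of '/', and remove '.' and '..'
    segments. The query string is left alone so that a '%3F' inside it
    cannot turn into a second '?'."""
    path, sep, query = uri.partition("?")
    path = re.sub(r"/+", "/", unquote(path))
    segments = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(segments) > 1:      # keep the leading "" that stands for the root
                segments.pop()
            continue
        segments.append(seg)
    return "/".join(segments) + sep + query


def literal_match(text):
    """The content:"cmd.exe?" style check discussed in the thread: an exact,
    case-insensitive substring match on whatever bytes it is handed."""
    return (TARGET + "?") in text.lower()


def cmd_exe_then_query(text):
    """Daniel Roelker's suggestion: find 'cmd.exe' (nocase), then require a
    '?' somewhere after it with no space or tab in between, since a space or
    tab would mean the request-URI ended before the '?' appeared."""
    low = text.lower()
    start = 0
    while True:
        idx = low.find(TARGET, start)
        if idx == -1:
            return False
        rest = text[idx + len(TARGET):]
        q = rest.find("?")
        if q != -1 and " " not in rest[:q] and "\t" not in rest[:q]:
            return True
        start = idx + 1


def detect_normalized(request_line):
    """Run the same heuristic after normalizing the request-URI, which is the
    view a uricontent-style match gets instead of the raw bytes."""
    method, _, rest = request_line.partition(" ")
    uri, _, version = rest.partition(" ")
    return cmd_exe_then_query(" ".join([method, normalize_uri(uri), version]))


def classify(request_line):
    """Return (literal, raw_heuristic, normalized_heuristic) verdicts for one request line."""
    return (literal_match(request_line),
            cmd_exe_then_query(request_line),
            detect_normalized(request_line))


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        literal, raw, normalized = classify(line)
        print(f"{name:13s} literal={literal!s:5} raw_heuristic={raw!s:5} normalized_heuristic={normalized}")
```

Two things stand out when this is run. The literal "cmd.exe?" match misses both quoted evasions exactly as Daniel says, while his "cmd.exe ... ? with no intervening space or tab" heuristic catches them and still stays quiet on a documentation page or a search query that merely mentions cmd.exe. The heuristic on raw bytes is itself defeated by percent-encoding (`cmd%2eexe`), which is the case for running it against the normalized URI rather than the raw one; note also that normalization alone does not turn `cmd.exe/?` into `cmd.exe?`, so a literal match on the normalized URI would still miss the slash and dot-segment variants.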
