[Snort-sigs] Question about sid: 1002

Paul Schmehl pauls at ...1311...
Thu Apr 3 12:58:31 EST 2003

On Thu, 2003-04-03 at 13:05, Daniel J. Roelker wrote:
> Since "cmd.exe" is a content option, that means that it is matching
> against an unnormalized URI.  Which means you can do things like:
> /winnt/system32/cmd.exe/././././?/c+dir+/B+c:\\
> /winnt/system32/cmd.exe///////./?/c+ver
> So we wouldn't match those attacks, if you were looking for "cmd.exe?".
> I'm sure there is a better way to reduce false positives though.  Maybe
> by looking for a '?' after the cmd.exe search, but no space/tab before
> the '?', which would indicate the end of the URI.
OK.  So something like content: "cmd.exe"; nocase; depth: 0; content:
![20]; depth: 0; content: ![09]; depth: 0; content: "?"; might work
better?  (I'm still trying to understand the intricacies of rule
writing, so I'm sure this isn't anywhere near perfect.)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
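The trade-off the two messages above are working through, as an added example written for this page (it is not code from the thread, from Snort, or from either poster). The normalization routine is a simplified stand-in for what Snort's HTTP preprocessor does before a uricontent match, the sample payloads are constructed (payloads 1 and 2 are the two evaded URIs Daniel quoted), and the strategy names are my own labels:

```python
from urllib.parse import unquote

# Constructed sample HTTP payloads (not from the original thread). Payloads 1 and 2
# are the two evaded URIs quoted in the thread; 3 and 4 are benign requests that
# merely contain the string "cmd.exe".
SAMPLE_PAYLOADS = [
    "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "GET /winnt/system32/cmd.exe/././././?/c+dir+/B+c:\\\\ HTTP/1.0\r\n\r\n",
    "GET /winnt/system32/cmd.exe///////./?/c+ver HTTP/1.0\r\n\r\n",
    "GET /docs/cmd.exe-notes.html?page=2 HTTP/1.0\r\n\r\n",
    "GET /tools/cmd.exe HTTP/1.0\r\nReferer: http://example.test/?q=1\r\n\r\n",
]


def request_uri(payload):
    """URI field of the request line exactly as it was sent (no normalization)."""
    request_line = payload.split("\r\n", 1)[0]
    return request_line.split(" ")[1]


def normalize_uri(uri):
    """Simplified stand-in (assumption, not Snort's real algorithm) for the URI
    normalization done before a uricontent match: %xx-decode the path, drop empty
    and '.' segments, resolve '..'. The query string is left untouched."""
    path, sep, query = uri.partition("?")
    segments = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments) + sep + query


def raw_content_cmd_exe_q(payload):
    """content:"cmd.exe?"; nocase;  -- plain substring search on the raw payload."""
    return "cmd.exe?" in payload.lower()


def uricontent_cmd_exe_q(payload):
    """uricontent:"cmd.exe?"; nocase;  -- substring search on the normalized URI."""
    return "cmd.exe?" in normalize_uri(request_uri(payload)).lower()


def cmd_exe_then_any_q(payload):
    """content:"cmd.exe"; nocase; content:"?";  -- a '?' anywhere after cmd.exe,
    so it also fires when the '?' sits in a later header."""
    low = payload.lower()
    idx = low.find("cmd.exe")
    return idx >= 0 and "?" in low[idx + len("cmd.exe"):]


def cmd_exe_then_q_no_space(payload):
    """The refinement floated in the thread: a '?' after cmd.exe with no space or
    tab in between, since whitespace marks the end of the URI."""
    low = payload.lower()
    idx = low.find("cmd.exe")
    if idx < 0:
        return False
    rest = low[idx + len("cmd.exe"):]
    q = rest.find("?")
    if q < 0:
        return False
    between = rest[:q]
    return " " not in between and "\t" not in between


STRATEGIES = {
    "content cmd.exe?": raw_content_cmd_exe_q,
    "uricontent cmd.exe?": uricontent_cmd_exe_q,
    "cmd.exe then ? anywhere": cmd_exe_then_any_q,
    "cmd.exe then ? before whitespace": cmd_exe_then_q_no_space,
}


def evaluate(payloads=SAMPLE_PAYLOADS):
    """Return {strategy name: [True/False per payload]} so the rows can be compared."""
    return {name: [fn(p) for p in payloads] for name, fn in STRATEGIES.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:36s} {''.join('X' if h else '.' for h in hits)}")
```

Read the rows against the payloads: the raw "cmd.exe?" match catches only the un-evaded request; the "? anywhere" variant fires on every payload, including the one whose '?' is in the Referer header; the "? before whitespace" refinement keeps both evasions and rejects the header case, but still fires on the benign /docs/cmd.exe-notes.html?page=2 request; and matching "cmd.exe?" on the normalized URI catches the two evasions without that false positive.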
