[Snort-sigs] Question about sid: 1002

Jacob Hurley jacobh at ...1425...
Thu Apr 3 18:14:46 EST 2003


While my question isn't quite the same, it relates to this rule too.  We
were wanting to possibly 'weed out' the scanners and whatnot that just
could simply use cmd.exe to do directory listings (since there is a
snort rule that will tell you about a successful dir listing) but we
wanted to be alerted to any url that contained cmd.exe, but didn't
contain 'dir' in it anywhere.  We were thinking of coming up with some
type of pass rule or something (I am fairly new to the signature game
myself) for it.  Any ideas, concerns, or comments on doing something
like this?


Jacob Hurley


-----Original Message-----
From: Daniel J. Roelker [mailto:droelker at ...435...] 
Sent: Thursday, April 03, 2003 1:06 PM
To: Paul Schmehl
Cc: Brian; Snort Sigs
Subject: Re: [Snort-sigs] Question about sid: 1002

Since "cmd.exe" is a content option, that means that it is matching
against an unnormalized URI.  Which means you can do things like:

/winnt/system32/cmd.exe/././././?/c+dir+/B+c:\\
/winnt/system32/cmd.exe///////./?/c+ver

So we wouldn't match those attacks, if you were looking for "cmd.exe?".

I'm sure there is a better way to reduce false positives though.  Maybe
by looking for a '?' after the cmd.exe search, but no space/tab before
the '?', which would indicate the end of the URI.

Daniel Roelker
droelker at ...435...

On Thu, 2003-04-03 at 12:29, Paul Schmehl wrote:
> On Thu, 2003-04-03 at 09:05, Brian wrote:
> > 
> > Because you would not pick up the scanners that just look for cmd.exe
> > 
> OK, but in order to actually exploit the vulnerability, don't you have
> to use the question mark format?
> 
> (The problem I'm seeing is FPs every time someone runs WindowsUpdate,
> which is quite frequent on our campus.  It obscures the boxes that are
> actually infected with CodeRed.)
> 
> -- 
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member
> 
> 
> 
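The three positions taken in the thread, side by side in constructed Python (added here; these are not Snort rules and not code from anyone on the list): the plain "cmd.exe" content match the thread attributes to sid 1002, Daniel's refinement of requiring a '?' after cmd.exe with no space or tab in between, and Jacob's cmd.exe-but-no-"dir" filter, each run over the same request lines. The two unnormalized URIs are the ones Daniel quoted; every other sample line, including the benign stand-in URL, is invented for the example.

```python
import re
from urllib.parse import unquote

# Plain substring match on "cmd.exe", as the thread describes sid 1002 doing.
def content_match(request_line: str) -> bool:
    return "cmd.exe" in request_line.lower()

# Daniel's refinement: a '?' after "cmd.exe" with no space or tab between them.
# Whitespace terminates the URI, so a '?' beyond it belongs to the HTTP version
# or to a header, not to this request's query string.
QUERY_AFTER_CMD = re.compile(r"cmd\.exe[^\s?]*\?", re.IGNORECASE)

def query_match(request_line: str) -> bool:
    return QUERY_AFTER_CMD.search(request_line) is not None

# Jacob's filter: "cmd.exe" present and "dir" absent anywhere in the request.
# Checking the raw bytes, as a pass rule built on a content option would, is
# defeated by percent-encoding a single letter; decoding first closes that gap.
def cmd_without_dir(request_line: str, decode: bool = True) -> bool:
    text = (unquote(request_line) if decode else request_line).lower()
    return "cmd.exe" in text and "dir" not in text

def classify(request_line: str) -> dict:
    return {"content": content_match(request_line),
            "query": query_match(request_line),
            "cmd_no_dir": cmd_without_dir(request_line)}

# Constructed request lines (not captured traffic): the two unnormalized URIs
# Daniel quoted, a bare probe for the binary, a "dir" hidden by encoding, a
# '?' that only appears after the URI has ended, and an invented benign URL
# that merely mentions the file name, standing in for the WindowsUpdate FP.
SAMPLES = {
    "dotslash_dir": "GET /winnt/system32/cmd.exe/././././?/c+dir+/B+c:\\\\ HTTP/1.0",
    "slashes_ver":  "GET /winnt/system32/cmd.exe///////./?/c+ver HTTP/1.0",
    "probe_only":   "GET /scripts/cmd.exe HTTP/1.0",
    "encoded_dir":  "GET /scripts/cmd.exe?/c+d%69r HTTP/1.0",
    "late_qmark":   "GET /scripts/cmd.exe HTTP/1.0\r\nReferer: http://example.test/a?b",
    "benign":       "GET /download/notes.txt?topic=cmd.exe HTTP/1.0",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        verdict = classify(line)
        flags = " ".join(f"{k}={'Y' if v else '.'}" for k, v in verdict.items())
        print(f"{name:13} {flags}")
```

Note that the benign stand-in still passes Jacob's filter (cmd.exe present, no "dir"), while Daniel's '?' test drops it; the two ideas address different problems and combine naturally.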

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs