[Snort-sigs] Question about sid: 1002

Daniel J. Roelker droelker at ...435...
Fri Apr 4 06:24:53 EST 2003


I wouldn't put too much faith in the server response sig to catch
directory listings.  For example, run "dir /b" on your windows box. 
You're not going to catch that with any sig.  

It seems in your case that you just want to see more serious attacks
that use cmd.exe, like "tftp" and things like that.  You want to weed
out "dir" and "ver".  I think the only way you can do this with the
current rule language is to do content:"cmd.exe" and !content:"dir" and
!content:"ver".  Remember though, if I'm an attacker and I know you do
this with pass rules, I can easily evade your IDS by putting these
things in the exploit packet:

GET /scripts/..%c0%af../winnt/system32/cmd.exe/dir/ver?/c+tftp+[your fun
stuff here]

Try this, it works.

But the above rule example is about as good as you can get currently, if
you are willing to live with the possibility of evasion, even though it
is rather remote.

Dan
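To make the rule logic discussed above concrete, here is an added Python model (not Snort rule syntax, and not code from any poster) that runs the three approaches over constructed sample URIs shaped like the ones in this thread: a raw content:"cmd.exe?" match, the content/negated-content rule, and the check that looks at what follows the '?' instead of at 'dir'/'ver' anywhere in the URI.

```python
import re

# Constructed sample URIs, modelled on the forms discussed in the thread.
SAMPLES = {
    "ver_plain":   "/winnt/system32/cmd.exe?/c+ver",
    "dir_dotted":  "/winnt/system32/cmd.exe/././././?/c+dir+/B+c:\\",
    "ver_slashes": "/winnt/system32/cmd.exe///////./?/c+ver",
    "tftp_plain":  "/winnt/system32/cmd.exe?/c+tftp",
    "evasion":     "/scripts/..%c0%af../winnt/system32/cmd.exe/dir/ver?/c+tftp",
}

def raw_cmd_query(uri):
    """content:"cmd.exe?" against the raw URI: misses the /./ and //
    padded forms because the '?' is no longer adjacent to cmd.exe."""
    return "cmd.exe?" in uri.lower()

def naive_rule(uri):
    """content:"cmd.exe" with negated content:"dir" and content:"ver",
    matched anywhere in the raw URI, as proposed in the thread."""
    low = uri.lower()
    return "cmd.exe" in low and "dir" not in low and "ver" not in low

def cmd_args(uri):
    """Tokens of the command after '?/c+', or None when cmd.exe is not
    invoked through a query string.  Splitting on the first '?' first
    means '/././?' and '////?' padding in the path no longer matters."""
    path, sep, query = uri.partition("?")
    if not sep or "cmd.exe" not in path.lower():
        return None
    m = re.match(r"/c\+(.+)", query, re.I)
    return [t for t in m.group(1).split("+") if t] if m else None

BENIGN = {"dir", "ver"}

def interesting(uri):
    """Alert only when cmd.exe runs something other than a bare dir/ver,
    judged on the parsed command rather than on 'dir'/'ver' appearing
    anywhere in the URI (which the path padding trick defeats)."""
    args = cmd_args(uri)
    return bool(args) and args[0].lower() not in BENIGN

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(f"{name:12} raw_cmd_query={raw_cmd_query(uri)!s:5} "
              f"naive={naive_rule(uri)!s:5} interesting={interesting(uri)}")
```

The two padded dir/ver URIs are missed by the raw "cmd.exe?" match, the "evasion" URI is suppressed by the negated-content rule, and only the query-parsing check flags both tftp invocations while staying quiet on plain listings.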

On Thu, 2003-04-03 at 21:10, Jacob Hurley wrote:
> 
> While my question isn't quite the same, it relates to this rule too.  We
> were wanting to possibly 'weed out' the scanners and whatnot that just
> could simply use cmd.exe to do directory listings (since there is a
> snort rule that will tell you about a successful dir listing) but we
> wanted to be alerted to any url that contained cmd.exe, but didn't
> contain 'dir' in it anywhere.  We were thinking of coming up with some
> type of pass rule or something (I am fairly new to the signature game
> myself) for it.  Any ideas, concerns, or comments on doing something
> like this?
> 
> 
> Jacob Hurley
> 
> 
> -----Original Message-----
> From: Daniel J. Roelker [mailto:droelker at ...435...] 
> Sent: Thursday, April 03, 2003 1:06 PM
> To: Paul Schmehl
> Cc: Brian; Snort Sigs
> Subject: Re: [Snort-sigs] Question about sid: 1002
> 
> Since "cmd.exe" is a content option, that means that it is matching
> against an unnormalized URI.  Which means you can do things like:
> 
> /winnt/system32/cmd.exe/././././?/c+dir+/B+c:\\
> /winnt/system32/cmd.exe///////./?/c+ver
> 
> So we wouldn't match those attacks, if you were looking for "cmd.exe?".
> 
> I'm sure there is a better way to reduce false positives though.  Maybe
> by looking for a '?' after the cmd.exe search, but no space/tab before
> the '?', which would indicate the end of the URI.
> 
> Daniel Roelker
> droelker at ...435...
> 
> On Thu, 2003-04-03 at 12:29, Paul Schmehl wrote:
> > On Thu, 2003-04-03 at 09:05, Brian wrote:
> > > 
> > > Because you would not pick up the scanners that just look for
> cmd.exe
> > > 
> > OK, but in order to actually exploit the vulnerability, don't you have
> > to use the question mark format?
> > 
> > (The problem I'm seeing is FPs every time someone runs WindowsUpdate,
> > which is quite frequent on our campus.  It obscures the boxes that are
> > actually infected with CodeRed.)
> > 
> > -- 
> > Paul Schmehl (pauls at ...1311...)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > http://www.utdallas.edu/~pauls/
> > AVIEN Founding Member
> > 
> > 
> > 
> > -------------------------------------------------------
> > This SF.net email is sponsored by: ValueWeb: 
> > Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
> > No other company gives more support or power for your dedicated server
> > http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs