[Snort-sigs] SID 494

Anton Chuvakin anton at ...1177...
Mon Jan 13 14:46:04 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
RESPONSES command completed"; content:"Command completed"; nocase;
flow:from_server,established; classtype:bad-unknown; sid:494; rev:5;)

--
Sid: 494

-- 
Summary: A post-compromise behavior indicating the use of a Windows command shell on the web server.

-- 

Impact: the attacker might have gained the ability to execute commands on the web server remotely.

--
Detailed Information:

The signature is aimed at catching the standard Windows command
response "The command completed successfully." For example, Windows
2000/XP prints it after a "net" command (such as "net use") finishes.
The net commands are used for a wide variety of system tasks of
interest to attackers and can be started from the Windows shell
(cmd.exe, command.com). The rule matches the shorter, case-insensitive
substring "Command completed" in data flowing from the web server to
the client on an established connection. Seeing such a response in
HTTP traffic indicates that somebody has managed to "convince" the web
server to spawn a shell and has successfully executed at least one
command. Note that the source address in this alert is the victim web
server, not the attacker as in the exploit signatures.

--

Attack Scenarios: an attacker gains access to a Windows web server
via an IIS vulnerability and manages to start a cmd.exe shell. He then
proceeds to map shares on the DMZ network via "net use" commands. The
latter activity is detected by this signature.

-- 

Ease of Attack: not applicable as such; this post-compromise behavior
can accompany any attack that yields command execution on the server.

-- 

False Positives: the signature will trigger if the string "Command
completed" (in any letter case, because of "nocase") appears in content
legitimately served by the web server, in which case the signature
should be tuned for that server.

--
False Negatives: none known for the string itself. Because the rule is a
plain content match, it cannot see a response carried over an encrypted
channel (HTTPS), and a localized Windows build that prints the message
in another language will not match.

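As an added illustration (not part of the original submission and not Snort code), the following Python models the rule's three conditions, flow:from_server, flow:established and the case-insensitive content match, and runs them over constructed HTTP messages: the attacker's request, the server's response carrying the output of "net use", a benign page that happens to contain the phrase, a localized response, and a segment outside an established stream. All addresses, URIs and payloads are made up; the URI in the request is a placeholder, not an exploit.

```python
"""Toy re-implementation of the matching logic of Snort SID 494.

Added illustration only; this is not Snort code and not part of the
original signature description.  It models the three rule conditions
(flow:from_server, flow:established, content:"Command completed"; nocase)
and runs them over constructed HTTP messages.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Message:
    src: str            # sender as "ip:port"
    dst: str            # receiver as "ip:port"
    from_server: bool   # True when the HTTP server sent this message
    established: bool   # True once the TCP three-way handshake completed
    payload: bytes      # TCP payload (HTTP headers + body)


# Rule content, lower-cased once because the rule uses 'nocase'.
CONTENT = b"command completed"
MSG = "ATTACK RESPONSES command completed"


def sid494_alert(m: Message) -> Optional[dict]:
    """Return an alert dict when the message satisfies SID 494, else None."""
    # flow:from_server,established -- only server->client traffic on an
    # established session is inspected, so the attacker's request never fires.
    if not (m.from_server and m.established):
        return None
    # content:"Command completed"; nocase -- case-insensitive substring match
    # anywhere in the payload, so it also matches the full Windows message
    # "The command completed successfully."
    if CONTENT not in m.payload.lower():
        return None
    # As the description notes, the alert's source address is the victim
    # web server, not the attacker.
    return {"sid": 494, "msg": MSG, "src": m.src, "dst": m.dst}


def scan(messages: List[Message]) -> List[dict]:
    """Apply the rule to every message and collect the alerts."""
    return [a for a in (sid494_alert(m) for m in messages) if a is not None]


# Constructed sample traffic (not a real capture).  192.0.2.10 is the web
# server, 203.0.113.7 the attacker, 198.51.100.5 an unrelated web server.
SAMPLE = [
    # 1. Attacker's request: the URI is a hypothetical command-execution
    #    path and is NOT an actual exploit.  Client->server, so no match.
    Message("203.0.113.7:51000", "192.0.2.10:80", False, True,
            b"GET /hypothetical_vuln?cmd=net+use HTTP/1.0\r\n\r\n"),
    # 2. The server's response carrying the output of "net use": fires.
    Message("192.0.2.10:80", "203.0.113.7:51000", True, True,
            b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
            b"New connections will be remembered.\r\n\r\n"
            b"There are no entries in the list.\r\n\r\n"
            b"The command completed successfully.\r\n"),
    # 3. Benign page that happens to contain the phrase in a different
    #    letter case: fires too (the false positive the description warns of).
    Message("198.51.100.5:80", "203.0.113.9:40200", True, True,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>Command Completed: your export is ready.</body></html>"),
    # 4. Localized shell output (constructed non-English text): the English
    #    string is absent, so the rule is silent (a false negative).
    Message("192.0.2.10:80", "203.0.113.7:51002", True, True,
            b"HTTP/1.0 200 OK\r\n\r\nDer Befehl wurde erfolgreich ausgef\xc3\xbchrt.\r\n"),
    # 5. Same matching payload, but the stream was never established
    #    (e.g. a spoofed or out-of-session segment): no match.
    Message("192.0.2.10:80", "203.0.113.7:51003", True, False,
            b"The command completed successfully.\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(f"[{alert['sid']}] {alert['msg']}  {alert['src']} -> {alert['dst']}")
```

Running it yields two alerts, both with the web server as the source address: the genuine shell output from 192.0.2.10 and the benign page from 198.51.100.5, which is exactly the case the False Positives section says must be tuned away.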
-- 

Corrective Action: investigate the web server for signs of compromise,
run integrity-checking software, and look for other IDS alerts
involving the same IP addresses.

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/FAQW2KCP.asp
