[Snort-sigs] SID 494
anton at ...1177...
Mon Jan 13 14:46:04 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
RESPONSES command completed"; content:"Command completed"; nocase;
flow:from_server,established; classtype:bad-unknown; sid:494; rev:5;)
Summary: An post-compromise behavior indicating the use of Windows command shell.
Impact: attacker might have gained an ability to execute commands remotely
The signature is aimed at catching the standard Windows command
response "The command completed successfully". For example, it is
generated in Windows 2000/XP after the "net" command (such as "net
use") is used. The net commands are used for a wide variety of system
tasks of interest to attackers and can be started from the windows
shell (cmd.exe, command.com). Seeing such a response in the HTTP
traffic indicates that somebody have managed to "convince" the web
server to spawn a shell and have successfully executed at least one
command. Note that the source address of this signature is actually
the victim and not the attacker as for the exploit signatures.
Attack Scenarios: an attacker gains an access to a Windows web server
via IIS vulnerability and manages to start a cmd.exe shell. He then
proceeds to map the DMZ network via "net use" commands. The latter
activity is detected by this signature.
Ease of Attack: this post-attack behavior can accompany different
False Positives: the signature will trigger if the string "Command
completed" appears in the content distributed by the web server, in
which case the signature should be tuned.
False Negatives: not known
Corrective Action: investigate the web server for signs of compromise,
run the integrity checking software, look for other IDS alerts
involving the same IP addresses.
Contributors: Anton Chuvakin <http://www.chuvakin.org>
More information about the Snort-sigs