[Snort-sigs] SID 495

Anton Chuvakin anton at ...1177...
Tue Jan 14 21:47:02 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES command error"; content:"Bad command or filename"; nocase; flow:from_server,established; classtype:bad-unknown; sid:495; rev:5;)

--
Sid: 495

-- 

Summary: A post-compromise behavior indicating the use of Windows
command shell.

-- 

Impact: the attacker might have gained the ability to execute commands remotely

--
Detailed Information:

The signature is aimed at catching the standard Windows unsuccessful
command response "Bad command or filename". For example, it is
generated in Windows OS after the executable file to be run from the
command line is not found. Seeing such a response in the HTTP traffic
indicates that somebody has managed to "convince" the web server to
spawn a shell bound to a web port and has tried to execute a
command. Note that the source address of this signature is actually
the victim and not the attacker, as for the exploit signatures.

--

Attack Scenarios: an attacker gains access to a Windows web server
via an IIS vulnerability and starts a cmd.exe shell. He then tries to run
other commands on the machine.

-- 

Ease of Attack: this post-attack behavior can accompany different
attacks.

-- 

False Positives: the signature will trigger if the string "Bad command
or filename" appears in the content distributed by the web server, in
which case the signature should be tuned.

--
False Negatives: not known

-- 

Corrective Action: investigate the web server for signs of compromise,
run the integrity checking software, look for other IDS alerts
involving the same IP addresses.

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:
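The following is an added illustration, not part of the original post and not Snort code: it re-implements the match conditions of SID 495 (server-to-client direction, established flow, case-insensitive content match) in Python and runs them over a few constructed packets, including the false-positive case the post describes, where the string appears in ordinary web content. The IP addresses, payloads and the `suppressed_servers` tuning knob (modelled on Snort's per-source `suppress` mechanism) are assumptions for the example.

```python
"""Re-implementation of the match logic of Snort SID 495, as an added
illustration. Not Snort code and not part of the original post; the sample
packets, IP addresses and the `suppressed_servers` knob are constructed."""
from dataclasses import dataclass

# The rule's content string; `nocase` means a case-insensitive compare.
SID495_CONTENT = b"Bad command or filename"


@dataclass
class Packet:
    src_ip: str          # sender of the TCP segment
    from_server: bool    # True when src is in $HTTP_SERVERS on an $HTTP_PORTS port
    established: bool    # True once the three-way handshake has completed
    payload: bytes       # TCP payload (HTTP headers + body)


def sid495_fires(pkt: Packet, suppressed_servers=()) -> tuple[bool, str]:
    """Return (fired, reason).

    Mirrors the rule: direction $HTTP_SERVERS -> $EXTERNAL_NET,
    flow:from_server,established, content match with nocase.
    `suppressed_servers` models a per-source suppression such as Snort's
    `suppress gen_id 1, sig_id 495, track by_src, ip <addr>` for a server
    known to serve the string legitimately (assumed tuning, not from the post).
    """
    if not pkt.from_server:
        return False, "client->server traffic: direction does not match"
    if not pkt.established:
        return False, "flow not established"
    if SID495_CONTENT.lower() not in pkt.payload.lower():
        return False, "content not present"
    if pkt.src_ip in suppressed_servers:
        return False, "suppressed for this server (tuned false positive)"
    return True, "ATTACK RESPONSES command error"


# Constructed samples (not real captures).
SAMPLES = [
    # 1. Shell-style output returned over the web port: should fire.
    Packet("10.0.0.5", True, True,
           b"Bad command or filename\r\n\r\nC:\\Inetpub\\wwwroot>"),
    # 2. Same string inside a normal HTML page (documentation about DOS
    #    errors): fires as written, which is the false positive the post notes.
    Packet("10.0.0.6", True, True,
           b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<html><p>DOS prints 'BAD COMMAND OR FILENAME' when ...</p></html>"),
    # 3. Client request carrying the string: direction check fails, no alert.
    Packet("192.0.2.10", False, True,
           b"POST /search HTTP/1.0\r\n\r\nq=bad command or filename"),
    # 4. Ordinary response without the string.
    Packet("10.0.0.5", True, True, b"HTTP/1.1 200 OK\r\n\r\n<html>hi</html>"),
]


def run(samples=SAMPLES, suppressed_servers=()):
    """Evaluate every sample; returns the list of fired flags."""
    results = []
    for i, pkt in enumerate(samples, 1):
        fired, reason = sid495_fires(pkt, suppressed_servers)
        print(f"sample {i}: src={pkt.src_ip} fired={fired} ({reason})")
        results.append(fired)
    return results


if __name__ == "__main__":
    run()                                   # [True, True, False, False]
    run(suppressed_servers={"10.0.0.6"})    # [True, False, False, False]
```

Sample 2 shows why the post says the rule "should be tuned" rather than disabled: the string is matched anywhere in the payload, so a page that merely documents the DOS error alerts exactly like a real shell response. Suppressing by source only for the server known to serve that content keeps the detection for every other host.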
