[Snort-sigs] UPnP Rules
Andrew Rucker Jones
arjones at ...1200...
Tue Jan 21 22:02:13 EST 2003
First of all, please include a direct reply to me, as I am not
subscribed to the list.
I was looking at the UPnP rules in the most recent Snort rulesets
for 1.9.0 (the stable ones), and they seem to me to be out of order. The
headers on SIDs 1384 and 1388 are identical, so they will be applied in
the order listed, which is to say "NOTIFY * " will be detected before a
"Location" overflow. I would think it very possible that the buffer
overflow attack would include "NOTIFY * ", thus triggering the
"malformed advertisement" rule and skipping the "Location overflow"
rule. In my opinion, the overflow rule is more important and less likely
to trigger than the "NOTIFY * " rule. Can anyone set me straight on
this, or should the two be swapped?
Also, after reviewing the now long-expired Internet Draft on SSDP,
it seems that "NOTIFY * " is perfectly legal, and in fact expected
behaviour. It is used for service advertisements. Shouldn't the message
text for SID 1384 be something different, like "UPNP advertisement"? The
word "malformed" bothers me.
All submitted for Your approval and awaiting any responses,
positive or negative.
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.
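The ordering problem the post describes, simulated as an added example (not Snort's code and not from the post): two simplified stand-ins for SIDs 1384 and 1388 are evaluated first-match-wins over constructed NOTIFY messages, so the effect of swapping the two rules can be checked directly. The rule tests, the 128-byte Location limit, the alert messages and the sample packets are all assumptions, since the real rule bodies are not quoted in the post.

```python
import re

# Constructed SSDP NOTIFY messages (not taken from the post): one ordinary
# advertisement and one whose Location header is far longer than any real
# URL, standing in for the overflow case the post is concerned about.
BENIGN = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"LOCATION: http://192.0.2.10:80/desc.xml\r\nNT: upnp:rootdevice\r\n\r\n")
OVERSIZED = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
             b"LOCATION: http://" + b"A" * 600 + b"/\r\nNT: upnp:rootdevice\r\n\r\n")

LOCATION_LIMIT = 128  # hypothetical threshold; the real SID 1388 pattern is not on the page


def is_advertisement(payload: bytes) -> bool:
    """Simplified stand-in for SID 1384: any request line beginning 'NOTIFY * '."""
    return payload.startswith(b"NOTIFY * ")


def has_long_location(payload: bytes) -> bool:
    """Simplified stand-in for SID 1388: a Location header value over the limit."""
    m = re.search(rb"(?im)^location:[ \t]*([^\r\n]*)", payload)
    return m is not None and len(m.group(1)) > LOCATION_LIMIT


# Rules in the order the post says the ruleset lists them (messages assumed).
RULES = [
    (1384, "UPNP malformed advertisement", is_advertisement),
    (1388, "UPNP Location overflow attempt", has_long_location),
]
SWAPPED = [RULES[1], RULES[0]]


def first_match(payload: bytes, rules=RULES):
    """First-match-wins evaluation: the alert is the first rule in list order
    whose test passes, which is the shadowing the post describes."""
    for sid, _msg, test in rules:
        if test(payload):
            return sid
    return None


def all_matches(payload: bytes, rules=RULES):
    """Every rule whose test passes, ignoring order (what one would want to see)."""
    return [sid for sid, _msg, test in rules if test(payload)]
```

With the listed order the oversized packet is reported only as SID 1384; with the two swapped it is reported as SID 1388 while the benign advertisement still hits 1384.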