[Snort-sigs] ATTACK RESPONSES id check returned <blah> sigs

Jon warchild at ...288...
Sun Jan 26 19:58:01 EST 2003


I've been getting a lot of false positives on sids 1882 - 1886.

The problem seems to be that these particular sigs look for "uid=" and a
particular string that could represent a successful attack.  Unlike sid
498, these sids can't cram their content into a single field because the
uid number is not standardized.  For example, on one system, the uid number
of 'nobody' could be 345, whereas it could be 654321 on another.  

The problem is that the chances that the string "uid=" and any of {"(www)",
"(nobody)", "(web)", "(http)", "(apache)"} both appear are pretty good, though
restricting these rules with $HTTP_SERVERS and $HTTP_PORTS as the source
does cut things down considerably.

I immediately thought a regex would be good here, but the docs say regexes
aren't production ready.  Something like content:"uid=\d+(nobody)" would be
perfect...  Would it be possible to get something similar with depth and/or
within?

I'm not too familiar with the 'within' field, but it looks like it just
requires a second content be found within a certain distance from the first
content.  In my testing, 'content:"uid="; content:"(jon)"; within:25;'
seems to be pretty good.

If we could narrow down the distance between the uid= and the (<id>) part,
I think we could cut down on the false positives a bit more.  Of course,
how far should we go?  I'd try within 5 so it'd support uid numbers of
length 5, but that wouldn't be fair to OSs that support more users than
that.  within 10 would allow up to 10^10 users and would probably cut down
on false positives by quite a bit.

I'm curious if people have thoughts for or against these changes...

The updated sigs would be something like the ones below:

-jon 

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned www"; flow:from_server,established; content:"uid="; content:"(www)"; within:10; classtype:bad-unknown; sid:1882; rev:3;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"(nobody)"; within:10; classtype:bad-unknown; sid:1883; rev:3;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"(web)"; within:10; classtype:bad-unknown; sid:1884; rev:3;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"(http)"; within:10; classtype:bad-unknown; sid:1885; rev:3;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"(apache)"; within:10; classtype:bad-unknown; sid:1886; rev:3;)
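Added illustration (editor's example, not part of Jon's post and not code from the Snort project): a small Python model of the content/within pairing the post proposes, run over constructed server responses. It follows Snort's documented within semantics, where the second content is searched in a window of N bytes that starts where the previous match ended and must fit entirely inside that window, so the "(name)" token itself uses up part of the budget. The helpers digits_allowed and within_for_digits make that arithmetic explicit for choosing a within value, and pcre_match shows the regex form the post wished for. All payloads and names below are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample responses from the server side (what $HTTP_SERVERS would
# send back); none of these are real captures.
SAMPLES = {
    "id_apache":       b"HTTP/1.1 200 OK\r\n\r\nuid=48(apache) gid=48(apache) groups=48(apache)\n",
    "id_nobody_large": b"HTTP/1.1 200 OK\r\n\r\nuid=654321(nobody) gid=65534(nogroup)\n",
    "benign_spread":   b"HTTP/1.1 200 OK\r\n\r\n<p>ticket uid=7d3 assigned to team (nobody)</p>\n",
}

# The five account names covered by sids 1882-1886 in the post.
ID_NAMES = [b"www", b"nobody", b"web", b"http", b"apache"]


def content_within(payload: bytes, first: bytes, second: bytes,
                   within: Optional[int] = None) -> bool:
    """Model of a Snort 'content:first; content:second; within:N;' pair.

    With within=N the second pattern must lie entirely inside the N bytes
    that follow the end of the first pattern's match; later occurrences of
    the first pattern are tried if an earlier one fails.  Without within,
    each content is searched over the whole payload independently.
    """
    if within is None:
        return first in payload and second in payload
    start = 0
    while True:
        i = payload.find(first, start)
        if i == -1:
            return False
        end = i + len(first)
        if second in payload[end:end + within]:
            return True
        start = i + 1  # retry from the next occurrence of the first pattern


def digits_allowed(name: bytes, within: int) -> int:
    """How many uid digits a given within value leaves room for, once the
    window also has to hold the whole "(name)" token."""
    return within - (len(name) + 2)


def within_for_digits(name: bytes, digits: int) -> int:
    """Smallest within value that still matches a uid with this many digits."""
    return digits + len(name) + 2


def fired_rules(payload: bytes, within: Optional[int] = None) -> List[str]:
    """Names whose 'uid= ... (name)' pair would alert on this payload."""
    return [n.decode() for n in ID_NAMES
            if content_within(payload, b"uid=", b"(" + n + b")", within)]


def pcre_match(payload: bytes, name: bytes) -> bool:
    """The same check as a single regex: uid=<digits>(name)."""
    return re.search(rb"uid=\d+\(" + re.escape(name) + rb"\)", payload) is not None


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label,
              "no within:", fired_rules(body),
              "within:10:", fired_rules(body, 10),
              "within:18:", fired_rules(body, 18))
    print("uid digits left by within:10 for (nobody):", digits_allowed(b"nobody", 10))
    print("within needed for 10-digit uid and (nobody):", within_for_digits(b"nobody", 10))
```

Running it shows the trade-off the post is weighing: the benign page alerts when the two contents are unconstrained and stops alerting at within:10, but a large uid such as the post's 654321(nobody) example also stops matching at within:10 and needs a wider window.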
