[Snort-sigs] ATTACK RESPONSES id check returned <blah> sigs

Jason security at ...704...
Sun Jan 26 21:15:01 EST 2003


Jon,

within will do just what you are looking for.

You could also do a generic rule that should false minimally by
anchoring each content behind the last with the distance modifier.

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
RESPONSE id check detected"; flow:from_server,established;
content:"uid="; nocase; content:"("; distance:0; within:5; content:")";
distance:0; within:10; classtype:bad-unknown; sid:1000000; rev:1;)

I don't know of any id checks that need to be nocase but that doesn't
mean they are not there so I added it.

I also think that with the limitations of $HTTP_SERVERS and $HTTP_PORTS
and flow:from_server it is pretty safe to open up the destination to any
to cover internal threats as well.

I thought about adding a depth check to the first content match but that
would eliminate an id check following some other output like an ls or
cat /some/file or something so I left it out. For performance reasons I
think depth:512 might be prudent but your tastes may be different.

I would be interested to hear if this falses at all. It seems pretty
unlikely to me except for a web page on your site that has this content
on it. In that case you own the web server and can pass for that
specific page.

-Jason

[snip]
> 
>>
>> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
>> RESPONSES id check returned www"; flow:from_server,established;
>> content:"uid="; content:"(www)"; within:10; classtype:bad-unknown; 
>> sid:1882; rev:3;)
>>
>> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
>> RESPONSES id check returned nobody"; flow:from_server,established;
>> content:"uid="; content:"(nobody)"; within:10; classtype:bad-unknown;
>> sid:1883; rev:3;)
>>
>> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
>> RESPONSES id check returned web"; flow:from_server,established;
>> content:"uid="; content:"(web)"; within:10; classtype:bad-unknown; 
>> sid:1884; rev:3;)
>>
>> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
>> RESPONSES id check returned http"; flow:from_server,established;
>> content:"uid="; content:"(http)"; within:10; classtype:bad-unknown;
>> sid:1885; rev:3;)
>>
>> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
>> RESPONSES id check returned apache"; flow:from_server,established;
>> content:"uid="; content:"(apache)"; within:10;  classtype:bad-unknown;
>> sid:1886; rev:3;)
>>
>>
>>
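To make the anchoring argument above concrete, here is a small Python model of how Snort 2 evaluates a chain of content matches with the depth, distance and within modifiers, applied to the generic rule from the post and to one of the original per-account rules (sid 1886). This is an added example, not Snort's own code and not from the original thread; the semantics it models are my reading of the Snort 2 manual (distance: the next search starts that many bytes after the end of the previous match; within: the next pattern must lie entirely inside a window of that many bytes from that point; depth: an unanchored content must lie in the first N payload bytes), and the HTTP response payloads are constructed samples.

```python
"""Model of Snort 2 content matching with depth/distance/within (added
example; not Snort source). Used to exercise the generic "id check" rule."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Content:
    """One content keyword plus the modifiers that follow it."""
    pattern: bytes
    nocase: bool = False
    depth: Optional[int] = None      # absolute limit, first content only
    distance: Optional[int] = None   # relative to end of previous match
    within: Optional[int] = None     # window length from that point


def _find(haystack: bytes, needle: bytes, nocase: bool) -> int:
    """Index of needle in haystack (-1 if absent); case-folded when nocase."""
    if nocase:
        return haystack.lower().find(needle.lower())
    return haystack.find(needle)


def match_contents(payload: bytes, contents: List[Content]) -> bool:
    """True when every content in the chain matches under the modelled rules."""
    doe = 0  # end offset of the previous match (Snort's "detect offset end")
    for c in contents:
        if c.distance is None and c.within is None:
            # Unanchored content: search from the start, limited by depth.
            start = 0
            window = payload if c.depth is None else payload[: c.depth]
        else:
            # Relative content: window begins `distance` bytes after the
            # previous match and is at most `within` bytes long; the whole
            # pattern has to fit inside it.
            start = doe + (c.distance or 0)
            end = len(payload) if c.within is None else start + c.within
            window = payload[start:end]
        idx = _find(window, c.pattern, c.nocase)
        if idx < 0:
            return False
        doe = start + idx + len(c.pattern)
    return True


# The generic rule from the post: uid= ... ( ... ) anchored with distance:0.
GENERIC_RULE = [
    Content(b"uid=", nocase=True),
    Content(b"(", distance=0, within=5),
    Content(b")", distance=0, within=10),
]

# sid 1886 from the original set: "(apache)" within 10 bytes of "uid=".
SID_1886 = [
    Content(b"uid="),
    Content(b"(apache)", within=10),
]


def generic_with_depth(depth: int) -> List[Content]:
    """The generic rule with the depth limit the post considered adding."""
    return [Content(b"uid=", nocase=True, depth=depth)] + GENERIC_RULE[1:]


HDR = b"HTTP/1.1 200 OK\r\n\r\n"
# Constructed sample responses (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "apache id": HDR + b"uid=48(apache) gid=48(apache) groups=48(apache)\n",
    # id output that follows ~760 bytes of directory listing
    "nobody id after ls": HDR + b"index.html\ncgi-bin\n" * 40
    + b"uid=99(nobody) gid=99(nobody)\n",
    "five digit uid": HDR + b"uid=65534(nobody) gid=65534(nobody)\n",
    "benign page": HDR + b"<p>Your uid= value is stored securely "
    b"(encrypted) on our side.</p>\n",
}


def evaluate(rule: List[Content]) -> Dict[str, bool]:
    """Apply one rule's content chain to every sample payload."""
    return {name: match_contents(p, rule) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in [("generic", GENERIC_RULE),
                        ("generic depth:512", generic_with_depth(512)),
                        ("sid 1886", SID_1886)]:
        print(label, evaluate(rule))
```

Running it shows the trade-off the post describes: the generic rule fires on both the plain id output and the id output that trails a directory listing, while adding depth:512 misses the latter, and the benign page with a stray "uid=" does not fire because no "(" lands in the five-byte window. Under the modelled within semantics the pattern has to fit inside the window, so a five-digit uid such as 65534 pushes the "(" one byte past within:5 and the generic rule misses it; that is worth confirming against a local Snort build before tuning the within values.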