[Snort-sigs] ATTACK RESPONSES id check returned <blah> sigs

Jason Brvenik jasonb at ...435...
Mon Jan 27 12:38:21 EST 2003


Jon,

within will do just what you are looking for.

You could also do a generic rule that should false minimally by 
anchoring each content behind the last with the distance modifier.

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK 
RESPONSE id check detected"; flow:from_server,established; 
content:"uid="; nocase; content:"("; distance:0; within:5; content:")";
distance:0; within:10; classtype:bad-unknown; sid:1000000; rev:1;)

I don't know of any id checks that need to be nocase, but that doesn't 
mean they are not there, so I added it.

I also think that with the limitations of $HTTP_SERVERS and $HTTP_PORTS 
and flow:from_server it is pretty safe to open up the destination to any 
to cover internal threats as well.

I thought about adding a depth check to the first content match but that 
would eliminate an id check following some other output like an ls or 
cat /some/file or something so I left it out. For performance reasons I 
think depth:512 might be prudent but your tastes may be different.

I would be interested to hear if this falses at all. It seems pretty 
unlikely to me except for a web page on your site that has this content 
on it. In that case you own the web server and can pass for that 
specific page.

-Jason

[snip]

> 
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
> RESPONSES id check returned www"; flow:from_server,established;
> content:"uid="; content:"(www)"; within:10; classtype:bad-unknown; 
> sid:1882; rev:3;)
> 
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
> RESPONSES id check returned nobody"; flow:from_server,established;
> content:"uid="; content:"(nobody)"; within:10; classtype:bad-unknown;
> sid:1883; rev:3;)
> 
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
> RESPONSES id check returned web"; flow:from_server,established;
> content:"uid="; content:"(web)"; within:10; classtype:bad-unknown; 
> sid:1884; rev:3;)
> 
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
> RESPONSES id check returned http"; flow:from_server,established;
> content:"uid="; content:"(http)"; within:10; classtype:bad-unknown;
> sid:1885; rev:3;)
> 
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
> RESPONSES id check returned apache"; flow:from_server,established;
> content:"uid="; content:"(apache)"; within:10; classtype:bad-unknown;
> sid:1886; rev:3;)
> 
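The following is an added example, not code from the thread or from the Snort project: a small Python model of Snort 2 content matching with the nocase, depth, distance and within modifiers, used to run the generic rule above and the per-account rules (sids 1882-1886) against constructed server-to-client payloads. It assumes the usual Snort 2 semantics for these modifiers (a content with distance or within is searched in the window starting distance bytes past the end of the previous match and within bytes long; depth bounds a non-relative search to the first N bytes), and it only models the payload logic: flow, $HTTP_SERVERS and $HTTP_PORTS are taken as already satisfied. The rule names, the `fired` helper and all sample payloads are the example's own.

```python
"""Toy model of Snort 2 content/nocase/depth/distance/within matching,
used to exercise the "id check" rules from this thread on constructed
payloads.  Only payload-level content logic is modelled; flow and the
$HTTP_SERVERS / $HTTP_PORTS variables are assumed satisfied."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    depth: Optional[int] = None      # absolute: search only the first N bytes
    distance: Optional[int] = None   # relative: skip N bytes past the previous match
    within: Optional[int] = None     # relative: match must lie inside the next N bytes


def _find(hay: bytes, pat: bytes, nocase: bool) -> int:
    return hay.lower().find(pat.lower()) if nocase else hay.find(pat)


def rule_matches(payload: bytes, contents: List[Content]) -> bool:
    """True if every content matches in order.  Assumed semantics: a content
    carrying distance or within is searched in payload[prev_end + distance :
    prev_end + distance + within]; one with neither is searched from offset 0,
    bounded by depth when present."""
    prev_end = 0
    for c in contents:
        if c.distance is not None or c.within is not None:
            start = prev_end + (c.distance or 0)
            end = start + c.within if c.within is not None else len(payload)
        else:
            start = 0
            end = c.depth if c.depth is not None else len(payload)
        idx = _find(payload[start:end], c.pattern, c.nocase)
        if idx < 0:
            return False
        prev_end = start + idx + len(c.pattern)
    return True


# Jason's generic rule: "uid=" (nocase), "(" within 5, ")" within 10
GENERIC = [Content(b"uid=", nocase=True),
           Content(b"(", distance=0, within=5),
           Content(b")", distance=0, within=10)]

# The depth:512 variant Jason mentions for performance (example's own name)
GENERIC_DEPTH = [Content(b"uid=", nocase=True, depth=512)] + GENERIC[1:]


def named_rule(account: bytes) -> List[Content]:
    """Jon's per-account shape: content:"uid="; content:"(<acct>)"; within:10;"""
    return [Content(b"uid="), Content(b"(" + account + b")", within=10)]


RULES = {"generic": GENERIC}
for acct in (b"www", b"nobody", b"web", b"http", b"apache"):
    RULES["id check returned " + acct.decode()] = named_rule(acct)


def fired(payload: bytes) -> List[str]:
    """Names of the rules that fire on one server -> client payload."""
    return [name for name, rule in RULES.items() if rule_matches(payload, rule)]


# Constructed sample payloads (not real captures)
SAMPLES = {
    "root":     b"uid=0(root) gid=0(root) groups=0(root)\n",
    "www":      b"uid=33(www) gid=33(www) groups=33(www)\n",
    # id output following an ls, which a depth on "uid=" could miss
    "after_ls": b"total 8\n-rw-r--r-- 1 apache apache 12 Jan 27 12:38 x\n"
                b"uid=48(apache) gid=48(apache)\n",
    # "uid=" on a web page with no "(" after it: no alert
    "html":     b"<html><body>uid=</body></html>\n",
    # five or more uid digits push "(" outside the within:5 window
    "long_uid": b"uid=123456(svc) gid=100(users)\n",
    # only the nocase rule catches upper-case output
    "upper":    b"UID=0(ROOT) GID=0(ROOT)\n",
    # id output more than 512 bytes in: caught without depth, missed with it
    "late":     b"x" * 600 + b"uid=0(root) gid=0(root)\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:9s} -> {fired(payload)}")
    print("late, depth:512 ->", rule_matches(SAMPLES["late"], GENERIC_DEPTH))
```

Two things the run makes visible that the rule text alone does not: the within:5 after "uid=" caps the matched uid at four digits, so accounts with longer uids are missed by the generic rule, and depth:512 trades the ability to catch id output that follows a long directory listing for cheaper matching on large responses.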
