[Snort-sigs] Anti-IDS Rules patcher.

Glenn Larsson g.larsson at ...1246...
Fri Jan 31 16:14:05 EST 2003


Hi, I played with a few IDS evasion tricks
against Snort today; one scanner I found
(twwwscan) employs a few simple tricks in
the URI, like:

"/./", "\\", "/"

So I wrote this:

http://www.geocities.com/Ichinin/zip/patcher.zip
...to fix these kinds of problems.

(visit the site if download won't work)

Basically it takes a ".rules" file and patches
it by breaking up and replacing "URIContent"
tags (even "Content" if you choose to do so)
and recomposes the data into several tags which
are less insensitive to evasion.

So, for example:

... Uricontent:"/bin/ps"; nocase; ...

becomes

... Uricontent:"bin"; nocase; Uricontent:"ps"; nocase; ...

It is also sensitive if it is a combo of "Uricontent"
and "Content", and it also checks if the next statement is
"nocase;" and applies that as well.

As I said, I also included support for "Content"
tags, since a few people cannot read and use the
"Content:" statement when they should have used
"URIContent:" (!). The more precise you are,
the less processing power is required, and the
probability of a dropped packet is also
reduced.

*Hopefully* this program will not have to be
updated ever, and people will learn how to
write rules using the proper tags and not
write such specific rules that can be so easily
evaded.

The code is... somewhat commented, but it's not
intended to be a programming tutorial.

Have a nice weekend.

Regards,
Glenn
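The rewrite described above, as an added worked example. This is not Glenn's patcher (his code is in the zip linked above); it is an independent Python re-implementation of the same idea: find each uricontent (and, if asked, content) modifier, split its value on "/" and "\" into path fragments, and emit one modifier per fragment, carrying a trailing "nocase;" along. The sample rule, its sid and the request paths are constructed for the demo, and `uri_matches` is a deliberately simplified model of how independent uricontent modifiers are evaluated (each fragment is a separate substring test, order and adjacency ignored), not Snort's matching engine.

```python
#!/usr/bin/env python3
"""Split uricontent (and optionally content) modifiers in Snort rules into
path fragments so that inserting "/./" or swapping "/" for "\" in the URI
no longer breaks the match. Added example, not the patcher from the post."""
import re
from typing import List

# One uricontent/content modifier, its quoted value (Snort escapes allowed),
# the closing ";", and an optional trailing "nocase;". Snort keywords are
# case-insensitive, hence re.IGNORECASE.
_MODIFIER_RE = re.compile(
    r'(?P<kw>uricontent|content)\s*:\s*"(?P<val>(?:[^"\\]|\\.)*)"\s*;'
    r'(?P<nocase>\s*nocase\s*;)?',
    re.IGNORECASE,
)

_ESCAPABLE = '";|\\'   # characters Snort lets you escape inside a content string


def split_uri_content(value: str) -> List[str]:
    """Return the non-empty pieces of a content string between "/" or "\\"
    separators, e.g. "/bin/ps" -> ["bin", "ps"]. Escape sequences such as
    \\" or \\; are kept intact and never treated as separators."""
    parts, cur, i = [], '', 0
    while i < len(value):
        ch = value[i]
        if ch == '\\' and i + 1 < len(value) and value[i + 1] in _ESCAPABLE:
            cur += value[i:i + 2]      # keep the escape sequence verbatim
            i += 2
            continue
        if ch in '/\\':                # a path separator: end the fragment
            if cur:
                parts.append(cur)
            cur = ''
        else:
            cur += ch
        i += 1
    if cur:
        parts.append(cur)
    return parts


def patch_rule(rule: str, include_content: bool = False) -> str:
    """Rewrite every uricontent modifier (and content too if include_content)
    whose value spans more than one path segment into one modifier per
    segment, repeating the original "nocase;" after each fragment."""
    def rewrite(m: re.Match) -> str:
        kw = m.group('kw')
        if kw.lower() == 'content' and not include_content:
            return m.group(0)
        parts = split_uri_content(m.group('val'))
        if len(parts) <= 1:            # nothing to split, leave untouched
            return m.group(0)
        suffix = ' nocase;' if m.group('nocase') else ''
        return ' '.join(f'{kw}:"{p}";{suffix}' for p in parts)
    return _MODIFIER_RE.sub(rewrite, rule)


def patch_rules_text(text: str, include_content: bool = False) -> str:
    """Patch a whole .rules file body; comments and blank lines pass through."""
    out = []
    for line in text.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped.startswith('#'):
            out.append(line)
        else:
            out.append(patch_rule(line, include_content))
    return '\n'.join(out)


def uri_matches(uri: str, fragments: List[str], nocase: bool = True) -> bool:
    """Simplified model of independent uricontent modifiers: every fragment
    must occur somewhere in the URI, order and adjacency ignored."""
    if nocase:
        uri = uri.lower()
        fragments = [f.lower() for f in fragments]
    return all(f in uri for f in fragments)


# Constructed sample rule for the demo; the sid is a placeholder.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
               '(msg:"WEB-MISC /bin/ps access"; flow:to_server; '
               'uricontent:"/bin/ps"; nocase; content:"GET"; sid:1000001; rev:1;)')

if __name__ == '__main__':
    print(patch_rule(SAMPLE_RULE))
    # Constructed evasion paths: the single uricontent misses both, the
    # fragment set still fires on each.
    for evaded in ('/cgi-bin/./bin/./ps', '/cgi-bin/bin\\ps'):
        print(evaded,
              'original:', uri_matches(evaded, ['/bin/ps']),
              'patched:', uri_matches(evaded, split_uri_content('/bin/ps')))
```

The trade-off a practitioner should check before loading the patched file: fragments as short as "bin" and "ps" match plenty of unrelated URIs, so each split rule buys evasion resistance at the price of false positives, and the split also drops the ordering and adjacency the original string encoded. Snort's HTTP preprocessor normalises "/./" segments and IIS-style backslashes in the URI before uricontent is evaluated, so rule splitting is a complement to that normalisation, not a replacement for it.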