[Snort-sigs] false positive: WEB-FRONTPAGE fourdots request

Matt Kettler mkettler at ...189...
Tue Oct 7 15:14:06 EDT 2003


At 04:59 PM 10/7/2003, Hugo van der Kooij wrote:
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>(msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established;
>content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989;
>reference:cve,CAN-2000-0153; reference:arachnids,248;
>classtype:web-application-attack; sid:966;  rev:5;)

<style rant>

What's with all these rules which consist entirely of ASCII text but are 
written in hex format for no particularly good reason? What kind of drugs 
do you need to be on to think that "|2e 2e 2e 2e 2f|" is a better idea than 
"..../"?

Perhaps it's just copy-paste laziness from hex packet dumps, but it's 
really quite silly and makes the intent of the rule significantly harder to 
read IMO.

I don't write my emails in |68 65 78| do I?

</style rant>


The actual bug here appears to be that someone failed to use uricontent 
instead of content where they should have. The original vulnerability only 
pertains to the frontpage personal webserver following URLs containing 
four dots as a form of directory traversal. Thus the string will only ever 
appear in a URI. The false positive you saw was clearly not part of a URI, 
and was part of general http communications.

I think the following replacement rule should work better, and is 
significantly more readable too.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-FRONTPAGE directory traversal fourdots request"; \
flow:to_server,established; \
uricontent: "..../"; nocase; reference:bugtraq,989; \
reference:cve,CAN-2000-0153; reference:arachnids,248; \
classtype:web-application-attack; sid:1000966; rev:6;)

Note that I changed the SID by adding 1,000,000 to it, since this isn't an 
official rule.
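The content-versus-uricontent distinction from the post above, as an added illustration that is not part of the original message or of the Snort rule set: a small script that applies both matching scopes to constructed HTTP requests. `content` is modelled as a search over the whole payload, `uricontent` as a search over only the request URI after percent-decoding (a simplification of Snort's URI normalisation, assumed here). The request samples, the helper names and the `..../` pattern handling are all constructed for this example.

```python
"""Contrast 'content' (whole payload) with 'uricontent' (request URI only)
for the four-dot pattern discussed in the post. Added example; the HTTP
requests below are constructed, not captured traffic."""
from typing import Dict, Tuple
from urllib.parse import unquote

FOURDOTS = "..../"


def split_request(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (uri, headers, body) from a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1], headers, body


def content_match(raw: bytes) -> bool:
    """Original sid:966 semantics: 'content' looks at the entire payload,
    so a hit anywhere (headers, body) fires the rule."""
    return FOURDOTS in raw.decode("latin-1").lower()


def uricontent_match(raw: bytes) -> bool:
    """Replacement semantics: 'uricontent' looks only at the request URI.
    Percent-decoding stands in for Snort's URI normalisation (assumption)."""
    uri, _, _ = split_request(raw)
    normalized = unquote(uri.decode("latin-1"), encoding="latin-1")
    return FOURDOTS in normalized.lower()


# Constructed sample requests (hostnames and paths are placeholders).
SAMPLES: Dict[str, bytes] = {
    # The false-positive case: four dots in a form body, not in the URI.
    "body_only": (b"POST /guestbook.cgi HTTP/1.0\r\nHost: www.example.com\r\n"
                  b"Content-Length: 24\r\n\r\ncomment=wait..../ok then"),
    # Four dots literally in the URI: both rule forms should fire.
    "uri_literal": (b"GET /cgi-bin/..../index.htm HTTP/1.0\r\n"
                    b"Host: www.example.com\r\n\r\n"),
    # Four dots percent-encoded in the URI: only the normalised URI check sees it.
    "uri_encoded": (b"GET /%2e%2e%2e%2e/index.htm HTTP/1.0\r\n"
                    b"Host: www.example.com\r\n\r\n"),
    # Ordinary request: neither form fires.
    "clean": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
}


def evaluate(raw: bytes) -> Dict[str, bool]:
    """Run both rule scopes over one request."""
    return {"content": content_match(raw), "uricontent": uricontent_match(raw)}


def evaluate_all() -> Dict[str, Dict[str, bool]]:
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:12s} content={verdict['content']!s:5s} "
              f"uricontent={verdict['uricontent']}")
```

The `body_only` sample is the situation described in the post: the whole-payload search fires on ordinary HTTP traffic, the URI-scoped search does not. The `uri_encoded` sample shows the other half of the argument for `uricontent`: because it operates on the normalised URI, an encoded form of the same path is still caught, whereas a raw `content` search for the literal dots is not.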