[Snort-sigs] false positive: WEB-FRONTPAGE fourdots request

dmitriy.dunavetsky at ...1922... dmitriy.dunavetsky at ...1922...
Wed Oct 8 06:12:13 EDT 2003

I have a question about $HTTP_PORTS - My understanding that we can not use 
ports lists with snort.  Is it true?

Thank you,

Dmitriy Dunavetsky
Security Analyst
Clorox Services Company
510 271-7631

Matt Kettler <mkettler at ...189...>
Sent by: snort-sigs-admin at lists.sourceforge.net
10/07/2003 03:14 PM

        To:     Hugo van der Kooij <hvdkooij at ...481...>, snort-sigs mailinglist 
<snort-sigs at lists.sourceforge.net>
        Fax to: 
        Subject:        Re: [Snort-sigs] false positive: WEB-FRONTPAGE fourdots request

At 04:59 PM 10/7/2003, Hugo van der Kooij wrote:
>(msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established;
>content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989;
>reference:cve,CAN-2000-0153; reference:arachnids,248;
>classtype:web-application-attack; sid:966;  rev:5;)

<style rant>

What's with the all these rules which consist entirely of ASCII text  are
written in hex format for no particularly good reason? What kind of drugs
do you need to be on to think that "|2e 2e 2e 2e 2f|" is a better idea 

Perhaps it's just copy-paste laziness from hex packet dumps, but it's
really quite silly and makes the intent of the rule significantly harder 
read IMO.

I don't write my emails in |68 65 78| do I?

</style rant>

The actual bug here appears to be that someone failed to use uricontent
instead of content where they should have. The original vulnerability only
pertains to the frontpage personal webserver following URL's containing
four dots as a form of directory traversal. Thus the string will only ever
appear in a URI. The false positive you saw was clearly not part of a URI,
and was part of general http communications.

I think the following replacement rule should work better, and is
significantly more readable too.

(msg:"WEB-FRONTPAGE directory traversal fourdots request";
flow:to_server,established; \
uricontent: "..../"; nocase; reference:bugtraq,989; \
reference:cve,CAN-2000-0153; reference:arachnids,248; \
classtype:web-application-attack; sid:1000966;  rev:6;) \

Note that I changed the SID by adding 1,000,000 to it, since this isn't an
official rule.

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20031008/60d4db42/attachment.html>

More information about the Snort-sigs mailing list