[Snort-sigs] False positives WEB-CGI calendar access

Daniel de Young daniel at ...1912...
Tue Sep 30 01:22:04 EDT 2003


On Mon, 2003-09-29 at 23:46, Johnathan Norman wrote:
> Well this rule, as with many of the "access" rules, is way too vague. The
> rule should be changed to check for calendar_admin.pl which is the perl
> script that the rule is worried about.

according to:

http://www.securityfocus.com/bid/1215/discussion/

both calendar_admin.pl AND calendar.pl are vulnerable.  Perhaps the rule
was generalized to catch either scan AND anything else that came along.

rev:4 on such a simple rule seems to suggest it.  

in any event...

I suggest to the original poster that they duplicate and modify the
rule(s), give it a sid in the custom range and comment out the
original.  something like:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
calendar access";flow:to_server,established;
uricontent:"/calendar_admin.pl"; nocase; classtype:attempted-recon;
reference:CVE,CVE-2000-0432; sid:1000090; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
calendar access";flow:to_server,established; uricontent:"/calendar.pl";
nocase; classtype:attempted-recon; reference:CVE,CVE-2000-0432;
sid:1000091; rev:1;)

-OR-

they could live with the false positives... it's up to him/her

-daniel
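As an added illustration of the tuning suggested above (not part of the thread, and not Snort's own matching engine), the following Python models only the `uricontent` substring test plus the `nocase` modifier and runs the broad sid:882 rule and the two narrower replacements over a handful of constructed request URIs; the rule strings are the ones quoted in this thread, and the sample URIs are invented for the demonstration.

```python
import re

# Rules from the thread: the original broad sid:882 rule and the two narrower
# replacements in the custom sid range suggested above.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-CGI calendar access"; flow:to_server,established; '
    'uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:4;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-CGI calendar access"; flow:to_server,established; '
    'uricontent:"/calendar_admin.pl"; nocase; classtype:attempted-recon; '
    'reference:CVE,CVE-2000-0432; sid:1000090; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-CGI calendar access"; flow:to_server,established; '
    'uricontent:"/calendar.pl"; nocase; classtype:attempted-recon; '
    'reference:CVE,CVE-2000-0432; sid:1000091; rev:1;)',
]

# Constructed sample URIs: one ordinary static page like the one in the thread,
# one nested path, the two vulnerable scripts, and an unrelated request.
SAMPLE_URIS = [
    "/calendar.html",
    "/events/Calendar/2003.html",
    "/cgi-bin/calendar_admin.pl?x=1",
    "/cgi-bin/CALENDAR.PL",
    "/index.html",
]

# One "key", "key:value" or 'key:"quoted value"' option, terminated by ';'.
OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("[^"]*"|[^;]*))?\s*;')


def parse_rule(rule):
    """Return the option block of a Snort rule as (key, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(k, v.strip('"')) for k, v in OPTION_RE.findall(body)]


def uri_matches(opts, uri):
    """Model of uricontent: a plain substring test on the request URI; a
    'nocase' option directly after it makes that one test case-insensitive.
    Other options (flow, classtype, ...) are ignored in this model."""
    checks = []
    for key, value in opts:
        if key == "uricontent":
            checks.append([value, False])
        elif key == "nocase" and checks:
            checks[-1][1] = True
    for needle, nocase in checks:
        hay, pat = (uri.lower(), needle.lower()) if nocase else (uri, needle)
        if pat not in hay:
            return False
    return bool(checks)


def firing_sids(uris, rules=RULES):
    """Map each URI to the sids of the rules whose uricontent tests it passes."""
    parsed = [parse_rule(r) for r in rules]
    return {u: [int(dict(o)["sid"]) for o in parsed if uri_matches(o, u)]
            for u in uris}


if __name__ == "__main__":
    for uri, sids in firing_sids(SAMPLE_URIS).items():
        print(f"{uri:35} -> {sids or 'no alert'}")
```

The output shows sid:882 firing on every path containing "/calendar" (including the plain HTML page that caused the false positives), while the two replacement rules fire only on requests for the two scripts named in the BID reference.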


> On Mon, 29 Sep 2003, Daniel de Young wrote:
> 
> > On Sun, 2003-09-28 at 22:11, Hugo van der Kooij wrote:
> >
> > > The signature:
> > >
> > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
> > > calendar access";flow:to_server,established; uricontent:"/calendar";
> > > nocase; classtype:attempted-recon; sid:882;  rev:4;)
> > >
> > > I have not yet figured out a better signature. (If anyone can please share
> > > your views.)
> >
> > This rule doesn't seem to be very useful on your network...
> >
> > If a request to "calender.html" from outside is valid activity, I'd just
> > comment out the rule.
> >
> > Am I missing something?
> >
> > -Daniel
> >
> >
> >