[Snort-sigs] SID 1561 WEB-MISC ?open access

Knut Bjornstad kbjo at ...1893...
Wed Apr 14 05:05:00 EDT 2004


What is this for? 

The rule documentation says:
"This event is generated when an attempt is made to compromise a host
 running a Web server or a vulnerable application on a web server.

 Many known vulnerabilities exist for each implementation and the
 attack scenarios are legion.

 Some applications do not perform stringent checks when validating the
 credentials of a client host connecting to the services offered on a
 host server. This can lead to unauthorized access and possibly escalated
 privileges to that of the administrator. Data stored on the machine can
 be compromised and trust relationships between the victim server and
 other hosts can be exploited by the attacker."

I am not sure what is talked about, this seems too general. I was unable
to find out what vulnerability(ies) are meant here. There aren't any
references either.

The rule:
 "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
 ?open access"; flow:to_server,established; uricontent:"?open"; nocase;
 classtype:web-application-activity; sid:1561; rev:4;)"

This will fire on anything with an argument starting with "open" no
matter what is opened. I find this extremely general and FP-prone.

E.g. in my own net I observe the following Domino-related statements:

GET /xxxx/crcoins.nsf/menu?openAgent&id=10.HTTP/1.1

GET /yyyy/zzzz/launcher.nsf?Open HTTP/1.1

But I think this will not be the only type of false positives, so I
think the "False positive" field should not be 
"None known"

but rather

"Will fire on anything with ?open in it"

or similar.

-- 
--Knut Bjornstad -- ErgoIntegration AS ---Oslo, Norway-------
--kbjo at ...1893... -- t:47 23 14 53 36 -- mob: 901 15 917 --
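To make the false-positive argument concrete, here is an added example (not part of the post, and not Snort code) that emulates the one detection element of SID 1561, `uricontent:"?open"; nocase;`, as a case-insensitive substring test on the request-URI, and runs it over constructed request lines modelled on the two Domino requests quoted above plus a few made-up neighbours. The `.nsf` suffix check used to flag probable Domino hits is an assumption for illustration; it is not part of the rule, and real Snort matches against its normalized URI buffer rather than the raw request line.

```python
import re
from urllib.parse import urlsplit

# The only detection element of SID 1561 as quoted in the post: the request-URI
# contains "?open", compared case-insensitively (nocase).
RULE_URICONTENT = "?open"

# Constructed sample request lines (not captured traffic). The first two mirror
# the Domino requests quoted in the post; the rest probe the rule's boundaries.
SAMPLE_REQUESTS = [
    "GET /xxxx/crcoins.nsf/menu?openAgent&id=10 HTTP/1.1",
    "GET /yyyy/zzzz/launcher.nsf?Open HTTP/1.1",
    "GET /reports.cgi?open=2004-04 HTTP/1.0",
    "GET /index.html?page=open HTTP/1.1",
    "GET /docs/opening.html HTTP/1.1",
    "POST /api/open?id=7 HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$")


def request_uri(line):
    """Return the request-URI from an HTTP request line, or None if malformed."""
    m = REQUEST_LINE.match(line)
    return m.group("uri") if m else None


def sid1561_matches(uri):
    """Emulate uricontent:"?open"; nocase; as a case-insensitive substring test.

    Note the '?' is part of the pattern: "?page=open" and "/open?id=7" do not
    match, while "?Open", "?openAgent" and "?open=..." all do.
    """
    return RULE_URICONTENT in uri.lower()


def classify(line, domino_suffixes=(".nsf",)):
    """Apply the rule, then tag hits whose path contains a Domino database
    (a ".nsf" path segment) as the benign pattern the post describes.
    The ".nsf" heuristic is an assumption for illustration, not rule logic."""
    uri = request_uri(line)
    if uri is None:
        return "malformed"
    if not sid1561_matches(uri):
        return "no-alert"
    path = urlsplit(uri).path.lower()
    if any(seg.endswith(domino_suffixes) for seg in path.split("/")):
        return "alert:likely-domino-fp"
    return "alert"


def run(lines=SAMPLE_REQUESTS):
    """Classify every sample line; returns {request_line: verdict}."""
    return {line: classify(line) for line in lines}


if __name__ == "__main__":
    for line, verdict in run().items():
        print(f"{verdict:24} {line}")
```

Both Domino lines trip the rule and are tagged as the likely false positives the post complains about, the `reports.cgi?open=` line alerts with no further context, and the three remaining lines show that the rule is narrower than "anything with open in the URI": the `?` must immediately precede `open`.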