[Snort-sigs] Suggestions for new attack response rules

Esler, Joel - Contractor joel.esler at ...783...
Fri Dec 3 07:21:04 EST 2004


It's easy to write a PCRE rule to detect all the variants.

J

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Chris Keladis
Sent: Friday, December 03, 2004 10:13 AM
To: Joe Patterson
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Suggestions for new attack response rules


Joe Patterson wrote:

Hi Joe,

> The primary utility I'm trying to get to here is this.  Looking at one
> of my apache webservers, in the last two weeks I've gotten 70 requests
> for /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir.  They all got a
> 400 response.  They all triggered an IDS alert.  Those alerts weren't
> really false positives.  It was a real attack, but the server wasn't
> vulnerable.  I certainly can't ignore those alerts, but I can take my
> time getting to them.
>
> However, if someone were to (unbeknownst to me) stick an unpatched IIS
> box in the DMZ, and that same request came in and received a 200 OK
> response, I would absolutely want to know about it immediately.
> That's what I see as the primary value of these rules.

Brian has a point in that you can't rely on the web-server return-code
being a certain value.

I think these types of rules are site-specific and best kept confined to
local.rules, and preferably, confined to specific machines.

You will get FPs again when somebody puts a webserver online that
doesn't return the anticipated 400 return code for the requests, but
that decision is left up to the site's administrator.

As Brian said, it is not uncommon to have a web-server return 200 OK for
everything.

This type of thing is better handled by technology such as Sourcefire's 
RNA, which adds secondary intelligence to unify the alerts you get.

That's not to say other FPs can't be weeded out using rules, just this
particular one is not best done by rules.

Regards,

Chris.

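Added example, not from the thread and not Snort project code: a Python triage script that applies the kind of PCRE Joel mentions to constructed access-log lines, then ranks each hit by the response code the way Joe describes, with a per-host exception for servers that, as Brian and Chris note, answer 200 OK to everything. The `local_rules()` helper emits the matching Snort 2.x flowbits rule pair confined to one server address, the local.rules placement Chris suggests. The host names, client addresses, server IP and SIDs are constructed; the Apache `vhost_combined` log layout and Snort 2 rule syntax are assumptions.

```python
"""Triage cmd.exe traversal requests by server response (added example)."""
import re
from typing import FrozenSet, List, Optional

# The request quoted in the thread, /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir,
# and its variants: ".." followed by a raw, %-encoded or %%-double-encoded
# separator, then anything up to cmd.exe.  Written as plain PCRE so the same
# expression can be dropped into a Snort pcre: option.
TRAVERSAL_CMDEXE = re.compile(
    r"\.\.(?:%[0-9a-f]{2}|%%[0-9a-f]{2}|[/\\])\S*?cmd\.exe", re.IGNORECASE
)

# Apache "vhost_combined" layout (assumption): server:port client ident user
# [time] "METHOD uri PROTO" status size ...
ACCESS_LINE = re.compile(
    r'^(?P<server>[^:\s]+):\d+ (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines; none of these are from the original post.
SAMPLE_LOG = [
    'www.example.com:80 203.0.113.5 - - [03/Dec/2004:10:13:00 -0500] '
    '"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226',
    'iis.example.com:80 203.0.113.5 - - [03/Dec/2004:10:13:01 -0500] '
    '"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1510',
    'catchall.example.com:80 203.0.113.5 - - [03/Dec/2004:10:13:02 -0500] '
    '"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 3120',
    'www.example.com:80 198.51.100.7 - - [03/Dec/2004:10:13:03 -0500] '
    '"GET /index.html HTTP/1.1" 200 4215',
    'www.example.com:80 203.0.113.9 - - [03/Dec/2004:10:13:04 -0500] '
    '"GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209',
]


def triage(line: str, answers_200_to_everything: FrozenSet[str] = frozenset()) -> Optional[dict]:
    """Return a triage record for a traversal request, or None if the line
    does not parse or is not an attack request.

    Priority follows the thread: a 4xx/5xx answer is a real attack against a
    server that did not serve it (low, look later); a 200 OK is high; on a
    host known to answer 200 to everything the status carries no signal, so
    the hit is medium rather than high.
    """
    m = ACCESS_LINE.match(line)
    if not m or not TRAVERSAL_CMDEXE.search(m["uri"]):
        return None
    status = int(m["status"])
    if m["server"] in answers_200_to_everything:
        priority = "medium"
    elif status == 200:
        priority = "high"
    else:
        priority = "low"
    return {"server": m["server"], "client": m["client"],
            "uri": m["uri"], "status": status, "priority": priority}


def triage_log(lines: List[str], answers_200_to_everything: FrozenSet[str] = frozenset()) -> List[dict]:
    """Run triage() over a log and keep only the hits."""
    hits = (triage(line, answers_200_to_everything) for line in lines)
    return [h for h in hits if h is not None]


def local_rules(server_ip: str, sid_base: int = 1000001) -> List[str]:
    """Emit a Snort 2.x request/response rule pair for local.rules, confined
    to one server address.  The request rule only sets a flowbit; the
    response rule alerts when that flow answers 200 OK.  Rule syntax and
    the SID range are assumptions, not the project's own rules."""
    pcre = TRAVERSAL_CMDEXE.pattern.replace("/", r"\/")   # escape the delimiter
    request = (
        f'alert tcp $EXTERNAL_NET any -> {server_ip} $HTTP_PORTS ('
        'msg:"LOCAL cmd.exe traversal request"; flow:to_server,established; '
        f'pcre:"/{pcre}/i"; flowbits:set,local_cmdexe_req; flowbits:noalert; '
        f'classtype:web-application-attack; sid:{sid_base}; rev:1;)'
    )
    response = (
        f'alert tcp {server_ip} $HTTP_PORTS -> $EXTERNAL_NET any ('
        'msg:"LOCAL cmd.exe traversal answered 200 OK"; flow:to_client,established; '
        'flowbits:isset,local_cmdexe_req; pcre:"/^HTTP\\/1\\.[01] 200 /"; '
        f'classtype:successful-admin; sid:{sid_base + 1}; rev:1;)'
    )
    return [request, response]


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG, frozenset({"catchall.example.com"})):
        print(f'{hit["priority"]:6} {hit["server"]:22} {hit["status"]} {hit["uri"]}')
    print()
    print("\n".join(local_rules("192.0.2.10")))
```

The catch-all set is the knob Chris is describing: it is maintained per site, and a host in it never produces a "high" hit on status alone, because its 200 means nothing. The same pattern string feeds both the log triage and the request rule, so the two views of the same traffic stay in step.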

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs