[Snort-sigs] Suggestions for new attack response rules

Nick nick at ...2174...
Mon Dec 6 08:04:04 EST 2004


Joe Patterson said the following on 06/12/2004 13:14:
> To my mind, it's a progression of making life harder and harder for an
> attacker.  2123 is a good rule, IMHO, and will catch some successful
> attacks.  It *is* trivially evaded, but will catch successful attacks by
> attackers who don't put forth that trivial effort.  Signature 1292
> (ATTACK-RESPONSES directory listing) will catch the strangely common case of
> attacks that try and find a cmd shell using "/c dir", but is trivially
> evaded by attacks that instead send "/c echo moo".  Likewise, it will catch
> some things, but will miss attacks that put forth the effort to evade it.
> The next step in the evolution, as I see it, is my initial suggestion of
> looking for [23]?? http response codes.  This *should* catch even more
> things than either 2123 or 1292.  It will catch the attackers who are smart
> enough to evade those signatures, but not quite clever enough to make sure
> that all of their commands terminate with a false exit status, or some other
> method for avoiding the generation of a non-error status code.  The next
> step is my refined suggestion to have a rule which logs *some* context in
> the response to every attack.  This requires the attacker to craft his
> attacks in such a way that the response is indistinguishable *to an
> intelligent human analyst* from normal traffic.  This is certainly possible
> also, but it makes life harder for the attacker, and I am strongly in favor
> of making life very very hard for attackers.
> 
> -Joe

How about checking for "*.cmd\.exe" (and other locally accessible commands) in 
the URI content, marking that packet (flowbits) and then checking for a 
non-error response? (bearing in mind that the web application should only send 
non-error responses to good completed URIs - there's an RFC somewhere)

So, using an adaptation of N's @nardware.co.uk FP reduction in a previous thread...

# Request side: tag the flow when cmd.exe appears in the normalised URI
# (uricontent is case-sensitive unless nocase is added); no alert on its own.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
  (msg:"I can see a windows cmd.exe"; sid:2000000; \
  rev:0; classtype:not-suspicious; \
  flow:to_server,established; \
  uricontent:"cmd.exe"; \
  flowbits: set,iscmdexe; \
  flowbits: noalert;)

# Response side: fire only if the server answered a tagged flow with a 200.
# Matching the literal "HTTP/1.1 200 OK" misses HTTP/1.0 responses and other
# 2xx/3xx codes; the flowbits check is what ties it back to the request.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
  (msg:"cmd.exe attempt successful, danger danger Wil Robinson, get out of bed"; \
  sid:2000001; rev:0; classtype:web-application-attack; \
  flow:from_server,established; \
  content:"HTTP/1.1 200 OK"; \
  flowbits: isset,iscmdexe;)

I haven't tested the above as I don't have an IIS box.  But hopefully you'll get 
my meaning? (treat it as pseudo code) ;-)

cheers,

Nick.
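The request/response correlation Nick sketches with flowbits, written out as a small Python simulation so the logic can be run offline. This is an added example, not code from the post or from the Snort project. It assumes the traffic is already reassembled into per-flow request and status lines; the sample flows below are constructed, not a capture. It also generalises Nick's single `content:"HTTP/1.1 200 OK"` to Joe's `[23]??` idea (any 2xx or 3xx, on HTTP/1.0 or 1.1) and decodes the URI before the `cmd.exe` check, which is roughly what Snort's URI normalisation does for `uricontent`.

```python
"""Flow-state correlation of a suspicious request URI with a non-error HTTP
response, modelled on the flowbits pairing in the post.  Added example for
this page; SAMPLE_TRAFFIC is constructed, not real IIS traffic."""
import re
from urllib.parse import unquote

# Constructed sample traffic: (flow_id, direction, first line of the payload).
SAMPLE_TRAFFIC = [
    ("A", "to_server",   "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("A", "from_server", "HTTP/1.0 200 OK"),                      # success -> alert
    ("B", "to_server",   "GET /scripts/cmd.exe?/c+dir HTTP/1.1"),
    ("B", "from_server", "HTTP/1.1 404 Not Found"),               # failed probe
    ("C", "to_server",   "GET /index.html HTTP/1.1"),
    ("C", "from_server", "HTTP/1.1 200 OK"),                      # benign, never tagged
    ("D", "to_server",   "GET /cgi-bin/CMD.EXE?/c+echo+moo HTTP/1.1"),
    ("D", "from_server", "HTTP/1.1 302 Found"),                   # 3xx, evades "/c dir" sigs
    ("E", "to_server",   "GET /scripts/cmd.exe?/c+dir HTTP/1.1"),
    ("E", "from_server", "HTTP/1.1 500 Internal Server Error"),   # error status
]

REQUEST_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/1\.[01]$")
# Joe's "[23]??": any 2xx or 3xx status, not just the literal "HTTP/1.1 200 OK".
STATUS_LINE = re.compile(r"^HTTP/1\.[01] ([23]\d\d) ")
SUSPECT = "cmd.exe"   # stands in for uricontent:"cmd.exe"


def suspicious_uri(request_line):
    """uricontent-style check on the normalised (percent-decoded) URI.

    Decoding twice covers double-encoded paths such as %255c; lower-casing
    behaves like adding nocase to the Snort rule.
    """
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False
    uri = unquote(unquote(m.group(1)))
    return SUSPECT in uri.lower()


def correlate(events):
    """Return (flow_id, status) for each non-error response on a tagged flow.

    `bits` plays the role of the iscmdexe flowbit: set on the request,
    tested on the response.  The bit is cleared after one alert so a single
    probe on a keep-alive connection does not alert on every later response;
    the rule as posted leaves the bit set for the life of the flow.
    """
    bits = set()
    alerts = []
    for flow_id, direction, line in events:
        if direction == "to_server":
            if suspicious_uri(line):
                bits.add(flow_id)                 # flowbits:set,iscmdexe
        else:
            m = STATUS_LINE.match(line)
            if m and flow_id in bits:             # flowbits:isset,iscmdexe
                alerts.append((flow_id, int(m.group(1))))
                bits.discard(flow_id)
    return alerts


if __name__ == "__main__":
    for flow_id, status in correlate(SAMPLE_TRAFFIC):
        print(f"flow {flow_id}: cmd.exe request answered with {status}")
```

Flows A and D fire, B, C and E do not: the 404 and 500 responses are exactly the failed probes the pairing is meant to suppress, and flow D shows why matching only `200 OK` is too narrow. Whether a 302 after a `cmd.exe` request really means success depends on the application, so treat the 3xx case as an analyst's hint rather than a certainty.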