[Snort-sigs] Suggestions for new attack response rules

Jason security at ...704...
Mon Dec 6 21:34:06 EST 2004

> How about checking for "*.cmd\.exe" (and other locally accessible 
> commands) in the URI content, marking that packet (flowbits) and then 
> checking for a non-error response? (bearing in mind that the web 
> application should only send non-error responses to good completed URIs 
> - there's an RFC somewhere)
> so, using an adaptation of N's @nardware.co.uk FP reduction in a 
> previous thread...
>  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
>  (msg:"I can see a windows cmd.exe"; sid:2000000; \
>  rev:0; classtype:not-suspicious; \
>  flow:to_server,established; \
>  uricontent:"cmd.exe"; \
>  flowbits:set,iscmdexe; \
>  flowbits:noalert;)

The noalert will cause you to miss the commands sent, and all you will 
get is an alert telling you there was a non-success response code. Even 
if you generate alerts for the cmd.exe/whatever access, I think that if 
this is applied in practice you will find more non-issues than you care 
to deal with...

>  alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
>  (msg:"cmd.exe attempt successful, danger danger Wil Robinson, get out of bed"; \
>  sid:2000001; rev:0; classtype:web-application-attack; \
>  flow:from_server,established; \
>  content:"HTTP/1.1 200 OK"; \
>  flowbits:isset,iscmdexe;)

Assuming HTTP/1.1, and of course assuming the other 200 codes are issues:

Following a POST command, this indicates success, but the textual part 
of the response line indicates the URI by which the newly created 
document should be known.

Accepted 202
The request has been accepted for processing, but the processing has not 
been completed. The request may or may not eventually be acted upon, as 
it may be disallowed when processing actually takes place. There is no 
facility for status returns from asynchronous operations such as this.

Partial Information 203
When received in the response to a GET command, this indicates that the 
returned metainformation is not a definitive set of the object from a 
server with a copy of the object, but is from a private overlaid web. 
This may include annotation information about the object, for example.

No Response 204
Server has received the request but there is no information to send 
back, and the client should stay in the same document view. This is 
mainly to allow input for scripts without changing the document at the 
same time.

But those are edge cases. I still think this method is prone to false 
negatives and puts you at more risk.

GET /somepath/cmd.exe?deltree+**&exit+5

and all your files are gone, and the response is a 500 server error with 
nada in the way of an alert to help you figure out why, so after you 
rebuild it can happen again and again...

> I haven't tested the above as I don't have an IIS box.  But hopefully 
> you'll get my meaning??? (treat it as pseudo code) ;-)
> cheers,
> Nick.
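Added example, not code from this thread or from Snort: a small Python emulation of the flowbits correlation in the quoted rule pair, run over constructed request/response pairs. It shows the objection raised above in concrete terms. With flowbits:noalert on the request rule and an exact "HTTP/1.1 200 OK" match on the response rule, the deltree request that draws a 500 produces no alert at all, and neither does a 204 or an HTTP/1.0 200 response; removing noalert reports the request whatever the server answers. The Rule and Packet classes, the uri_of stand-in for Snort's URI normalisation, and the sample sessions are all assumptions of the example.

```python
# Added example (not from the original thread, not Snort code): emulate
# Snort's per-flow flowbits handling for the quoted cmd.exe rule pair and
# run it over constructed HTTP sessions to expose the false negatives.
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    sid: int
    msg: str
    flow: str                        # "to_server" or "from_server"
    match: str                       # uricontent (to_server) / content (from_server)
    set_bit: Optional[str] = None    # flowbits:set,<name>
    isset_bit: Optional[str] = None  # flowbits:isset,<name>
    noalert: bool = False            # flowbits:noalert


@dataclass
class Packet:
    flow: str       # direction as Snort's flow keyword sees it
    payload: str    # first line of the HTTP message (constructed sample data)


def uri_of(request_line: str) -> str:
    """'GET /x/cmd.exe?a HTTP/1.1' -> '/x/cmd.exe?a' (stand-in for the normalised URI)."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def evaluate(rules: List[Rule], session: List[Packet]) -> List[int]:
    """Run the rule set over one TCP session, keeping flowbits per flow.
    Returns the sids of the alerts raised, in order."""
    bits: Set[str] = set()
    fired: List[int] = []
    for pkt in session:
        for rule in rules:
            if rule.flow != pkt.flow:
                continue
            haystack = uri_of(pkt.payload) if rule.flow == "to_server" else pkt.payload
            if rule.match not in haystack:          # content/uricontent are exact, case-sensitive
                continue
            if rule.isset_bit and rule.isset_bit not in bits:
                continue
            if rule.set_bit:                        # the bit is set even when noalert is on
                bits.add(rule.set_bit)
            if not rule.noalert:
                fired.append(rule.sid)
    return fired


# The two rules as quoted in the thread, minus the rule header.
AS_POSTED = [
    Rule(2000000, "I can see a windows cmd.exe", "to_server", "cmd.exe",
         set_bit="iscmdexe", noalert=True),
    Rule(2000001, "cmd.exe attempt successful", "from_server", "HTTP/1.1 200 OK",
         isset_bit="iscmdexe"),
]
# The same pair with flowbits:noalert removed, so the request itself is reported.
REQUEST_ALERTED = [
    Rule(2000000, "I can see a windows cmd.exe", "to_server", "cmd.exe",
         set_bit="iscmdexe"),
    AS_POSTED[1],
]


def session(request_line: str, status_line: str) -> List[Packet]:
    return [Packet("to_server", request_line), Packet("from_server", status_line)]


# Constructed sample sessions: one request line, one status line each.
SESSIONS = {
    "cmd 200":     session("GET /somepath/cmd.exe HTTP/1.1", "HTTP/1.1 200 OK"),
    "cmd 500":     session("GET /somepath/cmd.exe?deltree+**&exit+5 HTTP/1.1",
                           "HTTP/1.1 500 Internal Server Error"),
    "cmd 204":     session("GET /somepath/cmd.exe HTTP/1.1", "HTTP/1.1 204 No Content"),
    "cmd 1.0 200": session("GET /somepath/cmd.exe HTTP/1.0", "HTTP/1.0 200 OK"),
    "benign 200":  session("GET /index.html HTTP/1.1", "HTTP/1.1 200 OK"),
}


def report() -> dict:
    """Alerts per session for both rule sets; an empty list is a missed event."""
    return {name: {"as_posted": evaluate(AS_POSTED, s),
                   "request_alerted": evaluate(REQUEST_ALERTED, s)}
            for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:12} as posted: {result['as_posted']}"
              f"   noalert removed: {result['request_alerted']}")
```

The only session the as-posted pair ever reports is the one that happens to return exactly "HTTP/1.1 200 OK"; the deltree request with its 500, the 204, and the HTTP/1.0 server all go unreported. Dropping noalert costs nothing in correlation (the bit is still set) and restores the alert on the request, which is the one that shows what was actually sent.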
