[Snort-sigs] Suggestions for new attack response rules
security at ...704...
Mon Dec 6 21:34:06 EST 2004
> How about checking for "*.cmd\.exe" (and other locally accessible
> commands) in the URI content, marking that packet (flowbits) and then
> checking for a non-error response? (bearing in mind that the web
> application should only send non-error responses to good completed URIs
> - there's an RFC somewhere)
> so, using an adaptation of N's @nardware.co.uk FP reduction in a
> previous thread...
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
> (msg:"I can see a windows cmd.exe"; sid:2000000; \
> rev:0; classtype:not-suspicious; \
> flow:to_server,established; \
> uricontent:"cmd.exe"; \
> flowbits: set,iscmdexe; \
> flowbits: noalert;)
The noalert will cause you to miss the commands sent, and all you will
get is an alert telling you there was a non-success response code. Even
if you generate alerts for the cmd.exe/whatever access, I think that if
this is applied in practice you will find more non-issues than you care
to deal with...
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
> (msg:"cmd.exe attempt successful, danger danger Wil Robinson, get out
> of bed"; \
> sid:2000001; rev:0; classtype:web-application-attack; \
> flow:from_server,established; \
> content:"HTTP/1.1 200 OK"; \
> flowbits: isset,iscmdexe;)
Assuming HTTP/1.1, and of course assuming the other 200 codes are issues:

Following a POST command, this indicates success, but the textual part
of the response line indicates the URI by which the newly created
document should be known.

The request has been accepted for processing, but the processing has not
been completed. The request may or may not eventually be acted upon, as
it may be disallowed when processing actually takes place. There is no
facility for status returns from asynchronous operations such as this.

Partial Information 203
When received in the response to a GET command, this indicates that the
returned metainformation is not a definitive set of the object from a
server with a copy of the object, but is from a private overlaid web.
This may include annotation information about the object, for example.

No Response 204
Server has received the request but there is no information to send
back, and the client should stay in the same document view. This is
mainly to allow input for scripts without changing the document at the
But those are edge cases. I still think this method is prone to false
negatives and puts you at more risk.
And all your files are gone and the response is 500 server error with
nada alert to help you figure out why, so after you rebuild it can
happen again and again...
> I haven't tested the above as I don't have an IIS box. But hopefully
> you'll get my meaning??? (treat it as pseudo code) ;-)
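As an added illustration (not code from this thread), a small Python model of the flowbits correlation discussed above, run over constructed request/response pairs: it shows that the proposed rule pair fires only on an exact "HTTP/1.1 200 OK" and stays silent on a 202 or on a 500 after a cmd.exe request, beside a variant that keeps the request-side alert and accepts any 2xx. The sample URIs, status lines and function names are assumptions.

```python
import re

# Constructed sample flows: (request URI, server status line), one per TCP session.
SAMPLE_FLOWS = [
    ("/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", "HTTP/1.1 200 OK"),
    ("/scripts/cmd.exe?/c+del+*.*", "HTTP/1.1 500 Internal Server Error"),
    ("/cgi-bin/cmd.exe?/c+echo", "HTTP/1.0 202 Accepted"),
    ("/index.html", "HTTP/1.1 200 OK"),
]

def correlate_as_proposed(flows):
    """Model of the two-rule scheme from the thread: the request rule sets
    'iscmdexe' with noalert, and the response rule alerts only on an exact
    'HTTP/1.1 200 OK' content match while that bit is set."""
    alerts = []
    for uri, status in flows:
        iscmdexe = "cmd.exe" in uri.lower()           # uricontent + flowbits:set
        if iscmdexe and status == "HTTP/1.1 200 OK":  # content + flowbits:isset
            alerts.append((uri, "cmd.exe attempt successful"))
    return alerts

def correlate_hardened(flows):
    """Variant (an assumption, not the thread's rule) that drops noalert so the
    request itself is logged, and treats any 2xx status on a flagged flow as a
    success; a 500 after a cmd.exe request then still leaves an audit trail."""
    alerts = []
    for uri, status in flows:
        if "cmd.exe" not in uri.lower():
            continue
        alerts.append((uri, "cmd.exe in URI"))        # request-side alert kept
        m = re.match(r"HTTP/1\.[01] (\d{3})", status)
        if m and m.group(1).startswith("2"):
            alerts.append((uri, "cmd.exe attempt successful"))
    return alerts

if __name__ == "__main__":
    for name, fn in (("proposed", correlate_as_proposed), ("hardened", correlate_hardened)):
        print(name)
        for uri, msg in fn(SAMPLE_FLOWS):
            print("  ", msg, "<-", uri)
```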