[Snort-sigs] Suggestions for new attack response rules
nick at ...2174...
Tue Dec 7 01:11:03 EST 2004
Jason said the following on 07/12/2004 05:33:
> the noalert will cause you to miss the commands sent and all you will
> get is an alert telling you there was a non-success response code. Even
> if you generate alerts for the cmd.exe/whatever access I think that if
> this is applied in practice you will find more non-issues than you care
> to deal with...
Yep, that was the point.
> Assuming HTTP/1.1 and of course assuming the other 200 codes are issues.
> But those are edge cases. I still think this method is prone to false
> negatives and puts you at more risk.
> GET /somepath/cmd.exe?deltree+**&exit+5
> and all your files are gone and the response is 500 server error with
> nada alert to help you figure out why, so after you rebuild it can
> happen again and again...
Nice example. ;-) Point taken, it crushes my example code.
Hehe, but that and other examples smack of bad config management, and even worse
change control. You can't get IDS to sort those problems out. If the guys in
the boardroom don't care you haven't got a chance.
In my mind if your dev guys put an un-hardened box on the dmz (or LAN) you
should know about it (arpwatch?) and you should knock that box off the network
via the segment switch. You are doing them a favour in the end as you didn't
hack the box just pointed out the errors. Do it enough times and the boxes will
go on patched and they'll probably ask your permission beforehand too. No
December holiday party invites though. =) (scratch all the last paragraph if
you work in an educational institute [been there done that])
So I think back to the large list of backdoor shell banners as the attack
successful indicators and set your cmd.exe External->Internal rules to benign.
Yes they can be evaded, I know, but 99.999+% of the attacks are bots and script
kiddies, even most pentesters don't write their own tools anymore. You should have
patched! Every computer-related magazine has an article on it in every issue.
It's the norm now.
I just don't think there is a total solution using just IDS, you have to add
your other factors in as well. CC, CM, and boardroom buy-in. If not and your
boss knows it's best endeavours and accepts it then you are okay. If no one
accepts best endeavours without the other factors, find another job, it's not
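To make the false negative Jason describes concrete, here is an added example (my own code, not from either poster) that models the "request rule sets a flowbit with noalert, response rule alerts on a 200" chain versus alerting on the cmd.exe request itself, over constructed request/response pairs; the flowbit names and the "alert only on 200" response rule are my assumptions about the rule design under discussion.

```python
# Added example, not code from the thread: a tiny model of the Snort
# "request sets a flowbit with noalert, response rule alerts" pattern,
# run over constructed HTTP request/response pairs to show the false
# negative discussed above (a 500 response to a cmd.exe request).
import re
from typing import List, Optional, Tuple

# Constructed sample flows: (request line, response status line).
FLOWS = [
    ("GET /index.html HTTP/1.1", "HTTP/1.1 200 OK"),
    ("GET /scripts/cmd.exe?/c+dir HTTP/1.1", "HTTP/1.1 200 OK"),
    ("GET /somepath/cmd.exe?deltree+**&exit+5 HTTP/1.1", "HTTP/1.1 500 Internal Server Error"),
    ("GET /somepath/cmd.exe?/c+dir HTTP/1.1", "HTTP/1.1 404 Not Found"),
]

CMD_EXE = re.compile(r"cmd\.exe", re.IGNORECASE)
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3}) ")


def request_rule(request: str) -> bool:
    """Models the External->Internal cmd.exe content match."""
    return bool(CMD_EXE.search(request))


def response_code(response: str) -> Optional[int]:
    """Pulls the numeric status code out of the response status line."""
    m = STATUS.match(response)
    return int(m.group(1)) if m else None


def noalert_strategy(flows: List[Tuple[str, str]]) -> List[str]:
    """Assumed rule pair: request rule 'flowbits:set,cmdexe.req; flowbits:noalert',
    response rule 'flowbits:isset,cmdexe.req' plus status 200 -> alert.
    Returns one alert string per flow that fires."""
    alerts = []
    for req, resp in flows:
        flowbit = request_rule(req)          # set silently, no alert
        if flowbit and response_code(resp) == 200:
            alerts.append(f"ATTACK-RESPONSE 200 after: {req}")
    return alerts


def alert_on_request_strategy(flows: List[Tuple[str, str]]) -> List[str]:
    """Plain request rule: alert on every cmd.exe request, success or not."""
    return [f"WEB-IIS cmd.exe access: {req}" for req, _ in flows if request_rule(req)]


def missed_by_noalert(flows: List[Tuple[str, str]]) -> List[str]:
    """cmd.exe requests that raise no alert at all under the noalert chain."""
    return [req for req, resp in flows
            if request_rule(req) and response_code(resp) != 200]


if __name__ == "__main__":
    print(noalert_strategy(FLOWS))
    print(alert_on_request_strategy(FLOWS))
    print(missed_by_noalert(FLOWS))
```

The deltree request with its 500 response is exactly the one the noalert chain drops, while the plain request rule records it.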