[Snort-sigs] Suggestions for new attack response rules

Nick nick at ...2174...
Tue Dec 7 01:11:03 EST 2004

Jason said the following on 07/12/2004 05:33:

> the noalert will cause you to miss the commands send and all you will 
> get is an alert telling you there was a non success response code. Even 
> if you generate alerts for the cmd.exe/whatever access I think that if 
> this is applied in practice you will find more non issues than you care 
> to deal with...

Yep, that was the point.

> Assuming HTTP/1.1 and of course assuming the other 200 codes are issues


> But those are edge cases. I still think this method is prone to false 
> negatives and puts you at more risk.
> GET /somepath/cmd.exe?deltree+**&exit+5
> and all your files are gone and the response is 500 server error with 
> nadda alert to help you figure out why so after you rebuild it can 
> happen again and again...

Nice example. ;-)  point taken, it crushes my example code.

hehe, but that and other examples smack of bad config managment, and even worse 
change control.   You can't get IDS to sort those problems out.  If the guys in 
the boardroom don't care you haven't got a chance.

In my mind if your dev guys put an un-hardened box on the dmz (or LAN) you 
should know about it (arpwatch?) and you should knock that box off the network 
via the segment switch.  You are doing them a favour in the end as you didn't 
hack the box just pointed out the errors.  Do it enough times and the boxes will 
go on patched and they'll probably ask your permission beforehand too.  No 
December holiday party invites though. =)  (scratch all the last paragraph if 
you work in an educational institute [been there done that])

So I think back to the large list of backdoor shell banners as the attack 
successful indicators and set your cmd.exe External->Internal rules to benign.
Yes they can be evaded i know but 99.999+% of the attacks are bots and script 
kiddies, even most pentesters don't write their own tools anymore. You should of 
patched! every computer related magazine has an article on it in every issue. 
It's the norm now.

I just don't think there is a total solution using just IDS, you have to add 
your other factors in as well.  CC, CM, and boardroom buy in.  If not and your 
boss knows it's best endevours and accepts it then you are okay.  If no one 
accepts best endevours without the other factors, find another job it's not 
worth it.




More information about the Snort-sigs mailing list