[Snort-sigs] Avoidance of 1860.4 (WEB-MISC Linksys router default password login attempt)

nnposter at ...592...
Fri Jul 2 17:06:20 EDT 2004

Rule:  WEB-MISC Linksys router default password login attempt

Sid: 1860



Detailed Information:

Affected Systems:

Attack Scenarios:

Ease of Attack:

False Positives:

False Negatives:
Current version of the rule incorrectly assumes specific HTTP header
capitalization, specific authentication scheme capitalization, and 
overall spacing. As a result, an attacker can easily get around the

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
See http://www.ietf.org/rfc/rfc2617.txt
Corrective Action:


Additional References:

I am proposing to convert the authentication clause to PCRE while
preserving the maximum immutable part as a content clause for faster

alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 
(msg:"WEB-MISC Linksys router default password login attempt"; 
flow:to_server,established; content:" OmFkbWlu"; 
pcre:"/^Authorization\x3a\s*Basic +(?-i)OmFkbWlu/mi"; 
reference:nessus,10999; classtype:default-login-attempt; sid:1860; rev:5;)

P.S. Note the intentional use of both \s and " " 
     for precise protocol compliance.
