[Snort-sigs] Avoidance of 2230.5 (WEB-MISC NetGear router default password login attempt admin/password)

nnposter at ...592... nnposter at ...592...
Fri Jul 2 22:36:14 EDT 2004


Rule:  WEB-MISC NetGear router default password login attempt admin/password

--
Sid: 2230

--
False Negatives:
The current version of the rule incorrectly assumes specific spacing.
As a result, an attacker can easily get around the signature.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
See http://www.ietf.org/rfc/rfc2617.txt


I am proposing to convert the authentication clause to PCRE:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"WEB-MISC NetGear router default password login attempt admin/password"; 
flow:to_server,established; content:"YWRtaW46cGFzc3dvcmQ"; 
pcre:"/^Authorization\x3a\s*Basic +(?-i)YWRtaW46cGFzc3dvcmQ/mi"; 
reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:6;)
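
A coverage check for the proposed clause, as an added example that is not part of the original post: it evaluates the rule's `content` and `pcre` options over constructed requests whose `Authorization` header uses different spacing. Assumptions: Python's `re` has no unscoped `(?-i)`, so the case-sensitive tail is written as `(?-i:...)`; `FIXED` is a hypothetical stand-in for a fixed-spacing match, since the earlier rule text is not on this page.

```python
import re

TOKEN = b"YWRtaW46cGFzc3dvcmQ"  # the rule's content: string (case-sensitive)

# The rule's pcre: clause; (?-i) is rewritten as the scoped (?-i:...) for Python.
PROPOSED = re.compile(
    rb"^Authorization\x3a\s*Basic +(?-i:YWRtaW46cGFzc3dvcmQ)",
    re.MULTILINE | re.IGNORECASE,
)
# Assumption: hypothetical fixed-spacing form, one space after ":" and "Basic".
FIXED = re.compile(
    rb"^Authorization: Basic (?-i:YWRtaW46cGFzc3dvcmQ)",
    re.MULTILINE | re.IGNORECASE,
)


def rule_matches(payload: bytes, pcre=PROPOSED) -> bool:
    """A Snort rule fires only if every option hits: content AND pcre."""
    return TOKEN in payload and pcre.search(payload) is not None


def request(header: bytes) -> bytes:
    """Constructed HTTP request carrying one extra header line."""
    return b"GET / HTTP/1.0\r\nHost: 192.0.2.1\r\n" + header + b"\r\n\r\n"


# Constructed sample header lines (not captured traffic).
SAMPLES = {
    "single space": b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=",
    "no space after colon": b"Authorization:Basic YWRtaW46cGFzc3dvcmQ=",
    "extra spaces": b"Authorization:   Basic    YWRtaW46cGFzc3dvcmQ=",
    "tab after colon": b"Authorization:\tBasic YWRtaW46cGFzc3dvcmQ=",
    "folded header": b"Authorization:\r\n Basic YWRtaW46cGFzc3dvcmQ=",
    "lowercase names": b"authorization: basic YWRtaW46cGFzc3dvcmQ=",
    "other credentials": b"Authorization: Basic dXNlcjpwYXNz",
    "token case changed": b"Authorization: Basic ywrtaw46cgfzc3dvcmq=",
    "token in other header": b"X-Debug: Basic YWRtaW46cGFzc3dvcmQ=",
}


def coverage() -> dict:
    """Map sample name -> (proposed rule fires, fixed-spacing form fires)."""
    return {name: (rule_matches(request(h)), rule_matches(request(h), FIXED))
            for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (new, old) in coverage().items():
        print(f"{name:22} proposed={new!s:5} fixed={old}")
```

The last three samples are negatives: base64 is case-sensitive, so the case-changed token encodes different credentials and neither form should fire on it.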
