[Snort-sigs] Avoidance of 2230.5 (WEB-MISC NetGear router default password login attempt admin/password)

Matthew Jonkman matt at ...2436...
Sat Jul 3 07:48:11 EDT 2004

These and the others seem to be valid and good suggestions. Any idea 
when these will be updated in the rules?

If it'll be a bit we can post the updated versions on bleeding. I don't 
think that's the best way to go though.


nnposter at ...592... wrote:

> Rule:  WEB-MISC NetGear router default password login attempt admin/password
> --
> Sid: 2230
> --
> False Negatives:
> Current version of the rule incorrectly assumes specific spacing. 
> As a result, an attacker can easily get around the signature.
> See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
> See http://www.ietf.org/rfc/rfc2617.txt
> I am proposing to convert the authentication clause to PCRE:
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
> (msg:"WEB-MISC NetGear router default password login attempt admin/password"; 
> flow:to_server,established; content:"YWRtaW46cGFzc3dvcmQ"; 
> pcre:"/^Authorization\x3a\s*Basic +(?-i)YWRtaW46cGFzc3dvcmQ/mi"; 
> reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:6;)

Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC

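The spacing problem nnposter describes, worked through in an added Python harness that is not part of this thread: it applies the proposed PCRE (translated to Python syntax, where PCRE's bare `(?-i)` becomes the scoped group `(?-i:...)`) to constructed Basic-auth requests with varying header whitespace and case. `FIXED_STRING` is an assumed reconstruction of the single-spacing match the post criticises, not the actual text of rev 5 of sid 2230.

```python
import base64
import re

# Base64 of the default credential pair. The rule omits the trailing "="
# padding so the content match does not depend on how the client pads.
DEFAULT_CRED_B64 = base64.b64encode(b"admin:password").decode()  # YWRtaW46cGFzc3dvcmQ=

# ASSUMPTION: a fixed-spacing literal of the kind the post says the old rule used
# (exactly one space after the colon and one before the token).
FIXED_STRING = "Authorization: Basic YWRtaW46cGFzc3wvcmQ".replace("c3wv", "c3dv")

# The proposed rule: a fast content prefilter on the token, then the PCRE.
# Header name and "Basic" are case-insensitive (RFC 2617), whitespace after the
# colon and before the token is free (RFC 2616 4.2), the base64 token is exact.
CONTENT = "YWRtaW46cGFzc3dvcmQ"
PROPOSED_PCRE = re.compile(
    r"^Authorization\x3a\s*Basic +(?-i:YWRtaW46cGFzc3dvcmQ)", re.M | re.I)


def fixed_match(request: str) -> bool:
    """Old-style detection: fixed literal, sensitive to spacing and case."""
    return FIXED_STRING in request


def proposed_match(request: str) -> bool:
    """Detection as in the proposed rev 6: content prefilter plus anchored PCRE."""
    return CONTENT in request and PROPOSED_PCRE.search(request) is not None


def _req(header: str) -> str:
    return "GET / HTTP/1.0\r\n" + header + "\r\nHost: router\r\n\r\n"


# Constructed sample requests; only the default admin/password pair should fire.
SAMPLES = {
    "canonical":        _req("Authorization: Basic YWRtaW46cGFzc3dvcmQ="),
    "extra_spaces":     _req("Authorization:   Basic   YWRtaW46cGFzc3dvcmQ="),
    "tab_after_colon":  _req("Authorization:\tBasic YWRtaW46cGFzc3dvcmQ="),
    "no_space":         _req("Authorization:Basic YWRtaW46cGFzc3dvcmQ="),
    "lowercase_header": _req("authorization: basic YWRtaW46cGFzc3dvcmQ="),
    "other_creds":      _req("Authorization: Basic "
                             + base64.b64encode(b"admin:hunter2").decode()),
    "case_flipped_tok": _req("Authorization: Basic YWRTAW46CGFZC3DVCMQ="),
}


def compare() -> dict:
    """Return {sample: (fixed_match, proposed_match)} for every constructed request."""
    return {name: (fixed_match(r), proposed_match(r)) for name, r in SAMPLES.items()}
```

Every spacing and case variant of the real default-credential header is flagged by the proposed rule, while a different password or a case-altered token (which decodes to different bytes) is not.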
