[Snort-sigs] Avoidance of 1260.10 (WEB-MISC long basic authorization string)

Brian bmc at ...95...
Tue Jul 6 07:53:04 EDT 2004


On Fri, Jul 02, 2004 at 06:00:00PM -0600, nnposter at ...592... wrote:
> 
> Rule:  WEB-MISC long basic authorization string
> 
> --
> Sid: 1260
> 
> --
> False Negatives:
> Current version of the rule incorrectly assumes specific spacing. 
> As a result, an attacker can easily get around the signature.
> 
> See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
> See http://www.ietf.org/rfc/rfc2617.txt
> 
> 
> I am proposing to convert the authentication clause to PCRE:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
> (msg:"WEB-MISC long basic authorization string"; 
> flow:to_server,established; 
> content:"Authorization|3A|"; nocase; 
> pcre:"/^Authorization\x3a\s*Basic [^\n]{512}/smi"; 
> reference:bugtraq,3230; reference:cve,2001-1067; 
> classtype:attempted-dos; sid:1260; rev:11;)

close, except tabs are accepted after Basic.  so... 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC long basic authorization string";
flow:to_server,established; content:"Authorization|3A|";
pcre:"/^Authorization\x3a\s*Basic\s[^\n]{512}/smi";
reference:bugtraq,3230; reference:cve,2001-1067;
classtype:attempted-dos; sid:1260; rev:11;)

-b
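To see the spacing point in the thread concretely, here is an added check (not part of either post) that runs the two PCRE bodies, nnposter's proposal and Brian's revision with `\s` after `Basic`, over a few constructed request headers. Python's `re` is used as a stand-in for PCRE, with Snort's `/smi` flags mapped to `re.S | re.M | re.I`; the requests and credential blobs are constructed samples.

```python
import re

# PCRE bodies copied from the thread; /smi -> re.S | re.M | re.I
PROPOSED = re.compile(r"^Authorization\x3a\s*Basic [^\n]{512}", re.S | re.M | re.I)
REVISED = re.compile(r"^Authorization\x3a\s*Basic\s[^\n]{512}", re.S | re.M | re.I)

# Constructed "credential" blobs: only the length matters for sid 1260, not base64 validity
LONG = "Q" * 600
SHORT = "Q" * 100

# Constructed Authorization header lines exercising the whitespace variants RFC 2616 allows
SAMPLES = {
    "single space": "Authorization: Basic " + LONG,
    "tab after Basic": "Authorization: Basic\t" + LONG,
    "no space after colon": "Authorization:Basic " + LONG,
    "lowercase header": "authorization: basic " + LONG,
    "short credential": "Authorization: Basic " + SHORT,
}


def build_request(auth_line: str) -> str:
    """Wrap one header line in a minimal constructed HTTP/1.1 request."""
    return "GET / HTTP/1.1\r\nHost: www.example.com\r\n" + auth_line + "\r\n\r\n"


def matches(pattern: re.Pattern, request: str) -> bool:
    """True when the rule's PCRE clause would fire on this request."""
    return pattern.search(request) is not None


def compare(samples=SAMPLES) -> dict:
    """Return {label: (proposed_fires, revised_fires)} for every sample request."""
    results = {}
    for label, line in samples.items():
        request = build_request(line)
        results[label] = (matches(PROPOSED, request), matches(REVISED, request))
    return results


if __name__ == "__main__":
    for label, (proposed, revised) in compare().items():
        print(f"{label:22s} proposed={proposed!s:5} revised={revised!s:5}")
```

Only the tab-separated variant separates the two patterns: the proposal's literal space after `Basic` misses it, while `\s` catches it.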
