[Snort-sigs] Avoidance of 1260.10 (WEB-MISC long basic authorization string)

nnposter at ...592...
Tue Jul 6 10:05:03 EDT 2004


From: "Brian" <bmc at ...95...>
> On Fri, Jul 02, 2004 at 06:00:00PM -0600, nnposter at ...592... wrote:
> > 
> > Rule:  WEB-MISC long basic authorization string
> > 
> > --
> > Sid: 1260
> > 
> > --
> > False Negatives:
> > Current version of the rule incorrectly assumes specific spacing. 
> > As a result, an attacker can easily get around the signature.
> > 
> > See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
> > See http://www.ietf.org/rfc/rfc2617.txt
> > 
> > 
> > I am proposing to convert the authentication clause to PCRE:
> > 
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
> > (msg:"WEB-MISC long basic authorization string"; 
> > flow:to_server,established; 
> > content:"Authorization|3A|"; nocase; 
> > pcre:"/^Authorization\x3a\s*Basic [^\n]{512}/smi"; 
> > reference:bugtraq,3230; reference:cve,2001-1067; 
> > classtype:attempted-dos; sid:1260; rev:11;)
> 
> close, except tabs are accepted after Basic.  so... 
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"WEB-MISC long basic authorization string";
> flow:to_server,established; content:"Authorization|3A|";
> pcre:"/^Authorization\x3a\s*Basic\s[^\n]{512}/smi";
> reference:bugtraq,3230; reference:cve,2001-1067;
> classtype:attempted-dos; sid:1260; rev:11;)

I have followed RFC 2617, which permits only spaces, not LWS. 
However, I agree that it makes sense to extend it to \s if there are 
non-compliant web servers that accept LWS as a separator between the 
scheme token and the scheme-specific payload.

If \s is more desirable then a few of the other updates should be 
adjusted. Namely 1817, 1860, 1861, 2230.

Cheers,
nnposter
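To make the spacing argument concrete, here is an added example that is not part of the thread or of the Snort rule set: it translates the two PCREs from the thread into Python's re module and runs them, alongside a stand-in for a fixed-spacing rule, over constructed HTTP requests whose only difference is the whitespace around "Basic". The revision being replaced is not shown in the thread, so the literal single-space match is an assumption about what "assumes specific spacing" looks like, and the requests, host name and credential bytes are constructed for the test.

```python
import re

# Snort's /smi flags map to re.S | re.M | re.I. Bytes patterns keep \s at
# ASCII whitespace, matching PCRE's default behaviour.
PCRE_SPACE = re.compile(rb"^Authorization\x3a\s*Basic [^\n]{512}", re.S | re.M | re.I)   # nnposter's PCRE
PCRE_WS    = re.compile(rb"^Authorization\x3a\s*Basic\s[^\n]{512}", re.S | re.M | re.I)  # Brian's PCRE

# Assumption: a literal single-space match stands in for the older,
# fixed-spacing revision of sid 1260, which the thread does not reproduce.
FIXED_SPACING = re.compile(rb"Authorization: Basic [^\n]{512}", re.I)

MATCHERS = {"fixed": FIXED_SPACING, "pcre_space": PCRE_SPACE, "pcre_ws": PCRE_WS}


def build_request(after_colon: bytes, after_basic: bytes, cred_len: int) -> bytes:
    """Constructed request; the run of 'A's stands in for base64 of user:pass,
    since only the credential length matters to the signature."""
    return (b"GET / HTTP/1.0\r\n"
            b"Host: www.example.com\r\n"
            b"Authorization:" + after_colon + b"Basic" + after_basic
            + b"A" * cred_len + b"\r\n"
            b"\r\n")


def evaluate(request: bytes) -> dict:
    """Which matchers fire on this request."""
    return {name: rx.search(request) is not None for name, rx in MATCHERS.items()}


# Constructed cases: RFC 2616 4.2 allows LWS (spaces or tabs) after the
# colon; RFC 2617 specifies a single SP after "Basic", but Brian reports
# servers that accept a tab there too.
CASES = {
    "single space":             build_request(b" ",  b" ",  600),
    "two spaces after colon":   build_request(b"  ", b" ",  600),
    "tab after colon":          build_request(b"\t", b" ",  600),
    "tab after Basic":          build_request(b" ",  b"\t", 600),
    "short credential":         build_request(b" ",  b" ",  100),  # benign, below 512
}


def missed_by(name: str) -> list:
    """Long-credential cases the named matcher lets through (false negatives)."""
    return [case for case, req in CASES.items()
            if case != "short credential" and not evaluate(req)[name]]


if __name__ == "__main__":
    for case, req in CASES.items():
        print(f"{case:26} {evaluate(req)}")
    for name in MATCHERS:
        print(f"{name}: misses {missed_by(name)}")
```

The fixed-spacing matcher misses every case except the textbook one, nnposter's PCRE closes the gaps the RFCs permit (whitespace after the colon) but still misses a tab after "Basic", and the \s variant catches all four long-credential requests while leaving the short one alone; the same `\s` change is what the post says should then be carried over to sids 1817, 1860, 1861 and 2230.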
