[Snort-sigs] False positives for SID 972

Gunnar Wolf gwolf at ...2486...
Mon May 17 07:25:09 EDT 2004


My system is generating lots of false positives for SID 972 (WEB-IIS
%2E-asp access). I am attaching here the payload for one example:

 length = 491

000 : 47 45 54 20 2F 63 6C 69 63 6B 73 2F 63 6C 69 63   GET /clicks/clic
010 : 6B 73 2E 61 73 70 3F 63 6F 64 69 67 6F 3D 69 39   ks.asp?codigo=i9
020 : 70 37 37 35 6A 6A 30 70 6B 72 26 70 72 6F 6D 6F   p775jj0pkr&promo
030 : 63 69 6F 6E 3D 63 75 30 33 30 34 6D 61 30 33 20   cion=cu0304ma03 
040 : 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74   HTTP/1.1..Accept
050 : 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20   : */*..Referer: 
060 : 68 74 74 70 3A 2F 2F 36 35 2E 35 34 2E 31 38 37   http://65.54.187
070 : 2E 32 35 30 2F 63 67 69 2D 62 69 6E 2F 6C 69 6E   .250/cgi-bin/lin
080 : 6B 72 64 3F 5F 6C 61 6E 67 3D 45 53 26 6C 61 68   krd?_lang=ES&lah
090 : 3D 65 37 34 33 31 64 32 35 63 33 37 30 65 63 34   =e7431d25c370ec4
0a0 : 62 31 64 34 37 31 63 37 33 66 34 37 63 62 62 31   b1d471c73f47cbb1
0b0 : 30 26 6C 61 74 3D 31 30 38 34 35 36 35 33 31 34   0&lat=1084565314
0c0 : 26 68 6D 5F 5F 5F 61 63 74 69 6F 6E 3D 68 74 74   &hm___action=htt
0d0 : 70 25 33 61 25 32 66 25 32 66 77 77 77 25 32 65   p%3a%2f%2fwww%2e
0e0 : 70 75 6E 74 6F 73 63 6C 75 62 25 32 65 63 6F 6D   puntosclub%2ecom
0f0 : 25 32 66 63 6C 69 63 6B 73 25 32 66 63 6C 69 63   %2fclicks%2fclic
100 : 6B 73 25 32 65 61 73 70 25 33 66 63 6F 64 69 67   ks%2easp%3fcodig
110 : 6F 25 33 64 69 39 70 37 37 35 6A 6A 30 70 6B 72   o%3di9p775jj0pkr
120 : 25 32 36 70 72 6F 6D 6F 63 69 6F 6E 25 33 64 63   %26promocion%3dc
130 : 75 30 33 30 34 6D 61 30 33 0D 0A 41 63 63 65 70   u0304ma03..Accep
140 : 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 73 2D 6D   t-Language: es-m
150 : 78 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69   x..Accept-Encodi
160 : 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74   ng: gzip, deflat
170 : 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D   e..User-Agent: M
180 : 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70   ozilla/4.0 (comp
190 : 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 30   atible; MSIE 5.0
1a0 : 3B 20 57 69 6E 64 6F 77 73 20 39 35 3B 20 44 69   ; Windows 95; Di
1b0 : 67 45 78 74 29 0D 0A 48 6F 73 74 3A 20 77 77 77   gExt)..Host: www
1c0 : 2E 70 75 6E 74 6F 73 63 6C 75 62 2E 63 6F 6D 0D   .puntosclub.com.
1d0 : 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65   .Connection: Kee
1e0 : 70 2D 41 6C 69 76 65 0D 0A 0D 0A                  p-Alive....

As you can see, this script passes a 'hm___action' parameter in which
a URL is included, hex-encoding the period character. Probably the
rule that detects this attack should be changed from:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; content:"%2easp"; nocase; reference:bugtraq,1814; reference:cve,CAN-1999-0253; classtype:web-application-activity; sid:972; rev:7;)

to:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; pcre:"/^[^?]+%2easp/i"; reference:bugtraq,1814; reference:cve,CAN-1999-0253; classtype:web-application-activity; sid:972; rev:7;)

or something equivalent. What triggered this false positive is that
the .asp is correctly invoked, but after the '?' we see a '%2easp'
string. The modification I suggest requires no '?' character to appear
before the %2easp.

Thank you very much.

-- 
Gunnar Wolf - gwolf at ...2486... - (+52-55)5630-9700 ext. 1366
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF
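An added example (my own, not from the post or the Snort ruleset) that models the original and the proposed SID 972 matching logic in Python and runs both over a request rebuilt from the hex dump above plus a constructed path-encoded request; the uri_only_rule_fires variant is an assumption, the equivalent of restricting the match to the request URI.

```python
import re

# content:"%2easp"; nocase;  -> literal match anywhere in the client payload
ORIGINAL = re.compile(rb"%2easp", re.IGNORECASE)
# pcre:"/^[^?]+%2easp/i"     -> match only before the first '?' in the payload
PROPOSED = re.compile(rb"^[^?]+%2easp", re.IGNORECASE)

# Rebuilt from the hex dump in the post: note the encoded '%2easp' sits in
# the Referer header, not in the request line's path or query string.
FALSE_POSITIVE = (
    b"GET /clicks/clicks.asp?codigo=i9p775jj0pkr&promocion=cu0304ma03 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://65.54.187.250/cgi-bin/linkrd?_lang=ES"
    b"&lah=e7431d25c370ec4b1d471c73f47cbb10&lat=1084565314"
    b"&hm___action=http%3a%2f%2fwww%2epuntosclub%2ecom%2fclicks%2fclicks%2easp"
    b"%3fcodigo%3di9p775jj0pkr%26promocion%3dcu0304ma03\r\n"
    b"Host: www.puntosclub.com\r\n\r\n"
)
# Constructed: the encoded period appears in the path itself, which is the
# pattern the rule is meant to catch.
TRUE_POSITIVE = b"GET /default%2Easp HTTP/1.0\r\nHost: example.test\r\n\r\n"


def original_rule_fires(payload: bytes) -> bool:
    """Original SID 972 logic: '%2easp' anywhere in the payload."""
    return ORIGINAL.search(payload) is not None


def proposed_rule_fires(payload: bytes) -> bool:
    """Proposed logic: '%2easp' must occur before the first '?'."""
    return PROPOSED.search(payload) is not None


def uri_only_rule_fires(payload: bytes) -> bool:
    """Assumed stricter variant: inspect only the path of the request line,
    ignoring the query string and every header (Referer included)."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    path = parts[1].split(b"?", 1)[0]
    return ORIGINAL.search(path) is not None


if __name__ == "__main__":
    for name, payload in (("false positive", FALSE_POSITIVE), ("true positive", TRUE_POSITIVE)):
        print(name, original_rule_fires(payload), proposed_rule_fires(payload), uri_only_rule_fires(payload))
```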