[Snort-sigs] Re: [Snort-users] Community Rule Update

Alex Kirk alex.kirk at ...435...
Mon Apr 4 06:11:00 EDT 2005


Certainly...here's the list from the last update:

100000126 || COMMUNITY MISC GoodTech Telnet Server Buffer Overflow 
Attempt || cve,2005-0768 || 
100000127 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script 
Include Attack formmail.inc.php || bugtraq,12735
100000128 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script 
Include Attack download_center_lite.inc.php || bugtraq,12735
100000129 || COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service 
Infinite Loop DoS || bugtraq,10014 || 
100000130 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS 
|| bugtraq,12778
100000131 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS 
- Floppy Access || bugtraq,12778
100000132 || COMMUNITY WEB-MISC Proxy Server Access

Jason -- assuming I've understood you correctly, and that this rule will 
fire on all three types of proxy server, I'll make that change shortly; 
otherwise I would think two rules made sense.

As to the idea of a VALID_PROXY_SERVERS variable, it makes sense -- *if* 
you've gone through as an admin and defined that variable. The problem 
is, for people who are just letting Oinkmaster grab new rules without 
touching their conf, this rule would break Snort, since they wouldn't 
have that variable defined. That said, though, it's a good way to cut 
down false positives if you take the time to define the variable, so 
I'll add your suggestion to the doc.

Alex Kirk
Research Analyst/
Community Rules Maintainer
Sourcefire, Inc.

> Can we get an email with the changed or new rules put out in addition 
> to the notification? That'd be convenient. :)
> Matt
> Jason Haar wrote:
>> Alex Kirk wrote:
>>> Additionally, user Alexandru Ionica <gremlin at ...3039...> submitted a
>>> rule which looks for rogue proxy servers running in an organization's
>>> network. Anyone who wishes to submit rules may do so at
>>> http://www.snort.org/reg-bin/rulesubmit.cgi.
>> Hmm - where should bug reports for community rules go? :-)
>> I think that rule needs to be fleshed out. For one thing it'd trigger on
>> every proxy server you have, so maybe it should include a "var"
>> definition. Also it is specific to Squid - the following will also match
>> ISA and NetCache.
>> ------------------- change ----------------
>> #Change the following VALID_PROXY_SERVERS to define the valid proxy
>> servers on your network,
>> #otherwise this will never trigger (e.g. "var VALID_PROXY_SERVERS
>> [,]")
>> alert tcp !$VALID_PROXY_SERVERS any -> $EXTERNAL_NET any (msg:"COMMUNITY
>> WEB-MISC Proxy \
>> Server Access"; flow:established,from_server;
>> content:"Proxy-Connection"; nocase; content:"Via"; nocase; 
>> content:"HTTP";\
>>  nocase; content: !"ERR_ACCESS_DENIED"; nocase; logto: "proxy";
>> sid:100000132; rev:2;)
>> -------------------------------------------------

More information about the Snort-sigs mailing list