[Snort-sigs] new rule for detect web "=+" (generic + after =) attempt
alex.kirk at ...435...
Wed Dec 14 06:57:16 EST 2005
I can understand the concept behind "=|" -- there are a vast number of
web programs which are vulnerable to command injection via the use of
pipes that enclose shell commands, a la
"http://www.example.com/cgi-bin/foo.cgi?vuln=|rm -rf *|". Of course,
you'd need to use such a rule with extreme caution, since there are
places where this sort of thing is legitimate -- for example, if you run
a Google search for 'allinurl: "%3D%7C"' (which allows you to look for
pages whose URLs actually contain "=|"), you get 277 hits. I will add
this to the Community rules, in case it has value for anyone out there,
though it will be disabled by default.
I'm a lot less clear on the logic behind "=+". Rmkml, any information
you can provide on why you chose this particular character sequence as
something worth alerting on would be much appreciated. Meanwhile, I'm
going to pop that rule on my desktop here for the next few hours, just
to see how many alerts I get while doing normal daily web browsing, as
this ought to give at least some indication of how false-positive prone
Community Rules Maintainer
>On Wed, 2005-12-14 at 10:08 +0100, rmkml wrote:
>>web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>>(msg:"WEB-MISC generic cmd + after = attempt";
>>flow:to_server,established; uricontent:"|3D 2B|"; classtype:web-application-attack; )
>>this rule sends an event if your URI contains '=+'!
>Why would you classify this as an attack? Any web form that is submitted
>via GET and with a field whose value starts with a space will match
>this. Can you explain why this (and for that matter '=|') concerns you?
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
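Added example, not part of the thread: a small Python check that applies the two proposed uricontent patterns to constructed sample URIs, showing how a legitimate GET form field whose value starts with a space is sent as '=+' and fires the rule. The rule labels in RULES, the helper names and the sample URIs are my own; Snort's own URI normalisation is not modelled.

```python
"""Added example (not from the original thread): which request URIs would the
two proposed Snort uricontent patterns fire on, and why a legitimate GET form
submission whose field value starts with a space produces '=+'."""
from urllib.parse import urlencode


def snort_hex_to_bytes(pattern: str) -> bytes:
    """Translate Snort content notation ('|3D 2B|', optionally mixed with
    literal text) into the raw byte string the engine searches for."""
    out = b""
    inside_hex = False
    for chunk in pattern.split("|"):
        if inside_hex:
            out += bytes.fromhex(chunk)   # fromhex ignores the spaces
        else:
            out += chunk.encode("latin-1")
        inside_hex = not inside_hex
    return out


# The two uricontent patterns discussed in the thread (labels are mine).
RULES = {
    "=+ rule": "|3D 2B|",   # rmkml's rule: '=' followed by '+'
    "=| rule": "|3D 7C|",   # the '=|' variant: '=' followed by '|'
}


def matching_rules(uri: str) -> list:
    """Return the labels of rules whose pattern occurs in the URI.
    Approximation of uricontent: a plain byte search over the request URI."""
    raw = uri.encode("latin-1")
    return [label for label, pat in RULES.items() if snort_hex_to_bytes(pat) in raw]


def legitimate_form_get(path: str, fields: dict) -> str:
    """Build the URI a browser sends for a GET form; urlencode turns every
    space into '+', so a value with a leading space yields '=+'."""
    return path + "?" + urlencode(fields)


# Constructed sample traffic: the pipe example from the thread, a benign
# search whose term starts with a space, and a benign search that does not.
SAMPLE_URIS = [
    "/cgi-bin/foo.cgi?vuln=|rm -rf *|",
    legitimate_form_get("/search", {"q": " snort rules"}),  # /search?q=+snort+rules
    legitimate_form_get("/search", {"q": "snort rules"}),   # /search?q=snort+rules
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, "->", matching_rules(uri) or "no alert")
```

Running it shows the second, entirely legitimate, URI triggering the "=+" rule, which is the false-positive source the reply points out.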