[Snort-sigs] new rule for detect web "=+" (generic + after =) attempt

Alex Kirk alex.kirk at ...435...
Wed Dec 14 06:57:16 EST 2005

I can understand the concept behind "=|" -- there are a vast number of 
web programs which are vulnerable to command injection via the use of 
pipes that enclose shell commands, a la 
"http://www.example.com/cgi-bin/foo.cgi?vuln=|rm -rf *|". Of course, 
you'd need to use such a rule with extreme caution, since there are 
places where this sort of thing is legitimate -- for example, if you run 
a Google search for 'allinurl: "%3D%7C"' (which allows you to look for 
pages whose URLs actually contain "=|"), you get 277 hits. I will add 
this to the Community rules, in case it has value for anyone out there, 
though it will be disabled by default.

I'm a lot less clear on the logic behind "=+". Rmkml, any information 
you can provide on why you chose this particular character sequence as 
something worth alerting on would be much appreciated. Meanwhile, I'm 
going to pop that rule on my desktop here for the next few hours, just 
to see how many alerts I get while doing normal daily web browsing, as 
this ought to give at least some indiciation of how false-positive prone 
it is.

Alex Kirk
Community Rules Maintainer
Sourcefire, Inc.

>On Wed, 2005-12-14 at 10:08 +0100, rmkml wrote:
>>web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
>>(msg:"WEB-MISC generic cmd + after = attempt"; 
>>flow:to_server,established; uricontent:"|3D 2B|"; classtype:web-application-attack; )
>>this rules send event if on your uri, you have '=+' !
>>(http10/http11 ok)
>Why would you classify this as an attack? Any web form that is submitted
>via GET and with a field whose value starts with a space will match
>this. Can you explain why this (and for that matter '=|') concerns you?
>- Raz
>This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
>for problems?  Stop!  Download the new AJAX search engine that makes
>searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list