[Snort-sigs] new rule for detect web "=+" (generic + after =) attempt

Alex Kirk alex.kirk at ...435...
Wed Dec 14 13:51:10 EST 2005


FYI, after a brief off-list conversation, rmkml realized that searching 
for "=+" would not be as useful as he had thought, and has rescinded the 
rule.

Alex Kirk
Community Rules Maintainer
Sourcefire, Inc.

> I can understand the concept behind "=|" -- there are a vast number of 
> web programs which are vulnerable to command injection via the use of 
> pipes that enclose shell commands, a la 
> "http://www.example.com/cgi-bin/foo.cgi?vuln=|rm -rf *|". Of course, 
> you'd need to use such a rule with extreme caution, since there are 
> places where this sort of thing is legitimate -- for example, if you 
> run a Google search for 'allinurl: "%3D%7C"' (which allows you to look 
> for pages whose URLs actually contain "=|"), you get 277 hits. I will 
> add this to the Community rules, in case it has value for anyone out 
> there, though it will be disabled by default.
>
> I'm a lot less clear on the logic behind "=+". Rmkml, any information 
> you can provide on why you chose this particular character sequence as 
> something worth alerting on would be much appreciated. Meanwhile, I'm 
> going to pop that rule on my desktop here for the next few hours, just 
> to see how many alerts I get while doing normal daily web browsing, as 
> this ought to give at least some indication of how false-positive 
> prone it is.
>
> Alex Kirk
> Community Rules Maintainer
> Sourcefire, Inc.
>
>> On Wed, 2005-12-14 at 10:08 +0100, rmkml wrote:
>>
>>> web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
>>> $HTTP_PORTS (msg:"WEB-MISC generic cmd + after = attempt"; 
>>> flow:to_server,established; uricontent:"|3D 2B|"; 
>>> classtype:web-application-attack; )
>>>
>>> This rule sends an event if your URI contains '=+'!
>>> (http10/http11 ok)
>>
>> Why would you classify this as an attack? Any web form that is submitted
>> via GET and with a field whose value starts with a space will match
>> this. Can you explain why this (and for that matter '=|') concerns you?
>>
>> - Raz
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
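The false-positive case Raz raises (a GET form whose field value starts with a space), as an added example that is not code from the thread: Python's urllib builds the browser-style form URIs, and the rule's uricontent test is approximated as a plain byte search over the request URI (an assumption; Snort's own URI normalization is not modelled). The sample URIs are constructed for illustration.

```python
"""Why uricontent:"|3D 2B|" fires on ordinary form submissions."""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Byte sequences from the two rules discussed in the thread.
EQUALS_PLUS = bytes.fromhex("3d2b")   # "=+"  (the rescinded rule)
EQUALS_PIPE = bytes.fromhex("3d7c")   # "=|"  (the "commands via pipes" rule)


def build_form_get_uri(path: str, fields: dict) -> str:
    """URI a browser sends for a GET form: application/x-www-form-urlencoded
    turns every space in a value into '+', so a leading space yields '=+'."""
    return f"{path}?{urlencode(fields)}"


def uri_matches(uri: str, pattern: bytes) -> bool:
    """Approximation (assumed) of a uricontent byte match on the request URI."""
    return pattern in uri.encode("utf-8")


def fields_with_leading_space(uri: str) -> list:
    """Triage helper: query fields whose decoded value starts with a space.

    Each such field produces '=+' on the wire, so a hit here explains an
    '=+' alert as a benign form submission rather than an injection attempt.
    """
    query = urlsplit(uri).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if value.startswith(" ")]


def triage(uri: str) -> dict:
    """Summarize what each rule would see for one request URI."""
    return {
        "alert_equals_plus": uri_matches(uri, EQUALS_PLUS),
        "alert_equals_pipe": uri_matches(uri, EQUALS_PIPE),
        "leading_space_fields": fields_with_leading_space(uri),
    }


if __name__ == "__main__":
    # Constructed samples: a user who typed a leading space into a search box,
    # the same search without it, and the pipe-style URI quoted in the thread.
    samples = [
        build_form_get_uri("/search", {"q": " snort rules", "lang": "en"}),
        build_form_get_uri("/search", {"q": "snort rules", "lang": "en"}),
        "/cgi-bin/foo.cgi?vuln=|rm -rf *|",
    ]
    for uri in samples:
        print(uri, triage(uri))
```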





