[Snort-sigs] Re: False Positive on 1:1333

Nigel Houghton nigel at ...435...
Tue Dec 20 21:41:02 EST 2005


This rule is now in deleted.rules where it remains for posterity.

On  0, Luciano Bello <lbello at ...3185...> allegedly wrote:
> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to others' work.
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> # 
> # $Id$
> #
> # 
> 
> Rule:  WEB-ATTACKS id command attempt
> 
> --
> Sid:1333
> 
> [... I will only fill my comments. The originals comments can be found in http://www.snort.org/pub-bin/sigs.cgi?sid=1333 ...]
> 
> --
> Affected Systems: Unix-like
> 
> --
> False Positives: Mambo[1] generates links that create a false positive situation. The links are similar to this: <a href="index.php?option=content&task=view&id=91&Itemid=102&lang=es" class="mainlevel" > where you can see ';id' as a variable assignment, not an attempt to run /usr/bin/id. I made a little modification to the original rule (sid: 1333):
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flow:to_server,established; content:"|3B 69 64|"; distance:0; isdataat:1,relative; content:!"|3D|"; within:1; classtype:web-application-attack; sid:1333; rev:6;)
> This rule does not alert if the ';id' is immediately followed by a '='. I'm not an expert in Snort rules, so feel free to improve it.
> 
> --
> False Negatives: If the attacker runs '; id', Snort does not alert.
> 
> --
> Contributors: Sourcefire Research Team Nigel Houghton <nigel.houghton at ...435...>
> Additional information from Anton Chuvakin <http://www.chuvakin.org>
> Additional information from Luciano Bello <http://lbello@...3185...> 
> 
> -- 
> Additional References: sid: 1332
> man id
> [1] http://www.mamboserver.com/
> 

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.
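The behaviour of the two rule variants discussed in the quoted report can be checked offline by modelling their content-matching logic over sample requests. The following is an added example, not code from the list post, from Sourcefire or from the Snort distribution. It models the original sid 1333 as a plain search for the bytes `3B 69 64` (";id") and the rev 6 proposal as ";id" followed by at least one byte (isdataat:1,relative) that is not "=" (content:!"|3D|"; within:1). It assumes the Snort 2 detection engine's behaviour of retrying later occurrences of the first content when a relative option fails; the HTTP requests, hostnames and CGI paths are constructed for illustration and are not taken from the report.

```python
"""Model of Snort sid 1333, original vs. the rev 6 proposal from the report.

Added example only: this is not Snort's detection engine, it reproduces the
matching semantics of two rule bodies well enough to compare them on
constructed HTTP requests.
"""

# content:"|3B 69 64|" -- the bytes ';', 'i', 'd' (no nocase in either rule,
# so the match is case sensitive, as in the quoted rule)
PATTERN = b";id"


def original_rule_matches(payload: bytes) -> bool:
    """Original rule: a bare content match, fires on any ';id' in the payload."""
    return PATTERN in payload


def modified_rule_matches(payload: bytes) -> bool:
    """Rev 6 proposal from the report:

        content:"|3B 69 64|"; isdataat:1,relative; content:!"|3D|"; within:1;

    Assumption: like Snort 2, if the relative options fail for one occurrence
    of ';id', the engine retries with the next occurrence in the payload.
    """
    start = 0
    while True:
        idx = payload.find(PATTERN, start)
        if idx == -1:
            return False
        end = idx + len(PATTERN)
        # isdataat:1,relative -> at least one byte must follow the match
        if end < len(payload):
            # content:!"|3D|"; within:1 -> the byte right after must not be '='
            if payload[end:end + 1] != b"=":
                return True
        start = idx + 1


# Constructed sample requests (hypothetical host and CGI paths).
SAMPLES = {
    # Resembles the Mambo link from the report: ';id=' is a parameter
    # assignment, not a command.
    "mambo_link": (
        b"GET /index.php?option=content&task=view;id=91&Itemid=102&lang=es "
        b"HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    ),
    # Command-injection attempt: ';id' followed by a space.
    "injection": (
        b"GET /cgi-bin/test.cgi?cmd=;id HTTP/1.0\r\n"
        b"Host: www.example.com\r\n\r\n"
    ),
    # The false negative from the report: a space between ';' and 'id'.
    "spaced": (
        b"POST /cgi-bin/test.cgi HTTP/1.0\r\nHost: www.example.com\r\n"
        b"Content-Length: 8\r\n\r\ncmd=; id"
    ),
    # ';id' as the very last bytes of the payload: nothing follows it, so
    # isdataat:1,relative fails and the rev 6 rule stays silent.
    "trailing": (
        b"POST /cgi-bin/test.cgi HTTP/1.0\r\nHost: www.example.com\r\n"
        b"Content-Length: 7\r\n\r\ncmd=;id"
    ),
    # A benign ';id=' followed later by a real ';id': the retry finds it.
    "retry": (
        b"GET /index.php?option=content&task=view;id=91&Itemid=102;id "
        b"HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    ),
}


def evaluate(name: str) -> tuple:
    """Return (original_fires, modified_fires) for a named sample."""
    payload = SAMPLES[name]
    return original_rule_matches(payload), modified_rule_matches(payload)


if __name__ == "__main__":
    for name in SAMPLES:
        orig, mod = evaluate(name)
        print(f"{name:<11} original={orig!s:<5} rev6={mod!s:<5}")
```

Running it shows the trade-off in the report: the rev 6 rule drops the Mambo-style `;id=` alert and still fires on `cmd=;id`, but it adds one false negative the report does not mention, a payload that ends in `;id` with no byte after it, and neither variant sees `; id`, `;ID` or URL-encoded forms, which is consistent with the rule having been retired to deleted.rules rather than patched further.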
