[Snort-sigs] SID:2229 - False positives

Paul Schmehl pauls at ...1311...
Tue Feb 8 15:30:15 EST 2005


<http://www.snort.org/snort-db/sid.html?sid=2229>

Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; 
uricontent:"viewtopic.php"; reference:bugtraq,7979; 
reference:cve,2003-0486; reference:nessus,11767; 
classtype:web-application-attack; sid:2229; rev:4;)

Sid: 2229

Summary: This event is generated when an attempt is made to exploit a known
vulnerability in the PHP application phpBB.

Well, no.  Actually this event is generated any time someone viewing a 
phpBB accesses a topic thread.  At a minimum, there should be a second 
content check with *something* that involves the exploit code.

For example, if you access the BID - <http://www.securityfocus.com/bid/7979>
and look at the exploit code provided:
<http://downloads.securityfocus.com/vulnerabilities/exploits/phpbb_sql.pl>
you will see that it takes more than just viewtopic.php to exploit the vuln.

It requires viewtopic.php plus "?sid={somevalue}&topic_id={somevalue}" (all 
of which can be found in normal requests) *plus* some sql code.

ISTM this rule ought to *at least* look something like this:

Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; 
uricontent:"viewtopic.php"; content:"select"; nocase; 
reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; 
classtype:web-application-attack; sid:2229; rev:4;)

Or even better:

Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; 
uricontent:"viewtopic.php"; content:"select"; nocase; content: "from"; 
nocase; content: "where"; nocase; reference:bugtraq,7979; 
reference:cve,2003-0486; reference:nessus,11767; 
classtype:web-application-attack; sid:2229; rev:4;)

Isn't that so?

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
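To make the false-positive argument above concrete, here is an added example (not from the post or from the Snort ruleset) that reduces the three rule bodies to their uricontent/content checks and runs them over constructed phpBB request lines; flow:to_server,established is assumed satisfied, and the "sql_keywords" sample only carries the bare keywords, not an exploit.

```python
# Constructed HTTP request lines for the comparison (not captured traffic).
REQUESTS = {
    "topic_view": "GET /phpBB2/viewtopic.php?t=12 HTTP/1.1",
    "topic_with_sid": "GET /phpBB2/viewtopic.php?sid=ab12cd&topic_id=12 HTTP/1.1",
    "sql_keywords": "GET /phpBB2/viewtopic.php?sid=ab12cd&topic_id=12"
                    "+SELECT+x+FROM+y+WHERE+z HTTP/1.1",
    "index": "GET /phpBB2/index.php HTTP/1.1",
}

# The three rule bodies from the post, reduced to (option, pattern, nocase).
# uricontent is case-sensitive unless nocase is given, as in Snort.
RULES = {
    "sid2229_rev4": [("uricontent", "viewtopic.php", False)],
    "plus_select": [("uricontent", "viewtopic.php", False),
                    ("content", "select", True)],
    "plus_select_from_where": [("uricontent", "viewtopic.php", False),
                               ("content", "select", True),
                               ("content", "from", True),
                               ("content", "where", True)],
}

def request_uri(request_line):
    """Return the URI part of a request line such as 'GET /path?q HTTP/1.1'."""
    return request_line.split(" ", 2)[1]

def check_matches(option, pattern, nocase, request_line):
    """uricontent is matched against the URI only, content against the whole
    request line; both are plain substring matches."""
    haystack = request_uri(request_line) if option == "uricontent" else request_line
    if nocase:
        return pattern.lower() in haystack.lower()
    return pattern in haystack

def rule_fires(checks, request_line):
    """Every content check in a rule must match before it alerts."""
    return all(check_matches(o, p, n, request_line) for o, p, n in checks)

def alerts_per_request(rules=RULES, requests=REQUESTS):
    """Map each sample request to the names of the rules that alert on it."""
    return {name: [r for r, checks in rules.items() if rule_fires(checks, line)]
            for name, line in requests.items()}

if __name__ == "__main__":
    for name, fired in alerts_per_request().items():
        print(f"{name:22s} -> {fired or 'no alert'}")
```

The original rev 4 alerts on both ordinary topic views, while either refined rule alerts only on the request that actually carries SQL keywords.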