[Snort-sigs] SID:2229 - False positives

Ofer Shezaf ofer at ...2970...
Mon Feb 21 07:04:26 EST 2005


Paul Schmehl wrote on February 09, 2005
> Subject: [Snort-sigs] SID:2229 - False positives
> 
> Summary: This event is generated when an attempt is made to exploit a
> known vulnerability in the PHP application phpBB.
> 
> Well, no.  Actually this event is generated any time someone viewing a
> phpBB accesses a topic thread.  At a minimum, there should be a second
> content check with *something* that involves the exploit code.

Snort has many rules that alert on access, as opposed to attack, for many
different vulnerable applications. The idea is probably to alert you, as a
security person, that such a system is installed on your network; once
you know that you have such a system and it is patched, remove the rule.

You may find the signatures you are looking for at
http://www.bleedingsnort.com/ 

You will also find that viewtopic is vulnerable not only to SQL
injection but also to XSS and PHP injection, which suggests that a generic
signature for it may be the right thing.

> ISTM this rule ought to *at least* look something like this:
> 
> Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established;
> uricontent:"viewtopic.php"; content:"select"; nocase;
> reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767;
> classtype:web-application-attack; sid:2229; rev:4;)
> 

The problem is that no simple signature will encompass all possibilities of
an application layer attack such as SQL injection; the two examples you
brought are just too easy to evade.

Snort does its best by alerting you of a potential problem, but actually
detecting application layer attacks is beyond the scope of Snort or any
other network layer IDS.

> Or even better:
> 
> Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established;
> uricontent:"viewtopic.php"; content:"select"; nocase; content: "from";
> nocase; content: "where"; nocase; reference:bugtraq,7979;
> reference:cve,2003-0486; reference:nessus,11767;
> classtype:web-application-attack; sid:2229; rev:4;)
> 
> N'est pas?
> 
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
> 

Ofer Shezaf
CTO, Breach Security

Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers at ...2971...
http://www.breach.com
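To make the false-positive discussion above concrete, here is an added example (not part of the thread, and not Snort's own matching engine): a toy model of Snort's `uricontent`/`content`/`nocase` options applied to the three rule variants discussed, run over constructed HTTP requests. It shows that the shipped SID 2229 fires on any plain topic view, and that the amended variants still match the keywords anywhere in the request (for instance in a Referer header), since `content` is a case-insensitive substring match over the whole payload. The request samples, host names and rule labels are constructed for illustration.

```python
# Added example, not code from the thread or from Snort. Models only
# literal substring matching; real Snort also does stream reassembly,
# URI normalization and preprocessing, which this toy ignores.

def matches(request, uricontent, contents=()):
    """True if the URI contains `uricontent` and the whole request contains
    every pattern in `contents`; all comparisons are case-insensitive (nocase)."""
    request_line, _, _ = request.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    if uricontent.lower() not in uri.lower():
        return False
    payload = request.lower()
    return all(c.lower() in payload for c in contents)

# The three variants from the thread (patterns only; rule metadata omitted).
RULES = {
    "sid2229_as_shipped":     (b"viewtopic.php", ()),
    "plus_select":            (b"viewtopic.php", (b"select",)),
    "plus_select_from_where": (b"viewtopic.php", (b"select", b"from", b"where")),
}

def fired_rules(request):
    """Names of the rule variants that would alert on this request."""
    return [name for name, (uri_pat, pats) in RULES.items()
            if matches(request, uri_pat, pats)]

# Constructed sample traffic (hypothetical host "forum.example").
# 1. An ordinary user reading a topic: the shipped rule alerts on this alone.
BENIGN_VIEW = (b"GET /phpBB/viewtopic.php?t=42 HTTP/1.1\r\n"
               b"Host: forum.example\r\n\r\n")
# 2. The same topic view reached from a forum search for three English
#    words; the keywords sit in the Referer, yet every variant alerts.
BENIGN_FROM_SEARCH = (b"GET /phpBB/viewtopic.php?t=42 HTTP/1.1\r\n"
                      b"Host: forum.example\r\n"
                      b"Referer: http://forum.example/search.php"
                      b"?search_keywords=Select+from+where\r\n\r\n")
# 3. A request to another script: uricontent fails, so nothing alerts.
OTHER_SCRIPT = (b"GET /phpBB/index.php HTTP/1.1\r\n"
                b"Host: forum.example\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("topic view", BENIGN_VIEW),
                       ("topic view via search", BENIGN_FROM_SEARCH),
                       ("index page", OTHER_SCRIPT)]:
        print(f"{label}: {fired_rules(req) or 'no alert'}")
```

The point the thread makes holds either way: adding keywords removes the alert on plain topic views but still keys on generic words rather than anything specific to the vulnerability.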