[Snort-sigs] False positive in 1861.9 (WEB-MISC Linksys router default username and password login attempt)

nnposter nnposter at ...592...
Wed Jan 19 15:20:23 EST 2005


Rule:  WEB-MISC Linksys router default username and password login attempt

--
Sid: 1861

--
False Negatives:
Current version of the rule improperly matches on any password 
that starts with "admin".


I am proposing to augment the PCRE clause with a terminator:

alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 
(msg:"WEB-MISC Linksys router default username and password login attempt"; 
flow:to_server,established; content:"Authorization|3A|"; nocase; 
pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46YWRtaW4[=\s]/smi"; 
reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:10;) 


Unless I am mistaken the rule could be further optimized by using the
credentials as a more unique pre-match and making the PCRE partially 
case sensitive to reduce false positives:

alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 
(msg:"WEB-MISC Linksys router default username and password login attempt"; 
flow:to_server,established; content:"YWRtaW46YWRtaW4"; 
pcre:"/^Authorization\x3a\s*Basic\s+(?-i)YWRtaW46YWRtaW4[=\s]/smi"; 
reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:10;) 

Cheers,
nnposter
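To see why the terminator and the case-sensitive credential block matter, here is an added Python check that is not part of the post: it builds a few Basic-auth requests and runs an unterminated pattern (my stand-in for the then-current rule, an assumption) next to the proposed one. Python's scoped `(?-i:...)` replaces PCRE's inline `(?-i)`, and the `content` pre-match is mimicked with a plain byte search. The Host value is a constructed placeholder.

```python
import base64
import re

# Stand-in for the pre-rev rule (assumption): no terminator after the base64
# credentials, so it also fires on the prefix of longer credential strings.
ORIGINAL_PCRE = re.compile(
    rb"^Authorization\x3a\s*Basic\s+YWRtaW46YWRtaW4", re.S | re.M | re.I
)

# Proposed rev from the post: [=\s] terminator and a case-sensitive credential
# block; (?-i:...) is Python's equivalent of PCRE's (?-i).
PROPOSED_PCRE = re.compile(
    rb"^Authorization\x3a\s*Basic\s+(?-i:YWRtaW46YWRtaW4)[=\s]", re.S | re.M | re.I
)

# Case-sensitive content pre-match from the second proposed rule.
PROPOSED_CONTENT = b"YWRtaW46YWRtaW4"


def authorization_header(username: str, password: str) -> bytes:
    """Build an HTTP Basic Authorization header for the given credentials."""
    creds = base64.b64encode(f"{username}:{password}".encode())
    return b"Authorization: Basic " + creds + b"\r\n"


def build_request(password: str, username: str = "admin") -> bytes:
    """Constructed request to a router admin port (Host is a placeholder)."""
    return (
        b"GET / HTTP/1.1\r\n"
        b"Host: router.example:8080\r\n"
        + authorization_header(username, password)
        + b"\r\n"
    )


def classify(request: bytes) -> dict:
    """Return which of the two rule variants would alert on this request."""
    original = ORIGINAL_PCRE.search(request) is not None
    # Snort evaluates 'content' before 'pcre'; model that ordering here.
    proposed = (
        PROPOSED_CONTENT in request
        and PROPOSED_PCRE.search(request) is not None
    )
    return {"original": original, "proposed": proposed}


if __name__ == "__main__":
    for pw in ("admin", "admin123", "secret"):
        print(pw, classify(build_request(pw)))
    # Lower-casing the header changes the base64 value (different credentials),
    # yet a fully case-insensitive pattern still fires on it.
    print("lowercased", classify(build_request("admin").lower()))
```

The "admin123" case is the false positive from the post: its base64 form begins with the same fifteen characters as "admin:admin", so only the terminator distinguishes them. The lowercased request shows what the case-sensitive block buys: those bytes decode to entirely different credentials, so alerting on them is noise.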