[Snort-sigs] False positive - sid 1365

Paul Schmehl pauls at ...1311...
Fri Mar 18 11:08:36 EST 2005


/usr/local/share/snort/web-attacks.rules:alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; 
flow:to_server,established; content:"rm%20"; nocase; 
classtype:web-application-attack; sid:1365; rev:5;)

We get a ton of fps on this signature.  I'm wondering why the content isn't 
"%20rm%20" instead of "rm%20".  Wouldn't you need a space on either side 
for the command to be parsed/understood?

Here's a typical packet.  I've removed the last few lines because there was 
a username and password in there:

length = 885

000 : 47 45 54 20 2F 53 43 52 49 50 54 2F 31 30 35 39   GET /SCRIPT/1059
010 : 36 32 30 30 35 53 2F 73 63 72 69 70 74 73 2F 73   62005S/scripts/s
020 : 74 75 64 65 6E 74 2F 64 72 6F 70 62 6F 78 5F 66   tudent/dropbox_f
030 : 69 6C 65 73 5F 76 69 65 77 2E 70 6C 2F 2F 31 30   iles_view.pl//10
040 : 35 39 36 32 30 30 35 53 2F 70 72 6F 6A 30 35 73   5962005S/proj05s
050 : 2E 70 64 66 3F 46 49 4C 45 5F 44 4F 57 4E 4C 4F   .pdf?FILE_DOWNLO
060 : 41 44 2B 5F 68 6F 6D 65 70 61 67 65 2B 2B 31 35   AD+_homepage++15
070 : 38 35 32 31 32 38 39 34 2B 2F 31 30 35 39 36 32   85212894+/105962
080 : 30 30 35 53 2F 70 72 6F 6A 30 35 73 2E 70 64 66   005S/proj05s.pdf
090 : 2B 31 30 35 39 36 32 30 30 35 53 2B 20 48 54 54   +105962005S+ HTT
0a0 : 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 69   P/1.1..Accept: i
0b0 : 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 67 65 2F   mage/gif, image/
0c0 : 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D 61 67 65   x-xbitmap, image
0d0 : 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F 70 6A 70   /jpeg, image/pjp
0e0 : 65 67 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F   eg, application/
0f0 : 78 2D 73 68 6F 63 6B 77 61 76 65 2D 66 6C 61 73   x-shockwave-flas
100 : 68 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76   h, application/v
110 : 6E 64 2E 6D 73 2D 65 78 63 65 6C 2C 20 61 70 70   nd.ms-excel, app
120 : 6C 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D   lication/vnd.ms-
130 : 70 6F 77 65 72 70 6F 69 6E 74 2C 20 61 70 70 6C   powerpoint, appl
140 : 69 63 61 74 69 6F 6E 2F 6D 73 77 6F 72 64 2C 20   ication/msword,
150 : 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74   */*..Referer: ht
160 : 74 70 3A 2F 2F 77 65 62 63 74 2E 75 74 64 61 6C   tp://webct.utdal
170 : 6C 61 73 2E 65 64 75 2F 53 43 52 49 50 54 2F 31   las.edu/SCRIPT/1
180 : 30 35 39 36 32 30 30 35 53 2F 73 63 72 69 70 74   05962005S/script
190 : 73 2F 73 74 75 64 65 6E 74 2F 64 72 6F 70 62 6F   s/student/dropbo
1a0 : 78 5F 66 69 6C 65 73 5F 76 69 65 77 2E 70 6C 3F   x_files_view.pl?
1b0 : 53 54 41 52 54 2B 5F 68 6F 6D 65 70 61 67 65 2B   START+_homepage+
1c0 : 2B 31 35 38 35 32 31 32 38 39 34 2B 70 72 6F 6A   +1585212894+proj
1d0 : 30 35 73 2E 70 64 66 2B 31 30 35 39 36 32 30 30   05s.pdf+10596200
1e0 : 35 53 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75   5S..Accept-Langu
1f0 : 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65   age: en-us..Acce
200 : 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69   pt-Encoding: gzi
210 : 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 65 72   p, deflate..User
220 : 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F   -Agent: Mozilla/
230 : 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B   4.0 (compatible;
240 : 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F    MSIE 6.0; Windo
250 : 77 73 20 4E 54 20 35 2E 30 29 0D 0A 48 6F 73 74   ws NT 5.0)..Host
260 : 3A 20 77 65 62 63 74 2E 75 74 64 61 6C 6C 61 73   : webct.utdallas
270 : 2E 65 64 75 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E   .edu..Connection
280 : 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F   : Keep-Alive..Co
290 : 6F 6B 69 65 3A 20 70 61 67 65 3D 31 35 33 38 38   okie: page=15388
2a0 : 34 35 39 39 33 5F 5F 31 36 33 31 33 39 38 36 36   45993__163139866
2b0 : 35 5F 5F 5F 5F 31 36 33 31 33 39 38 36 36 35 2E   5____1631398665.
2c0 : 70 64 66 5F 5F 41 6E 73 77 65 72 73 25 32 30 74   pdf__Answers%20t
2d0 : 6F 25 32 30 4D 69 64 25 32 30 54 65 72 6D 25 32   o%20Mid%20Term%2
2e0 : 30 54 65 73 74 5F 5F 46 5F 5F 6D 73 30 35 73 61   0Test__F__ms05sa
2f0 : 2E 70 64 66 3B 20 57 65 62 43 54 54 69 63 6B 65   .pdf; WebCTTicke
300 : 74 3D 75 73 65 72 6E 61 6D 65 25 33 44 63 78 72   t=username%3Dcxr

You'll notice that what's triggering the rule is this:
page=15388
2a0 : 34 35 39 39 33 5F 5F 31 36 33 31 33 39 38 36 36   45993__163139866
2b0 : 35 5F 5F 5F 5F 31 36 33 31 33 39 38 36 36 35 2E   5____1631398665.
2c0 : 70 64 66 5F 5F 41 6E 73 77 65 72 73 25 32 30 74   pdf__Answers%20t
2d0 : 6F 25 32 30 4D 69 64 25 32 30 54 65 72 6D 25 32   o%20Mid%20Term%2
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

2e0 : 30 54 65 73 74 5F 5F 46 5F 5F 6D 73 30 35 73 61   0Test__F__ms05sa
2f0 : 2E 70 64 66 3B 20 57 65 62 43 54 54 69 63 6B 65   .pdf;

This is very common, as you would imagine, at a university.
	
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
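An added example (not part of the post above) that reproduces the match in Python: it emulates the rule's plain substring `content` check against the Cookie fragment from the dump, shows that the proposed "%20rm%20" stops that false positive, and also shows the trade-off a stricter content introduces, using a constructed, hypothetical request where "rm%20" starts a parameter value. The regex variant with a character-class boundary is an added alternative, not something the rule or the post contains.

```python
import re
from typing import Optional

# Cookie fragment reconstructed from the hex dump in the post (offsets 0x280-0x2f0);
# the WebCTTicket value is left out because the poster removed the credentials.
BENIGN_COOKIE = (
    "Cookie: page=1538845993__1631398665____1631398665.pdf__"
    "Answers%20to%20Mid%20Term%20Test__F__ms05sa.pdf"
)

# Constructed sample of the kind of request sid:1365 is meant to catch.
# Hypothetical: not taken from the post or from any real traffic.
SUSPECT_QUERY = "GET /cgi-bin/view.pl?cmd=rm%20notes.txt HTTP/1.1"


def snort_content_match(payload: str, content: str, nocase: bool = True) -> Optional[int]:
    """Emulate a bare Snort 'content' option: a substring search over the payload,
    case-insensitive when 'nocase' is set. Returns the match offset, or None."""
    hay = payload.lower() if nocase else payload
    needle = content.lower() if nocase else content
    idx = hay.find(needle)
    return idx if idx >= 0 else None


# Boundary-aware alternative: 'rm%20' must not be preceded by a letter or digit,
# so "Term%20" no longer matches while "cmd=rm%20" and "%20rm%20" still do.
# Other space encodings ('+', a literal space) would need the same treatment.
BOUNDED_RM = re.compile(r"(?<![a-z0-9])rm%20", re.IGNORECASE)


def bounded_match(payload: str) -> Optional[str]:
    """Return the matched text, or None when the boundary-aware pattern misses."""
    m = BOUNDED_RM.search(payload)
    return m.group(0) if m else None


if __name__ == "__main__":
    for label, payload in (("benign cookie", BENIGN_COOKIE), ("suspect query", SUSPECT_QUERY)):
        print(label)
        print("  rm%20     ->", snort_content_match(payload, "rm%20"))
        print("  %20rm%20  ->", snort_content_match(payload, "%20rm%20"))
        print("  bounded   ->", bounded_match(payload))
```

Running it shows the original content firing on "Term%20", the "%20rm%20" variant silencing that but also missing the constructed "cmd=rm%20" case, and the boundary-aware pattern separating the two.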