[Snort-sigs] False positive - sid 1365

Chris Kronberg smil at ...1754...
Fri Mar 18 11:24:18 EST 2005


On Fri, 18 Mar 2005, Paul Schmehl wrote:

> 
> /usr/local/share/snort/web-attacks.rules:alert tcp $EXTERNAL_NET any -> 
> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; 
> flow:to_server,established; content:"rm%20"; nocase; 
> classtype:web-application-attack; sid:1365; rev:5;)
>
> We get a ton of fps on this signature.  I'm wondering why the content isn't

   So do I, yet...

> "%20rm%20" instead of "rm%20".  Wouldn't you need a space on either side for 
> the command to be parsed/understood?

   "%20rm%20" will not catch attempts à la "somescript.cgi?rm%20/etc/passwd"
   or "somescript.cgi?bla=blub;rm%20/tmp/laber".
   I had seen attempts like that in the past (although the script in
   question was not vulnerable). Some attackers used "rm", others used
   "/bin/rm". A more recent example may be
   "awstats.pl?configdir=|rm%20/path/to/file|"

   The only thing you know for sure is the space after the "rm".
   If you are sure to catch all possible combinations a pcre rule
   should reduce the fps significantly (I'll try to write a rule
   after a night of sleep; can't think straight right now).

   Cheers,


                                                   Chris Kronberg.
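To make the trade-off in this thread concrete, here is an added example (not code from the list or from Chris's promised rule) that checks the three request shapes quoted above against the original `rm%20` content match, against Paul's `%20rm%20` variant, and against a tighter PCRE-style pattern of my own that only fires when `rm` is preceded by the start of the query string, a shell separator, `=`, or `/bin/`. The benign URIs are constructed to show why the bare `rm%20` content fires on ordinary words ending in "rm".

```python
import re

# Original sid 1365 content match: case-insensitive substring (nocase).
CONTENT_RM = "rm%20"
# Paul's suggested variant: require a space on both sides.
PADDED_RM = "%20rm%20"
# Assumed tighter pattern for this example (not the rule Chris wrote later):
# "rm" plus an encoded or literal space, only when "rm" starts the query,
# follows a shell separator / '=' / whitespace, or follows "/bin/".
PCRE_RM = re.compile(r"(?:^|[?;|&=\s]|/bin/)rm(?:%20|\s)", re.IGNORECASE)


def matches_content(uri: str) -> bool:
    """Mimic the rule's content:"rm%20"; nocase; check."""
    return CONTENT_RM in uri.lower()


def matches_padded(uri: str) -> bool:
    """Mimic a content:"%20rm%20"; nocase; check."""
    return PADDED_RM in uri.lower()


def matches_pcre(uri: str) -> bool:
    """Apply the tighter, separator-aware pattern."""
    return PCRE_RM.search(uri) is not None


# Constructed sample set: True = the hostile shapes quoted in the thread,
# False = benign requests where "rm%20" is only the tail of a normal word.
SAMPLES = {
    "/cgi-bin/somescript.cgi?rm%20/etc/passwd": True,
    "/cgi-bin/somescript.cgi?bla=blub;rm%20/tmp/laber": True,
    "/awstats/awstats.pl?configdir=|rm%20/path/to/file|": True,
    "/search?q=form%20data": False,         # "form" ends in "rm"
    "/orders?action=confirm%20now": False,  # "confirm" ends in "rm"
    "/docs/alarm%20settings.html": False,   # "alarm" ends in "rm"
}


def evaluate(samples=SAMPLES):
    """Return false positives and misses for each matcher over the samples."""
    result = {}
    for name, fn in (("content", matches_content), ("padded", matches_padded),
                     ("pcre", matches_pcre)):
        fps = [u for u, hostile in samples.items() if not hostile and fn(u)]
        misses = [u for u, hostile in samples.items() if hostile and not fn(u)]
        result[name] = {"false_positives": fps, "misses": misses}
    return result
```

Running `evaluate()` shows the bare content match flagging all three benign URIs, the padded variant missing all three hostile ones, and the separator-aware pattern doing neither on this sample set.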