[Snort-sigs] False positive - sid:1344

Paul Schmehl pauls at ...1311...
Fri Mar 18 12:02:40 EST 2005


/usr/local/share/snort/web-attacks.rules:alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cc command attempt"; 
flow:to_server,established; content:"cc%20"; nocase; 
classtype:web-application-attack; sid:1344; rev:5;)

We're seeing FPs on this one as well.  Here's a payload:

000 : 47 45 54 20 2F 31 30 32 35 34 32 30 30 35 53 2F   GET /102542005S/
010 : 43 6C 61 73 73 25 32 30 46 69 6C 65 73 2F 43 43   Class%20Files/CC
020 : 43 43 25 32 30 47 6F 6C 66 2E 70 64 66 20 48 54   CC%20Golf.pdf HT
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
030 : 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74 3A 20   TP/1.0..Accept:
040 : 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 67 65   image/gif, image
050 : 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D 61 67   /x-xbitmap, imag
060 : 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F 70 6A   e/jpeg, image/pj
070 : 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E   peg, application
080 : 2F 76 6E 64 2E 6D 73 2D 65 78 63 65 6C 2C 20 61   /vnd.ms-excel, a
090 : 70 70 6C 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D   pplication/vnd.m
0a0 : 73 2D 70 6F 77 65 72 70 6F 69 6E 74 2C 20 61 70   s-powerpoint, ap
0b0 : 70 6C 69 63 61 74 69 6F 6E 2F 6D 73 77 6F 72 64   plication/msword
0c0 : 2C 20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20   , */*..Referer:
0d0 : 68 74 74 70 3A 2F 2F 77 65 62 63 74 2E 75 74 64   http://webct.utd
0e0 : 61 6C 6C 61 73 2E 65 64 75 2F 31 30 32 35 34 32   allas.edu/102542
0f0 : 30 30 35 53 2F 43 6C 61 73 73 25 32 30 46 69 6C   005S/Class%20Fil
100 : 65 73 2F 70 72 6F 6A 65 63 74 25 32 30 53 50 52   es/project%20SPR
110 : 49 4E 47 30 35 2E 68 74 6D 0D 0A 41 63 63 65 70   ING05.htm..Accep
120 : 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75   t-Language: en-u
130 : 73 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D   s..User-Agent: M
140 : 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70   ozilla/4.0 (comp
150 : 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30   atible; MSIE 6.0
160 : 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31   ; Windows NT 5.1
170 : 29 0D 0A 48 6F 73 74 3A 20 77 65 62 63 74 2E 75   )..Host: webct.u
180 : 74 64 61 6C 6C 61 73 2E 65 64 75 0D 0A 43 6F 6F   tdallas.edu..Coo
190 : 6B 69 65 3A 20 57 65 62 43 54 54 69 63 6B 65 74   kie: WebCTTicket

Again, I clipped off the username password portion of the packet.

ISTM that both these sids (1344 and 1365) would benefit from using pcre so 
you could parse for prefixes that make sense - for example 
pcre:"/[\/\s]?cc\s+/i";

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
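As an added illustration (not part of Paul's post or of the Snort ruleset), the Python script below replays the two matching strategies over constructed request lines: the raw `content:"cc%20"; nocase;` substring test that sid:1344 performs, and a regex run over the percent-decoded request URI, which is roughly what a Snort `pcre` option with the `U` modifier sees after http_inspect normalization. The regex used here requires a separator before `cc` (slash, whitespace, `;`, `|`, `&` or `=`), so the `CCCC%20Golf.pdf` path from the dump above and a word such as `acc%20` do not fire, while `cc` following a CGI parameter still does. The extra separator characters beyond `[\/\s]`, the `normalized_uri` helper and all sample request lines are my own assumptions and constructed data.

```python
import re
import urllib.parse

# Constructed request lines (not taken from real traffic). The first mirrors the
# benign WebCT path shown in the hex dump; the others are made up for the test.
BENIGN_PDF = "GET /102542005S/Class%20Files/CCCC%20Golf.pdf HTTP/1.0"
BENIGN_WORD = "GET /docs/acc%20summary.htm HTTP/1.0"
SUSPECT_CGI = "GET /cgi-bin/test.cgi?cmd=cc%20-o%20a.out%20a.c HTTP/1.0"

# How the refined option would be written in a Snort rule (assumed, for reference only):
#   pcre:"/(?:^|[\/\s;|&=])cc\s+/Ui";
CC_CMD = re.compile(r"(?:^|[/\s;|&=])cc\s+", re.IGNORECASE)


def content_match(payload: str) -> bool:
    """Emulates sid:1344's content:"cc%20"; nocase; - a case-insensitive
    substring search over the raw payload, with no notion of word boundaries."""
    return "cc%20" in payload.lower()


def normalized_uri(payload: str) -> str:
    """Assumed stand-in for http_inspect URI normalization: take the request
    URI from the request line and percent-decode it."""
    parts = payload.split(" ")
    if len(parts) < 2:
        return ""
    return urllib.parse.unquote(parts[1])


def pcre_match(payload: str) -> bool:
    """Refined check: 'cc' must be preceded by a separator and followed by
    whitespace in the decoded URI, so 'CCCC Golf.pdf' and 'acc summary' miss."""
    return CC_CMD.search(normalized_uri(payload)) is not None


def evaluate(payload: str) -> dict:
    """Return both verdicts for one request line so they can be compared."""
    return {
        "content": content_match(payload),
        "pcre": pcre_match(payload),
        "uri": normalized_uri(payload),
    }


if __name__ == "__main__":
    for name, req in (("benign pdf", BENIGN_PDF),
                      ("benign word", BENIGN_WORD),
                      ("suspect cgi", SUSPECT_CGI)):
        v = evaluate(req)
        print(f"{name:12s} content={v['content']!s:5s} pcre={v['pcre']!s:5s} uri={v['uri']}")
```

Running the script prints one line per sample: the raw content match fires on all three, the separator-anchored regex only on the CGI sample. The same idea carries over to sid:1365 by swapping the command token in `CC_CMD`.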