[Snort-sigs] False positive - sid 1365

Paul Schmehl pauls at ...1311...
Fri Mar 18 12:16:09 EST 2005


--On Friday, March 18, 2005 08:23:14 PM +0100 Chris Kronberg 
<smil at ...1754...> wrote:
>
>> "%20rm%20" instead of "rm%20".  Wouldn't you need a space on either side
>> for the command to be parsed/understood?
>
>    "%20rm%20" will not catch attempts ala
> "somescript.cgi?rm%20/etc/passwd"
>    or "somescript.cgi?bla=blub;rm%20/tmp/laber".
>    I had seen attempts like that in the past (although the script in
>    question was not vulnerable). Some attackers used "rm", others used
>    "/bin/rm". A more recent example may be
>    "awstats.pl?configdir=|rm%20/path/to/file|"
>
>    The only thing you know for sure is the space after the "rm".
>    If you are sure to catch all possible combinations a pcre rule
>    should reduce the fps significantly (I'll try to write a rule
>    after a night of sleep; can't think straight right now).
How about this:

For 1365 - pcre:"/[\/\s;\?\|]?rm\s/";
For 1344 - pcre:"/[\/\s;\?\|]?cc\s/";

Or simply this:
For 1365 - pcre:"/\W?rm\s/";
For 1344 - pcre:"/\W?cc\s/";

Or this:
For 1365 - pcre:"/[\W\d]?rm\s/";
For 1344 - pcre:"/[\W\d]?cc\s/";

Surely the character preceding rm or cc would have to be non-alpha at 
least, if not non-alphanumeric?  I don't know which of the above would be 
most efficient, but ISTM one of them would be an improvement and still 
catch all hacking attempts while reducing/eliminating the fps.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
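To see what each of the three candidate sid 1365 bodies actually matches, here is an added Python harness (not from the thread or from the Snort project): it URL-decodes the request URIs the way Snort's http_uri normalisation does before pcre runs, applies each candidate to the attack shapes quoted above and to two constructed benign requests, and adds a fourth, assumed variant in which the preceding character is anchored instead of optional.

```python
import re
from urllib.parse import unquote

# The three candidate PCRE bodies from the post (Snort "/.../" delimiters
# stripped so Python's re can compile them), plus an added "anchored" variant
# that is an assumption for comparison, not something proposed in the thread.
CANDIDATES = {
    "class_opt":         r"[\/\s;\?\|]?rm\s",
    "nonword_opt":       r"\W?rm\s",
    "nonword_digit_opt": r"[\W\d]?rm\s",
    "anchored":          r"(?:^|[\W\d])rm\s",
}

# Constructed sample URIs: the attack shapes quoted in the thread (flagged
# True) and two benign requests where "rm " sits inside an ordinary word
# (flagged False), i.e. the false-positive case the rule should skip.
SAMPLES = [
    ("somescript.cgi?rm%20/etc/passwd", True),
    ("somescript.cgi?bla=blub;rm%20/tmp/laber", True),
    ("awstats.pl?configdir=|rm%20/path/to/file|", True),
    ("cgi-bin/x.cgi?cmd=/bin/rm%20-rf%20/tmp/x", True),
    ("search.cgi?q=alarm%20clock", False),
    ("form%20handler.cgi", False),
]

def matches(pattern, uri):
    """True if the pattern fires on the URL-decoded URI (so %20 becomes a
    space, as it does after Snort's http_uri normalisation)."""
    return re.search(pattern, unquote(uri)) is not None

def evaluate(pattern):
    """Return (attacks_detected, false_positives) counts over SAMPLES."""
    hits = sum(1 for uri, bad in SAMPLES if bad and matches(pattern, uri))
    fps = sum(1 for uri, bad in SAMPLES if not bad and matches(pattern, uri))
    return hits, fps

if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        hits, fps = evaluate(pattern)
        print(f"{name:18} detected {hits}/4 attacks, {fps}/2 false positives")
```

Because the trailing `?` makes the leading class optional, the first three candidates behave like a bare `rm\s` on the benign samples; only the anchored variant leaves "alarm clock" and "form handler" alone while still catching all four attack shapes.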
