[Snort-sigs] False positive - sid 1365

Mike Pomraning mjp-snortsigs at ...1399...
Fri Mar 18 15:40:15 EST 2005


On Fri, 18 Mar 2005, Paul Schmehl wrote:

> --On Friday, March 18, 2005 08:23:14 PM +0100 Chris Kronberg <smil at ...1754...>
> wrote:
> > 
> > The only thing you know for sure is the space after the "rm".
> 
[...]
> 
> How about this:
> 
> For 1365 - pcre:"[\/\s;\?\|]?rm\s";
> For 1344 - pcre:"[\/\s;\?\|]?cc\s";
[...]

How about:

   uricontent: "rm "; pcre: "/\brm /U";

and similar for "cc"?

'\b' (word boundary) ensures that "rm" can't be the end of a token (as in
"GET /Form%20Download/"), and the 'uricontent' should keep the rule
reasonably fast, in addition to handling multiple space encoding schemes.

If you're worried about more sophisticated injections that don't use a space
character (e.g., "rm${_bleh- }..." or "rm$IFS..."), you could drop the space
altogether:

   uricontent: "rm"; pcre: "/\brm\b/U";

Regards,
Mike
-- 
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
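The difference between the two proposals above (an optional prefix class versus a `\b` word boundary, and a space versus no space after `rm`) is easiest to see by running both against sample URIs. The script below is an added illustration, not code from the thread or from the Snort project: it approximates Snort's URI normalization with `urllib.parse.unquote` (so `%20` and a literal space compare equal, as they do for `uricontent` and `pcre` with the `/U` modifier), emulates the `uricontent` fast-pattern prefilter with a substring check, and then applies each `pcre` to constructed request URIs. The URIs, the function names and the normalization shortcut are all assumptions made here for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample URIs (not taken from the thread). The first is the kind
# of request sid 1365 is meant to catch, the second and last are benign paths
# that happen to contain "rm " once "%20" is decoded, and the third is the
# no-space variant ("rm$IFS") mentioned in the message.
SAMPLE_URIS = [
    "/cgi-bin/x.cgi?cmd=rm%20-rf%20/",
    "/Form%20Download/",
    "/cgi-bin/x.cgi?cmd=rm$IFS-rf",
    "/firmware/update",
    "/help?topic=perm%20denied",
]

# The three pcre bodies quoted in the thread, compiled with Python's re
# (PCRE and Python agree on \b, \s and character classes for this purpose).
PATTERNS = {
    "paul_1365": re.compile(r"[\/\s;\?\|]?rm\s"),  # optional prefix, space after
    "mike_space": re.compile(r"\brm "),             # word boundary, space after
    "mike_nospace": re.compile(r"\brm\b"),          # word boundary both sides
}

# uricontent needle that precedes each pcre (None: no prefilter was proposed).
URICONTENT = {
    "paul_1365": None,
    "mike_space": "rm ",
    "mike_nospace": "rm",
}


def normalize_uri(raw_uri: str) -> str:
    """Assumption: percent-decoding stands in for Snort's URI normalization,
    so space encodings collapse to a literal space before matching."""
    return unquote(raw_uri)


def rule_fires(name: str, raw_uri: str) -> bool:
    """Emulate one rule: uricontent prefilter (plain substring) and then the
    pcre, both evaluated against the normalized URI (pcre /U semantics)."""
    normalized = normalize_uri(raw_uri)
    needle = URICONTENT[name]
    if needle is not None and needle not in normalized:
        return False  # fast path: pcre never runs when the content is absent
    return PATTERNS[name].search(normalized) is not None


def evaluate(raw_uri: str) -> dict:
    """Return {rule_name: fired} for a single URI."""
    return {name: rule_fires(name, raw_uri) for name in PATTERNS}


def false_positives(name: str, benign_uris) -> list:
    """Which of the given benign URIs would this rule alert on?"""
    return [u for u in benign_uris if rule_fires(name, u)]


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri!r:40} -> {evaluate(uri)}")
```

Running it shows the point of the message: `rm\s` fires on `/Form Download/` and `perm denied` because nothing stops `rm` from being the tail of a longer word, `\brm ` does not, and `\brm\b` is the only one of the three that also catches the `rm$IFS` form while still ignoring `/firmware/update`.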