[Snort-sigs] False positive - sid 1365

Jason security at ...704...
Sat Mar 19 12:27:56 EST 2005


ahh, the lost arts... I would not even want the %20 in there.

Chris Kronberg wrote:
> On Fri, 18 Mar 2005, Paul Schmehl wrote:
> 
>>
>> /usr/local/share/snort/web-attacks.rules:alert tcp $EXTERNAL_NET any 
>> -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; 
>> flow:to_server,established; content:"rm%20"; nocase; 
>> classtype:web-application-attack; sid:1365; rev:5;)
>>
>> We get a ton of fps on this signature.  I'm wondering why the content 
>> isn't
> 
> 
>   So do I, yet...
> 
>> "%20rm%20" instead of "rm%20".  Wouldn't you need a space on either 
>> side for the command to be parsed/understood?
> 
> 
>   "%20rm%20" will not catch attempts à la "somescript.cgi?rm%20/etc/passwd"
>   or "somescript.cgi?bla=blub;rm%20/tmp/laber".
>   I had seen attempts like that in the past (although the script in
>   question was not vulnerable). Some attackers used "rm", others used
>   "/bin/rm". A more recent example may be
>   "awstats.pl?configdir=|rm%20/path/to/file|"
> 
>   The only thing you know for sure is the space after the "rm".

unless you are able to set IFS

an example might be

GET /path/to/awstats.pl?configdir=%7cIFS=%3a%3brm%3a/path/to/file%7c

>   If you are sure to catch all possible combinations a pcre rule
>   should reduce the fps significantly (I'll try to write a rule
>   after a night of sleep; can't think straight right now).
> 

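To make the false positive, the miss and the IFS case above concrete, here is an added Python example (not from the thread and not Snort code) that runs the quoted content match, Paul's "%20rm%20" variant, a token-boundary pcre-style pattern, and a decode-first check over constructed request URIs. The sample URIs, the placeholder paths and the refined patterns are my own assumptions.

```python
"""Run the sid:1365 content match and candidate refinements over sample URIs.
Added example for the thread above, not Snort code; samples are constructed."""
import re
from urllib.parse import unquote

# Constructed request URIs: two benign ones that contain "rm%20" by accident,
# plus the attack shapes quoted in the thread (file paths are placeholders).
SAMPLES = {
    "benign_form":  "/app/submit.cgi?form%20name=test",
    "benign_alarm": "/news.cgi?title=alarm%20clock%20review",
    "attack_bare":  "/cgi-bin/somescript.cgi?rm%20/etc/passwd",
    "attack_chain": "/cgi-bin/somescript.cgi?bla=blub;rm%20/tmp/laber",
    "attack_binrm": "/cgi-bin/somescript.cgi?bla=blub;/bin/rm%20/tmp/laber",
    "attack_pipe":  "/awstats.pl?configdir=|rm%20/path/to/file|",
    "attack_ifs":   "/awstats.pl?configdir=%7cIFS=%3a%3brm%3a/path/to/file%7c",
}

def match_original(uri):
    """sid:1365 rev:5 as quoted: content:"rm%20"; nocase;"""
    return "rm%20" in uri.lower()

def match_space_both_sides(uri):
    """Paul's proposal: content:"%20rm%20"; nocase;"""
    return "%20rm%20" in uri.lower()

# pcre-style refinement: "rm" (or /bin/rm) must begin a shell token, i.e.
# follow the query start or a separator, and be followed by a space.
TOKEN_RULE = re.compile(r"(?i)(?:[?&=;|`]|%20)(?:/bin/)?rm(?:%20|\+| )")
SEPS = r"(?i)(?:^|[?&=;|`\s])(?:/bin/)?rm"

def match_token_boundary(uri):
    return TOKEN_RULE.search(uri) is not None

def match_decoded(uri):
    """Decode once, then accept a space or, when the request sets IFS,
    the IFS character as the separator after "rm"."""
    decoded = unquote(uri)
    if re.search(SEPS + r"[ +]", decoded):
        return True
    ifs = re.search(r"\bIFS=(.)", decoded)
    return bool(ifs) and re.search(SEPS + re.escape(ifs.group(1)), decoded) is not None

def evaluate():
    """Map sample name -> (original, both_sides, token_boundary, decoded)."""
    return {name: (match_original(u), match_space_both_sides(u),
                   match_token_boundary(u), match_decoded(u))
            for name, u in SAMPLES.items()}
```

The original match fires on both benign URIs, the "%20rm%20" variant misses every attack shape from the thread, and only the decode-first check sees the IFS form.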