[Snort-sigs] False positive - sid 1365
security at ...704...
Sat Mar 19 12:27:56 EST 2005
ahh, the lost arts... I would not even want the %20 in there.
Chris Kronberg wrote:
> On Fri, 18 Mar 2005, Paul Schmehl wrote:
>> /usr/local/share/snort/web-attacks.rules:alert tcp $EXTERNAL_NET any
>> -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt";
>> flow:to_server,established; content:"rm%20"; nocase;
>> classtype:web-application-attack; sid:1365; rev:5;)
>> We get a ton of fps on this signature. I'm wondering why the content
> So do I, yet...
>> "%20rm%20" instead of "rm%20". Wouldn't you need a space on either
>> side for the command to be parsed/understood?
> "%20rm%20" will not catch attempts ala "somescript.cgi?rm%20/etc/passwd"
> or "somescript.cgi?bla=blub;rm%20/tmp/laber".
> I had seen attempts like that in the past (although the script in
> question was not vulnerable). Some attackers used "rm", others used
> "/bin/rm". A more recent example may be
> The only thing you know for sure is the space after the "rm".
unless you are able to set IFS
an example might be
> If you are sure to catch all possible combinations a pcre rule
> should reduce the fps significantly (I'll try to write a rule
> after a night of sleep; can't think straight right now).
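To make the trade-off in this thread concrete, here is an added example (my own illustration, not sid 1365 as shipped and not the pcre rule Chris said he would write). It runs three candidate matchers over a handful of constructed request URIs: the bare `rm%20` content match from the rule as quoted, Paul's `%20rm%20` variant, and an assumed word-boundary pattern (`\brm%20`, case-insensitive; in Snort that would be roughly `pcre:"/\brm%20/i"`, which is my assumption, not a rule from the list). The first two URIs mirror the attack shapes quoted above; everything else is made up here. As the thread notes, none of these patterns deals with IFS tricks.

```python
import re

# Constructed sample request URIs, hand-labelled as attack-shaped (True) or
# benign (False). The first two copy the shapes quoted in the thread; the
# remaining ones are invented for this example.
SAMPLES = [
    ("/somescript.cgi?rm%20/etc/passwd", True),
    ("/somescript.cgi?bla=blub;rm%20/tmp/laber", True),
    ("/cgi-bin/x.cgi?cmd=/bin/rm%20-f%20/tmp/x", True),
    ("/search?q=alarm%20clock", False),        # 'alarm' happens to end in 'rm'
    ("/docs/perform%20search", False),         # 'perform'
    ("/files/storm%20report.pdf", False),      # 'storm'
    ("/uploads/RM%20Form.pdf", False),         # 'RM' as a standalone token
]


def sid1365_matches(uri):
    """sid 1365 as quoted: content:"rm%20"; nocase; i.e. a bare substring test."""
    return "rm%20" in uri.lower()


def space_both_sides_matches(uri):
    """Paul's suggestion: require a space on both sides of 'rm'."""
    return "%20rm%20" in uri.lower()


# Assumed tighter pattern: 'rm' must begin a word, so 'alarm%20' and
# 'storm%20' no longer fire, while '?rm%20', ';rm%20' and '/bin/rm%20' still do.
# Roughly what pcre:"/\brm%20/i" would express in a Snort rule (an assumption).
WORD_RM = re.compile(r"\brm%20", re.IGNORECASE)


def word_boundary_matches(uri):
    return WORD_RM.search(uri) is not None


def false_positives(matcher, samples=SAMPLES):
    """Benign URIs the matcher would alert on."""
    return [uri for uri, is_attack in samples if not is_attack and matcher(uri)]


def missed_attacks(matcher, samples=SAMPLES):
    """Attack-shaped URIs the matcher would let through."""
    return [uri for uri, is_attack in samples if is_attack and not matcher(uri)]


if __name__ == "__main__":
    for name, matcher in [
        ("rm%20 (sid 1365 as quoted)", sid1365_matches),
        ("%20rm%20", space_both_sides_matches),
        ("\\brm%20 (assumed)", word_boundary_matches),
    ]:
        print(f"{name}: {len(false_positives(matcher))} false positives, "
              f"{len(missed_attacks(matcher))} missed attacks")
```

The word-boundary pattern still fires on the standalone `RM%20Form` URI, which is the point: a boundary only removes the substring hits inside longer words, so the remaining noise has to be handled by what follows the `rm` (a path, an option, a separator) rather than by the match on `rm` alone.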