[Snort-sigs] False positive - sid 1365

Ofer Shezaf ofer at ...2970...
Tue Mar 22 06:19:55 EST 2005


The problem is that rm is one of a very long list of commands, and that pcre
is very expensive performance-wise.

Even prefixing with a "uricontent" operator does not help much, as two-letter
words tend to crop up a lot (and it probably should be "content" and not
"uricontent", as rm could very well be injected in a parameter value).

So? 
Write code better; Configure the server better; use application layer
security tools; but don't try to catch application layer issues such as
command or SQL injection with Snort.

~ Ofer

Ofer Shezaf
CTO, Breach Security

Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers at ...2971...
http://www.breach.com 


> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net [mailto:snort-sigs-
> admin at lists.sourceforge.net] On Behalf Of Mike Pomraning
> Sent: Saturday, March 19, 2005 1:40 AM
> To: Paul Schmehl
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] False positive - sid 1365
> 
> On Fri, 18 Mar 2005, Paul Schmehl wrote:
> 
> > --On Friday, March 18, 2005 08:23:14 PM +0100 Chris Kronberg
> <smil at ...1754...>
> > wrote:
> > >
> > > The only thing you know for sure is the space after the "rm".
> >
> [...]
> >
> > How about this:
> >
> > For 1365 - pcre:"[\/\s;\?\|]?rm\s";
> > For 1344 - pcre:"[\/\s;\?\|]?cc\s";
> [...]
> 
> How about:
> 
>    uricontent: "rm "; pcre: "/\brm /U";
> 
> and similar for "cc"?
> 
> '\b' (word boundary) ensures that "rm" can't be the end of a token (as in
> "GET /Form%20Download/"), and the 'uricontent' should keep the rule
> reasonably fast, in addition to handling multiple space encoding schemes.
> 
> If you're worried about more sophisticated injections that don't use a
> space character (e.g., "rm${_bleh- }..." or "rm$IFS..."), you could drop
> the space altogether:
> 
>    uricontent: "rm"; pcre: "/\brm\b/U";
> 
> Regards,
> Mike
> --
> Michael J. Pomraning, CISSP
> Project Manager, Infrastructure
> SecurePipe, Inc. - Managed Internet Security
> 
> 
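The thread compares three pcre variants for sid 1365 without showing them side by side on real input. The script below is an added example (not code from the thread, from Breach Security or from the Snort rule set) that runs Paul's `[\/\s;\?\|]?rm\s`, Mike's `\brm ` and Mike's `\brm\b` over a handful of constructed request lines: the "/Form%20Download/" false positive, Mike's "$IFS" and "${_bleh- }" injections, and a two-letter path segment of the kind Ofer mentions. It percent-decodes the URI as a stand-in for the normalized URI buffer that `uricontent` and `pcre:/.../U` inspect; that approximation, and all the sample request lines, are assumptions of this example, not behaviour documented on the page.

```python
"""Replay the rm signature variants from this thread against sample URIs.

Added example, not part of the original post or of the Snort rule set.
Each pcre from the thread is applied to a percent-decoded URI, which is an
approximation (assumption) of the normalized URI buffer that Snort's /U
modifier matches on.  The request lines below are constructed for
illustration.
"""
import re
from urllib.parse import unquote

# The three expressions discussed in the thread.  Python's re module
# accepts this PCRE subset unchanged (\b, \s, character classes).
PATTERNS = {
    "paul_rm_ws":    re.compile(r"[\/\s;\?\|]?rm\s"),  # optional separator, 'rm', whitespace
    "mike_rm_space": re.compile(r"\brm "),              # word boundary, 'rm', literal space
    "mike_rm_word":  re.compile(r"\brm\b"),             # 'rm' as a whole token, any delimiter
}

# Constructed request lines: benign URIs that contain "rm " or an "rm"
# segment, injections that use a space, and injections that avoid one.
SAMPLES = {
    "GET /Form%20Download/ HTTP/1.0":                      "benign",
    "GET /alarm%20clock.html HTTP/1.0":                    "benign",
    "GET /images/firm HTTP/1.0":                           "benign",
    "GET /rm/status HTTP/1.0":                             "benign",
    "GET /cgi-bin/x.cgi?cmd=;rm%20-rf%20/ HTTP/1.0":       "attack",
    "GET /cgi-bin/x.cgi?cmd=|rm%20-f%20x HTTP/1.0":        "attack",
    "GET /cgi-bin/x.cgi?cmd=;rm$IFS-rf$IFS/ HTTP/1.0":     "attack",
    "GET /cgi-bin/x.cgi?cmd=;rm${_bleh-%20}-rf HTTP/1.0":  "attack",
}


def normalize_uri(request_line):
    """Return the percent-decoded URI from an HTTP request line.

    Assumption: this stands in for the normalized URI that 'uricontent' and
    'pcre:/.../U' inspect.  The real http_inspect preprocessor does more
    (path canonicalization, double-decoding, and so on).
    """
    _method, uri, _version = request_line.split(" ", 2)
    return unquote(uri)


def matches(uri):
    """Map each pattern name to whether it fires on the given URI."""
    return {name: bool(rx.search(uri)) for name, rx in PATTERNS.items()}


def evaluate(samples=SAMPLES):
    """Count false positives and missed attacks per pattern over the samples."""
    summary = {name: {"fp": 0, "missed": 0} for name in PATTERNS}
    for line, label in samples.items():
        hits = matches(normalize_uri(line))
        for name, hit in hits.items():
            if hit and label == "benign":
                summary[name]["fp"] += 1
            elif not hit and label == "attack":
                summary[name]["missed"] += 1
    return summary


if __name__ == "__main__":
    for line in SAMPLES:
        uri = normalize_uri(line)
        print(f"{uri!r:48} {matches(uri)}")
    print(evaluate())
```

On these samples Paul's pattern fires on "Form Download" and "alarm clock" and misses both no-space injections; Mike's `\brm ` has no false positives here but misses the same two injections; Mike's `\brm\b` catches all four injections but also fires on the "/rm/status" path segment, which is the two-letter-word problem Ofer raises. None of the three variants distinguishes a shell command from a string that merely contains one, which is the point of his reply.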