[Snort-sigs] Sig 1147

Jamie Riden jamesr at ...3216...
Fri May 26 05:04:03 EDT 2006


Hi BP,

There are lots of other circumstances in which you don't want a 'cat'
command, e.g. with the awstats exploit, people will use cat/echo/id to
test if a script is vulnerable. Something like this:

GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%3a%etc%3apasswd%20e_exp%3b%2500 HTTP/1.1

However, the cat%20 rule does tend to generate a lot of false
positives - for example at the vet department of the university I used
to work at :) I wouldn't recommend blocking using it.

cheers,
 Jamie

On 26/04/06, BassPlayer <bassplayer at ...549...> wrote:
> After checking the actual exploit here
>
> http://www.securityfocus.com/bid/374/exploit
>
> Wouldn't it be better to do
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> cat%20 access"; flow:to_server,established;
> pcre:"/webdist.cgi.+cat%20/i"; reference:bugtraq,374;
> reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)
>
> Please excuse my n00bness in rules writing.
>
> BP
>
> BassPlayer wrote:
> > Hi,
> > Can this rule be tightened up a bit?
> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> > cat%20 access"; flow:to_server,established; content:"cat%20"; nocase;
> > reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon;
> > sid:1147; rev:7;)
> >
> > It's triggering on the following request which is my wife streaming music.
> > She wasn't too happy when my modified guardian script autoblocked her :D.
> > BP
> >
> > Generated by BASE v1.2.2 (cindy) on Tue, 25 Apr 2006 15:18:24 -0700
> >
> > ------------------------------------------------------------------------------
> > #(1 - 113755) [2006-04-25 07:35:06] [cve/1999-0039] [icat/1999-0039]
> > [bugtraq/374]
> > [local/1147] [snort/1147]  WEB-MISC cat%20 access
> > IPv4: 143.183.121.1 -> 209.237.15.226
> >       hlen=5 TOS=0 dlen=517 ID=43136 flags=0 offset=0 TTL=47 chksum=46826
> > TCP:  port=56372 -> dport: 80  flags=***AP*** seq=2968053703
> >       ack=1992497194 off=8 res=0 win=5840 urp=0 chksum=57923
> >       Options:
> >        #1 - NOP len=0
> >        #2 - NOP len=0
> >        #3 - TS len=8 data=A0754FBD005A583E
> > Payload: GET
> > /private_music_archive/play/index.php?song=2538&uid=usersid=sid&ds=32&name=/The%20Pussycat%20Dolls%20-%20Bite%20the%20Dust.mp3
> > HTTP/1.0
> > Accept: */*
> > User-Agent: Windows-Media-Player/10.00.00.3990
> > Host: www.angmar.com
> > Cookie: amp_longsess=1; POSTNUKESID=mumble
> > Via: 1.0 scfwpr01.sc.intel.com:911 (squid/2.5.STABLE12)
> > X-Forwarded-For: unknown
> > Cache-Control: max-age=259200
> > Connection: keep-alive
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs

--
Jamie Riden / jamesr at ...3216... / jamie.riden at ...3217...
"Microsoft: Bringing the world to your desktop - and your desktop to
 the world." -- Peter Gutmann
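As an added illustration (not code from the thread or from the Snort project), the following Python models the three rule bodies discussed above, the shipping content:"cat%20" match, BP's webdist.cgi pcre proposal, and a URI-decoded word-boundary variant that is my own suggestion, and runs them over the requests quoted in the thread plus a constructed webdist.cgi placeholder line. It shows Jamie's point concretely: the tightened rule stops the music false positive but also stops seeing the awstats probe, while a decoded boundary match keeps both probes and drops the "Pussycat%20" hit.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines. The music request and the awstats
# probe are the ones quoted in the thread; the webdist.cgi line is a
# made-up placeholder that merely contains both tokens.
REQUESTS = {
    "music": "GET /private_music_archive/play/index.php?song=2538"
             "&name=/The%20Pussycat%20Dolls%20-%20Bite%20the%20Dust.mp3 HTTP/1.0",
    "webdist": "GET /cgi-bin/webdist.cgi?distloc=PLACEHOLDER%3bcat%20PLACEHOLDER HTTP/1.0",
    "awstats": "GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3b"
               "cat%20%3a%etc%3apasswd%20e_exp%3b%2500 HTTP/1.1",
}

# sid 1147 rev 7 as shipped: content:"cat%20"; nocase;
RULE_CONTENT = re.compile(r"cat%20", re.I)
# BP's proposal: pcre:"/webdist.cgi.+cat%20/i" (dot left unescaped as posted)
RULE_PCRE = re.compile(r"webdist.cgi.+cat%20", re.I)
# Added variant (my assumption, not from the thread): decode the URI first,
# then require a word boundary so "Pussycat " no longer counts as "cat ".
# Matching on the decoded form also survives encodings such as "%3bcat%20",
# where the raw text has the word character "b" right before "cat".
RULE_DECODED = re.compile(r"\bcat\s", re.I)


def matches(request: str) -> dict:
    """Return which of the three matchers fire on one request line."""
    return {
        "content": bool(RULE_CONTENT.search(request)),
        "pcre": bool(RULE_PCRE.search(request)),
        "decoded": bool(RULE_DECODED.search(unquote(request))),
    }


def evaluate(requests=REQUESTS) -> dict:
    """Run every matcher over every sample request."""
    return {name: matches(line) for name, line in requests.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        fired = [rule for rule, hit in hits.items() if hit] or ["none"]
        print(f"{name:8s} -> {', '.join(fired)}")
```

Snort's own HTTP preprocessor normalises URIs before uricontent matching, so the decoded variant corresponds to matching on the normalised buffer rather than the raw payload.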
