[Snort-sigs] Sig 1147

Jason Brvenik jason.brvenik at ...435...
Fri May 26 05:04:36 EDT 2006


BassPlayer wrote:
> Sorry my mod_security killed my message. Resending....
> My point exactly but instead of not using the rule, which seems to be the
> default response when I ask about a rule, why not make it better so it
> traps only on the actual exploit.

The exploit referenced is but one of a class of command injections. It
really serves to provide information that someone is poking around
playing with command injection. Hopefully it gives you a chance to
respond before they find a real command injection.

> With my modded guardian script I can ignore individual sids but then I
> still see the alerts in my BASE console and they still take up log and DB
> space.

Any updates made to the rule would eliminate many other potential
exploitation vectors. This is not the only cgi to have ever been
vulnerable nor is maintaining a list of every cgi a practical thing to
do. The %20 is even a compromise as some scripts are invoked by shells
that still allow the use of IFS in insecure ways. Other scripts will
replace specific chars with a space in a misguided attempt to make them
safe so the exploit string becomes something like ;cat#/path/to/file

The rule is about as close as you can get to actual detection of the
class of vulnerabilities in a generic sense without being overly loose
in its application. For these classes of vulnerabilities there is
little that can be done to ensure perfect coverage short of writing a
rule for every exploit opportunity. There are other rules that are very
similar in applicability such as ones that look for id, rm... but you
would have to look for every potential command that can be executed in
every potential way to detect the class of vulnerabilities all the time
every time.

If you are confident that every cgi on your server is free of command
injection then turn it off. If you are not then leave it on and use pass
rules to handle _your_ _known_ false positive cases. Under rare
circumstances would it ever make sense to automatically block on a rule
such as this. Regardless of what you do any change to the rule will have
an effect on its effectiveness in one direction or the other favoring
false positives or negatives.

> I guess I should have been more concise and asked if there was a way to get
> the rule updated. What is the process for doing that?

There are several ways to ask for a change. One such way is exactly what
you have done, open a discussion on list. We monitor the lists and are
always looking for feedback and suggestions and it is great to see new
people getting involved and asking questions, often with great
suggestions resulting from the discussion.

Other ways to ask for a change are:

- Send an email to snort-team at ...435...
- Submit a new rule as a suggested replacement to the appropriate rules
category @ http://www.snort.org/reg-bin/rulesubmit.cgi
- Catch us on freenode in #snort

> 
> It would also be helpful if someone could tell me if the rule syntax would
> actually work.
> 
> Thanks
> BP
> 
> 
> BassPlayer wrote:
> 
>>Jamie Riden wrote:
>>
>>>Hi BP,
>>>
>>>There are lots of other circumstances in which you don't want a 'cat'
>>>command, e.g. with the awstats exploit, people will use cat/echo/id to
>>>test if a script is vulnerable. Something like this:
>>>
>>>GET /cgi-bin/?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%3a%etc%3apasswd%20e_exp%3b%2500 HTTP/1.1"
>>>
>>>However, the cat%20 rule does tend to generate a lot of false
>>>positives - for example at the vet department of the university I used
>>>to work at :) I wouldn't recommend blocking using it.
>>>
>>>cheers,
>>> Jamie
>>>
>>>On 26/04/06, BassPlayer <bassplayer at ...549...> wrote:
>>>
>>>>After checking the actual exploit here
>>>>
>>>>http://www.securityfocus.com/bid/374/exploit
>>>>
>>>>Wouldn't it be better to do
>>>>
>>>>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
>>>>cat%20 access"; flow:to_server,established;
>>>>pcre:"/webdist\.cgi.+cat%20/i"; reference:bugtraq,374;
>>>>reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)
>>>>
>>>>Please excuse my n00bness in rules writing.
>>>>
>>>>BP
>>>>
>>>>BassPlayer wrote:
>>>>
>>>>>Hi,
>>>>>Can this rule be tightened up a bit?
>>>>>
>>>>>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
>>>>>cat%20 access"; flow:to_server,established; content:"cat%20"; nocase;
>>>>>reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon;
>>>>>sid:1147; rev:7;)
>>>>>
>>>>>It's triggering on the following request which is my wife streaming
>>>>>music. She wasn't too happy when my modified guardian script autoblocked
>>>>>her :D.
>>>>>
>>>>>BP
>>>>>
>>>>>Generated by BASE v1.2.2 (cindy) on Tue, 25 Apr 2006 15:18:24 -0700
>>>>>
>>>>>------------------------------------------------------------------------------
>>>>>#(1 - 113755) [2006-04-25 07:35:06] [cve/1999-0039] [icat/1999-0039]
>>>>>[bugtraq/374]
>>>>>[local/1147] [snort/1147]  WEB-MISC cat%20 access
>>>>>IPv4: 143.183.121.1 -> 209.237.15.226
>>>>>      hlen=5 TOS=0 dlen=517 ID=43136 flags=0 offset=0 TTL=47 chksum=46826
>>>>
>>>>>TCP:  port=56372 -> dport: 80  flags=***AP*** seq=2968053703
>>>>>      ack=1992497194 off=8 res=0 win=5840 urp=0 chksum=57923
>>>>>      Options:
>>>>>       #1 - NOP len=0
>>>>>       #2 - NOP len=0
>>>>>       #3 - TS len=8 data=A0754FBD005A583E
>>>>>Payload: GET /private_music_archive/play/index.php?song=2538&uid=usersid=sid&ds=32&name=/The%20Pussycat%20Dolls%20-%20Bite%20the%20Dust.mp3 HTTP/1.0
>>>>>
>>>>>Accept: */*
>>>>>
>>>>>User-Agent: Windows-Media-Player/10.00.00.3990
>>>>>
>>>>>Host: www.angmar.com
>>>>>
>>>>>Cookie: amp_longsess=1; POSTNUKESID=mumble
>>>>>
>>>>>Via: 1.0 scfwpr01.sc.intel.com:911 (squid/2.5.STABLE12)
>>>>>
>>>>>X-Forwarded-For: unknown
>>>>>
>>>>>Cache-Control: max-age=259200
>>>>>
>>>>>Connection: keep-alive
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>-------------------------------------------------------
>>>>>Using Tomcat but need to do more? Need to support web services, security?
>>>>>Get stuff done quickly with pre-integrated technology to make your job easier
>>>>>Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
>>>>>http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>>>>>_______________________________________________
>>>>>Snort-sigs mailing list
>>>>>Snort-sigs at lists.sourceforge.net
>>>>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>>
>>>>>
>>>
>>>--
>>>Jamie Riden / jamesr at ...3216... / jamie.riden at ...3217...
>>>"Microsoft: Bringing the world to your desktop - and your desktop to
>>> the world." -- Peter Gutmann
>>>
>>
> 

-- 
Jason Brvenik - Sourcefire
PGP: 89C6 DE77 3B32 FC03 A5AE B5DD 11DF 4C8B 0D8E 3383
Key: http://cerberus.sourcefire.com/~jbrvenik/jason.brvenik.pgp.key
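To make the trade-off in the thread concrete, here is an added Python example (mine, not code from the list, Sourcefire or the Snort rule set). It runs the two rule variants discussed, the stock content:"cat%20" match of sid 1147 and BP's tightened webdist.cgi pcre, over the request lines quoted in the thread (the music stream and the awstats-style probe) plus two constructed strings: one shaped to satisfy the webdist pcre, and the ";cat#/path/to/file" variant Jason mentions where a script has swapped the space for another character. It also models a pass rule as a path-prefix exemption so the known false positive is suppressed without weakening the rule. The request strings marked constructed, the PASS_PREFIXES list and all function names are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Request lines quoted in the thread.
BENIGN_MUSIC = ("GET /private_music_archive/play/index.php?song=2538&uid=usersid=sid&ds=32"
                "&name=/The%20Pussycat%20Dolls%20-%20Bite%20the%20Dust.mp3 HTTP/1.0")
AWSTATS_PROBE = ("GET /cgi-bin/?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%3a%etc%3apasswd"
                 "%20e_exp%3b%2500 HTTP/1.1")
# Constructed: only the shape the proposed webdist.cgi pcre needs, not a real exploit string.
WEBDIST_SHAPED = "GET /cgi-bin/webdist.cgi?x=cat%20/path/to/file HTTP/1.0"
# Constructed: the ';cat#/path/to/file' form Jason describes, where the CGI replaced the space.
HASH_VARIANT = "GET /cgi-bin/some.cgi?arg=;cat#/path/to/file HTTP/1.0"


def sid1147_current(req):
    """content:"cat%20"; nocase;  -- plain case-insensitive substring match."""
    return "cat%20" in req.lower()


def sid1147_proposed(req):
    """pcre:"/webdist\\.cgi.+cat%20/i"; -- BP's tightened version."""
    return re.search(r"webdist\.cgi.+cat%20", req, re.IGNORECASE) is not None


def match_context(req, width=8):
    """Decode the URI and show the text around the first 'cat ' hit, to explain a false positive."""
    decoded = unquote(req)
    m = re.search(r"cat ", decoded, re.IGNORECASE)
    if not m:
        return None
    return decoded[max(0, m.start() - width):m.end() + width]


# Pass-rule analogue (assumed list): request paths known to be benign on this server.
# A pass rule is evaluated before the alert, so the alert never fires for these.
PASS_PREFIXES = ("/private_music_archive/",)


def request_path(req):
    """Extract the request-target from 'METHOD target HTTP/x.y'."""
    return req.split(" ", 2)[1]


def evaluate(req, rule=sid1147_current):
    """Return 'pass', 'alert' or None, mirroring pass -> alert rule ordering."""
    if any(request_path(req).startswith(p) for p in PASS_PREFIXES):
        return "pass"
    return "alert" if rule(req) else None


def coverage_table():
    """(current, proposed) verdict per sample: shows what tightening the rule gives up."""
    samples = [("music", BENIGN_MUSIC), ("awstats", AWSTATS_PROBE),
               ("webdist", WEBDIST_SHAPED), ("hash", HASH_VARIANT)]
    return {name: (sid1147_current(r), sid1147_proposed(r)) for name, r in samples}


if __name__ == "__main__":
    for name, (cur, prop) in coverage_table().items():
        print(f"{name:8} current={cur!s:5} proposed={prop!s:5}")
    print("music false positive comes from:", repr(match_context(BENIGN_MUSIC)))
    for req in (BENIGN_MUSIC, AWSTATS_PROBE, HASH_VARIANT):
        print(evaluate(req), request_path(req)[:40])
```

The table makes Jason's point directly: the tightened pcre drops the music false positive but also loses the awstats probe, which is the generic command-injection poking the rule exists to surface, while the pass prefix removes the same false positive with no loss of coverage. Neither variant sees the `;cat#` form, which is the "one direction or the other" cost he describes.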



