[Snort-sigs] Improve to BACKDOOR c99shell.php command request

Guise McAllaster guise.mcallaster at ...2420...
Thu Jan 21 11:17:33 EST 2010


Hello. Can I make more suggestions about rules?



This one, SID 12077, has good intentions and I like it, but it is not
skillfully crafted.  Here it is now in backdoor.rules:



alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BACKDOOR
c99shell.php command request"; flow:established,to_server;
content:"act=";
pcre:"/act=(cmd|search|upload|about|encoder|bind|ps_aux|ftpquickbrute|security|sql|eval|feedback|selfremove|fsbuff|ls|phpinfo)/smi";
reference:url,vil.nai.com/vil/content/v_136948.htm;
classtype:policy-violation; sid:12077; rev:2;)



What if we change it to look in the URI buffer (I see a false positive now
because of the Referer header) and make changes so that things such as
'react=about' don't trigger this alert?



alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BACKDOOR
c99shell.php command request"; flow:established,to_server;
uricontent:"act="; nocase;
pcre:"/[&\?]act=(cmd|search|upload|about|encoder|bind|ps_aux|ftpquickbrute|security|sql|eval|feedback|selfremove|fsbuff|ls|phpinfo)/Ui";
reference:url,vil.nai.com/vil/content/v_136948.htm;
classtype:policy-violation; sid:12077; rev:3;)



The more I look at the Snort rules supplied by SourceFire, the more I
see a lot of room to improve performance and reduce false positives.
(Please don't flame me, I'm just stating the truth, not trying to be
mean.)  Perhaps VRT will hire someone to just go over the existing
rules and make them better?  If you let me work from France, I might
be willing to fill such a position....



Guise



