[Snort-sigs] Snort-sigs Digest, Vol 106, Issue 20

John York YorkJ at ...855...
Mon Mar 16 12:35:37 EDT 2015


Message: 1
Date: Mon, 16 Mar 2015 14:07:03 +0000
From: "Weir, Jason" <jason.weir at ...3410...>
Subject: [Snort-sigs] FP on 31977?
To: "'snort-sigs at lists.sourceforge.net'"
	<snort-sigs at lists.sourceforge.net>
Message-ID:
	<1F90BD115BC8E9418EB95499E371CF2707E3A039 at ...4025...>
Content-Type: text/plain; charset="us-ascii"

Getting hits on 31977 via the GET below - I believe they are false.

GET /services/obituaries.ashx?IncludeSidebar=0&Name=Debra Jones Obituary&String=r. Memorial Home, Franklin-Tilton Road, 584 West Main St., in Tilton. Deb's family requests that those wishing, may make contributions in her name to ;(function() { var adKeyValue = 't='; adKeyValue                += escape('clio=MAW'); adKeyValue += escape('&cobrand=concordmonitor'); adKeyValue += escape('&linktext=The Make-A-Wish Foundation'); adKeyValue += escape('&linkurl=http://ad.doubleclick.net/ddm/clk/286988598%3B113956851%3Bl'); adKeyValue += escape('&fn=Debra'); adKeyValue += escape('&ln=Jones'); var adClkUrl = 'http://pubads.g.doubleclick.net/gampad/jump?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&' + adKeyValue + '&sz=1x1&c=537810296'; var adImpUrl = 'http://pubads.g.doubleclick.net/gampad/ad?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&' + adKeyValue + '&sz=1x1&c=537810296'; document.write(" The Make-A-Wish Foundation "); }()); The Make-A-Wish Foundation of New Hampshire, 814 Elm St., Suite 300, Manchester, NH 03101. For more information go to smartfuneralhome.com.&location=http://www.legacy.com/obituaries/concordmonitor/obituary.aspx?n=debra-ann-jones-ross&pid=174389739&fhid=13973&randomlabel=ga38770210180839515&published=Sat Mar 14 2015 00:00:00 GMT-0400 (Eastern Daylight Time) HTTP/1.1

Looks like the function() { is what is triggering the rule.

Current rule

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:4;)

Will adding content:!" function() " break things?

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:!" function() "; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:5;)

Jason


I had lots of FPs on this rule when I had problems with my $HOME_NET variable (was effectively ANY).  There are lots of screwy web apps that trigger the rule.  There were several different versions of screwy web app, so it would be hard to fix the rule for all of them.  When I set my variables so the rule only checked incoming traffic to my servers and ignored outgoing browsing, the FPs went away.
Thanks
John




More information about the Snort-sigs mailing list