[Snort-users] My first rule on the way :)

Jan-Frode Myklebust janfrode at ...105...
Tue Jul 25 05:53:28 EDT 2000


Hi, 

after seeing that Max Vision is doing a survey on why so few users have
submitted signatures for the arachNIDS database, I started looking into
writing one for the recent sgi InfoSearch fname Vulnerability
<http://securityfocus.com/vdb/bottom.html?vid=1031> /
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0207>.

The signature of it is something like:

"GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/command"

but the arguments to the cgi-script might come in a different order, so what
I would like to catch is packets with

"GET /cgi-bin/infosrch.cgi?" and then "fname=|".

Is that possible without writing one rule for every combination of the
argument line, or should I just match on "fname=|" within depth=X?

I was thinking of maybe adding a rule to catch all '=|' from the cgi-scripts,
that would probably catch a few other cgi-exploits as well (old or new).


  -jf
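Added example, not part of the original post and not a Snort rule from the arachNIDS database: in current Snort versions several content options in one rule are all required to match, so a single rule carrying both content:"/cgi-bin/infosrch.cgi?"; and content:"fname=|"; covers any argument order without a rule per permutation. The Python below does the same two-part check over constructed request lines (no captured traffic), and also shows the broader "any cgi-bin parameter beginning with |" check the post suggests. The request lines, the parse_request_line helper and the function names are assumptions for this illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Script path the signature is anchored on (from the post).
INFOSRCH_PATH = "/cgi-bin/infosrch.cgi"

# Constructed sample request lines (not real traffic): the classic ordering,
# a reordered argument list, a URL-encoded pipe, a benign infosrch request,
# an unrelated cgi-bin script with a pipe argument, and a static page.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/id HTTP/1.0",
    "GET /cgi-bin/infosrch.cgi?fname=|/bin/id&db=man&cmd=getdoc HTTP/1.0",
    "GET /cgi-bin/infosrch.cgi?cmd=getdoc&fname=%7C/bin/id HTTP/1.0",
    "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=ls HTTP/1.0",
    "GET /cgi-bin/other.cgi?file=|/bin/id HTTP/1.0",
    "GET /index.html HTTP/1.0",
]


def parse_request_line(line):
    """Split 'METHOD target VERSION' into (method, path, [(name, value), ...]).

    Returns None for lines that do not carry at least a method and a target.
    parse_qsl also decodes percent-encoding, so %7C is seen as '|'.
    """
    parts = line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    return method, url.path, params


def infosrch_pipe_in_fname(line):
    """Order-independent check for the InfoSearch fname pattern:
    the infosrch.cgi path AND an fname value that begins with '|'."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    _method, path, params = parsed
    return path == INFOSRCH_PATH and any(
        name == "fname" and value.startswith("|") for name, value in params
    )


def any_cgi_pipe_argument(line):
    """Broader check from the post: any /cgi-bin/ script handed a parameter
    whose value begins with '|' (the '=|' pattern), whatever the parameter."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    _method, path, params = parsed
    return path.startswith("/cgi-bin/") and any(
        value.startswith("|") for _name, value in params
    )


def scan(lines):
    """Run both checks over a list of request lines; returns one
    (line, specific_hit, broad_hit) tuple per line."""
    return [(line, infosrch_pipe_in_fname(line), any_cgi_pipe_argument(line))
            for line in lines]


if __name__ == "__main__":
    for line, specific, broad in scan(SAMPLE_REQUESTS):
        print(f"infosrch={specific!s:5} any_cgi_pipe={broad!s:5}  {line}")
```

The parser-based check decodes %7C before comparing, which a raw content match on the literal bytes "fname=|" does not; keep that in mind when choosing between a single content string and a parsed check for this pattern.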



