[Snort-users] My first rule on the way :)

Jan-Frode Myklebust janfrode at ...105...
Tue Jul 25 08:09:38 EDT 2000


On Tue, Jul 25, 2000 at 03:53:50AM -0700, Dan Hollis wrote:
> On Tue, 25 Jul 2000, Jan-Frode Myklebust wrote:
> > The signature of it is something like:
> > "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/command"
> > but the arguments to the cgi-script might come in a different order, so what
> > I would like to catch is packets with
> > "GET /cgi-bin/infosrch.cgi?" and then "fname=|".
> > Is that possible without writing one rule for every combination of the
> > argument line, or should I just match on "fname=|" within depth=X?
> 
> Snort should probably have a feature added to allow chaining rules
> together. This would allow to do what you want. This would also allow for
> arbitrarily complex rules, and if properly used could probably cut down on
> the number of false positives.
> 

OK, I see that there are several similar rules that are based on single
keywords like "php.cgi?/", "/handler" etc.

I just submitted this rule to the arachNIDS:

# In Snort's content option the "|" character delimits hex bytes, so a bare
# pipe makes the rule fail to parse; the literal pipe is written as |7C|.
# offset: 26 starts the search just past "GET /cgi-bin/infosrch.cgi?".
alert tcp any any -> $HOME_NET 80 (msg: "SGI-InfoSearch-fname-attack";
content: "fname=|7C|"; flags: AP; offset: 26;)

   -jf
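The order-independent match the post asks about, as an added example that is not part of the original thread and not Snort code: a small Python checker run over constructed request lines, which also flags the percent-encoded form of the pipe that a literal content match does not see.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample request lines (not captured traffic): the pattern from
# the thread, the same arguments in another order, a percent-encoded pipe,
# and a benign request for comparison.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/command HTTP/1.0",
    "GET /cgi-bin/infosrch.cgi?fname=|/bin/command&db=man&cmd=getdoc HTTP/1.0",
    "GET /cgi-bin/infosrch.cgi?db=man&fname=%7C/bin/command&cmd=getdoc HTTP/1.0",
    "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=intro HTTP/1.0",
]


def single_content_match(request_line, offset=26):
    """Mimic the posted rule: look for the literal 'fname=|' starting at
    byte 26 of the payload, i.e. just past 'GET /cgi-bin/infosrch.cgi?'."""
    return "fname=|" in request_line[offset:]


def infosrch_pipe_attempt(request_line):
    """Order-independent check: the request targets infosrch.cgi and the
    decoded fname argument begins with a pipe, whatever the argument order.
    parse_qs percent-decodes values, so %7C is treated like a literal '|'."""
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "GET":
        return False
    url = urlsplit(parts[1])
    if url.path != "/cgi-bin/infosrch.cgi":
        return False
    args = parse_qs(url.query, keep_blank_values=True)
    return any(value.startswith("|") for value in args.get("fname", []))


def compare(requests):
    """Return (rule_style_hit, parsed_hit) per request for side-by-side review."""
    return [(single_content_match(r), infosrch_pipe_attempt(r)) for r in requests]


if __name__ == "__main__":
    for line, (rule_hit, parsed_hit) in zip(SAMPLE_REQUESTS, compare(SAMPLE_REQUESTS)):
        print(f"rule={rule_hit!s:5} parsed={parsed_hit!s:5} {line}")
```

The third sample shows the gap a single literal content match leaves: the reordered arguments are caught only because the offset happens to land before them, while the encoded pipe is missed entirely.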