[Snort-users] ftp glob rule

Brian Caswell bmc at ...312...
Sat Apr 21 10:06:57 EDT 2001


Max Vision wrote:
> 
> Hi,
> 
> I published IDS487 on March 16 to detect this,
> http://whitehats.com/info/IDS487
> 
> My rule catches all variations of the attack and should not false positive
> or false negative.
> 
> Question: you have multiple content rules that are the same string, does
> snort really discern that these are separate strings to be detected, or
> will each one consider the entire payload (therefore meaning that the
> second two are redundant)?  My rule watches for "|2f2a|".

The reason I use multiple separate |2f| |2a| is that all of those can be
easily bypassed.

using LIST *?/?*?/?*?/?*?/?*?/*?*/ or STAT A*/../A*/../A*/ work.

The second version is from the freebsd exploit from venglin.  searching
for /* doesn't catch either of those two examples.  I tried |2f2a| and I
see that false positive quite a bit.  If we really wanted to get nitty
gritty, if you build a directory structure beforehand, you could really
screw with someone's head.  For example, STAT A?B/../C*D/../D*F/../  From
playing around with the venglin exploit for a while last night, I found
you must use / and you must use * to cause issues.  Using the regex ?
does not seem to have the effect.

I just false negatived on my rule.  HRPMF.  Marty, you need to fix your
implementation regex:"";  Now would be a great time for
regex:"|2a|*|2f|*|2a|*|2f|";

-- 
Brian Caswell
The MITRE Corporation
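As an added illustration (not code from this thread or from Snort itself), the following Python compares a plain |2f 2a| content match against a pattern equivalent to the suggested regex:"|2a|*|2f|*|2a|*|2f|" over constructed FTP command lines, including the STAT variants quoted in the message, to show which rule fires on which input:

```python
import re

# Constructed sample FTP command lines: the STAT variants quoted in the
# message plus benign traffic. These are test inputs, not captured data.
SAMPLE_COMMANDS = [
    "STAT A*/../A*/../A*/",
    "STAT A?B/../C*D/../D*F/../",
    "LIST /*",
    "LIST /home/user",
    "RETR /pub/file.txt",
    "STAT *",
]

def contains_slash_star(cmd: str) -> bool:
    """Equivalent of a single Snort content:"|2f 2a|" match, i.e. the
    two adjacent bytes '/' and '*' anywhere in the payload."""
    return "/*" in cmd

# In Snort's old regex option '*' is a wildcard, so "|2a|*|2f|*|2a|*|2f|"
# means: a literal '*', anything, '/', anything, '*', anything, '/'.
# The Python equivalent escapes the literal stars and uses '.*' as wildcard.
GLOB_PATTERN = re.compile(r"\*.*/.*\*.*/")

def matches_glob_pattern(cmd: str) -> bool:
    """True when the payload holds two '*' glob characters, each followed
    later by a '/', which is the shape of the expanding patterns discussed."""
    return GLOB_PATTERN.search(cmd) is not None

def evaluate(commands):
    """Map each command to (content_hit, regex_hit) so the two rules can be
    compared side by side on the same inputs."""
    return {c: (contains_slash_star(c), matches_glob_pattern(c)) for c in commands}

if __name__ == "__main__":
    for cmd, (content_hit, regex_hit) in evaluate(SAMPLE_COMMANDS).items():
        print(f"{cmd!r:35} content=/*:{content_hit!s:5} regex:{regex_hit}")
```

The STAT variants never contain the adjacent bytes '/' '*', so the single content match misses them while the two-star pattern fires; a lone "LIST /*" shows the opposite, the content match firing on ordinary traffic.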