[Snort-users] [hoglund at ...1182...: Re: [HailstormUsers] Re: detecting successful attack from remote]
fygrave at ...121...
Sat Jan 20 05:14:19 EST 2001
something that might be of some interest for users here :)
----- Forwarded message from Greg Hoglund <hoglund at ...1182...> -----
From: "Greg Hoglund" <hoglund at ...1182...>
Date: Fri, 19 Jan 2001 15:51:56 -0800
To: <HailstormUsers at ...1183...>
Subject: Re: [HailstormUsers] Re: detecting successful attack from remote
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
Reply-To: HailstormUsers at ...1183...
> Have you tried this trick against any of the commercial IDS products?
> If so, what were the results??
I haven't run embedded commands past IDS systems. I know some of them have
string searches for things like '../../' and '/etc/passwd'. However, I
don't know if they would catch something like the ping trick. It seems
reasonable that they could detect meta-characters in context, but I don't
know if any support that feature right now.
A little browsing in the snort rules database shows some filters like:
In the particular attack I was running, I had to add the double-quotes in
order to fool the target cgi program:
So maybe a snort rule for '?"' would have caught this.
Attempting to write a rule for 'ping' directly would be kind-of foolish, in
my opinion, since embedded commands can be almost anything. Yet, the use of
the %20 (space character) directly after the argument might be suspect.
Many cgi programs follow a given rule arg=value&arg=value. This would be
completely specific to the deployment you're trying to protect, of course.
I didn't see any way to specify what was _good_ behavior in snort, and then
trigger on things that _don't_ match. i.e., something like,
content:"%20"; bad_if_not_content:"\[A-Za-z]%20" ... (or whatever)
You could write a regex in Hailstorm to match something like that, but since
Hailstorm uses an embedded perl engine for the regex matching, it would not
be fast enough to be used in a _real_ IDS situation. It's better just for
----- End forwarded message -----
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
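A detector in the spirit of the allow-list idea in the forwarded message (model the expected arg=value&arg=value shape of a query string and alert on whatever does not fit, rather than matching 'ping' or '../'). This is an added example, not code from the thread, from Snort or from Hailstorm; the parameter names, the per-parameter patterns and the sample query strings are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Characters a shell treats specially; any of these in a decoded value is suspect.
SHELL_METACHARS = set(';|&`$(){}<>"\'\\\n')

# Positive model of this (hypothetical) deployment: what a legitimate value for
# each expected parameter looks like. Tuned per site; these are constructed.
ALLOWED_VALUES = {
    "host": re.compile(r"[A-Za-z0-9.-]{1,253}"),   # a hostname: no spaces, no quotes
    "page": re.compile(r"[A-Za-z0-9_]{1,32}"),
}


def check_query(query: str) -> list:
    """Return (param, reason) findings for one raw (still URL-encoded) query string.

    Reasons: "no-separator", "unexpected-parameter", "metacharacters" (a shell
    metacharacter or whitespace, e.g. a %22 or %20 right after the value) and
    "outside-allow-list" (no metacharacter, but not the shape we expect either).
    """
    findings = []
    for pair in query.split("&"):
        name, sep, raw_value = pair.partition("=")
        if not sep:
            findings.append((name, "no-separator"))
            continue
        value = unquote_plus(raw_value)  # %20 -> ' ', %22 -> '"', '+' -> ' '
        rule = ALLOWED_VALUES.get(name)
        if rule is None:
            findings.append((name, "unexpected-parameter"))
            continue
        if rule.fullmatch(value):
            continue  # matches the positive model: nothing to report
        if any(c in SHELL_METACHARS or c.isspace() for c in value):
            findings.append((name, "metacharacters"))
        else:
            findings.append((name, "outside-allow-list"))
    return findings


# Constructed sample query strings (not taken from the thread).
SAMPLES = {
    "benign": "host=www.example.com&page=index",
    "quote-and-space": "host=www.example.com%22%20command&page=index",
    "traversal": "page=..%2F..%2Fetc%2Fpasswd",
}

if __name__ == "__main__":
    for label, q in SAMPLES.items():
        print(label, check_query(q))
```

Because the allow-list describes good values, the traversal sample is flagged without any '../' signature, which is the point the message makes about positive matching.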