[Snort-users] [hoglund at ...1182...: Re: [HailstormUsers] Re: detecting successful attack from remote]

Fyodor fygrave at ...121...
Sat Jan 20 05:14:19 EST 2001


something that might be of some interest for users here :)

----- Forwarded message from Greg Hoglund <hoglund at ...1182...> -----

From: "Greg Hoglund" <hoglund at ...1182...>
Date: Fri, 19 Jan 2001 15:51:56 -0800
To: <HailstormUsers at ...1183...>
Subject: Re: [HailstormUsers] Re: detecting successful attack from remote
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
Reply-To: HailstormUsers at ...1183...


Mark,

> Have you tried this trick against any of the commercial IDS products?
> If so, what were the results??
>

I haven't run embedded commands past IDS systems.  I know some of them have
string searches for things like '../../' and '/etc/passwd'.  However, I
don't know if they would catch something like the ping trick.  It seems
reasonable that they could detect meta-characters in context, but I don't
know if any support that feature right now.

A little browsing in the snort rules database shows some filters like:

content:"get //";
content:".html/......";
content: "../";
content: "..\\";
content:"ls%20-l";
content:"cat%20";
content:"etc/passwd";
content:"///cgi-bin";
content:"cgi-bin///";

In the particular attack I was running, I had to add the double-quotes in
order to fool the target cgi program:

http://<target>/scripts/target_dsi.exe?"hello2&ping%2010.0.0.19"


So maybe a snort rule for '?"' would have caught this.

Attempting to write a rule for 'ping' directly would be kind of foolish, in
my opinion, since embedded commands can be almost anything.  Yet, the use of
the %20 (space character) directly after the argument might be suspect.
Many cgi programs follow a given rule arg=value&arg=value.  This would be
completely specific to the deployment you're trying to protect, of course.

I didn't see any way to specify what was _good_ behavior in snort, and then
trigger on things that _don't_ match.  i.e., something like,

content:"%20"; bad_if_not_content:"\[A-Za-z]%20" ... (or whatever)

You could write a regex in Hailstorm to match something like that, but since
Hailstorm uses an embedded perl engine for the regex matching, it would not
be fast enough to be used in a _real_ IDS situation.  It's better just for
testing.

-Greg

----- End forwarded message -----

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
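The "define good behavior, alert on what doesn't match" idea sketched in the forwarded message, worked out as a small positive-model check over CGI query strings. This is an added example and not code from the original post, from Snort, or from Hailstorm; the parameter policy, the endpoint name and the sample request lines are constructed for illustration. It combines the raw `?"` content match from the message with a per-deployment model of arg=value pairs: any bare token, unknown parameter, shell metacharacter in a decoded value, or value outside its allowed pattern raises a reason.

```python
"""Added example: positive-model ("alert on what does NOT match good
behaviour") check for CGI query strings. Hypothetical code, not Snort's
or Hoglund's; the policy and sample traffic below are made up."""
import re
from urllib.parse import unquote_plus

# Shell metacharacters that should never survive decoding of a value
# for this (assumed) CGI program.
META = frozenset('"\'`;|&$<>(){}\n\r')

# Hypothetical per-deployment policy: parameter name -> pattern the fully
# decoded value must match. Parameters and shapes not listed are "bad".
POLICY = {
    "name": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "id": re.compile(r"[0-9]{1,10}"),
}


def check_query(query, policy=POLICY):
    """Return the reasons a query string is suspicious; [] means it fits the model."""
    reasons = []
    if query.startswith('"'):
        # The '?"' content match suggested in the post, applied to the raw string.
        reasons.append('query begins with a double quote (?")')
    for token in query.split("&"):
        if not token:
            continue
        if "=" in token:
            name, raw = token.split("=", 1)
        else:
            # Not arg=value at all: the shape of the ping trick.
            name, raw = None, token
            reasons.append(f"bare token without arg=value form: {token!r}")
        value = unquote_plus(raw)  # %20 and '+' both decode to a space
        meta = sorted(set(value) & META)
        if meta:
            reasons.append(f"metacharacters {meta} in {name or 'bare token'}")
        if name is not None:
            rule = policy.get(name)
            if rule is None:
                reasons.append(f"unknown parameter {name!r}")
            elif not rule.fullmatch(value):
                reasons.append(f"value for {name!r} outside allowed pattern: {value!r}")
    return reasons


def check_request_line(line, policy=POLICY):
    """Pull the query string out of an HTTP request line and check it."""
    parts = line.split()
    target = parts[1] if len(parts) >= 2 else ""
    query = target.split("?", 1)[1] if "?" in target else ""
    return check_query(query, policy)


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    "GET /scripts/target_dsi.exe?name=bob&id=42 HTTP/1.0",
    'GET /scripts/target_dsi.exe?"hello2&ping%2010.0.0.19" HTTP/1.0',
    "GET /scripts/target_dsi.exe?name=bob%20%7C%20cat%20/etc/passwd HTTP/1.0",
    "GET /scripts/target_dsi.exe?name=bob+smith&debug=1 HTTP/1.0",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = check_request_line(req)
        print(req)
        for reason in verdict:
            print("   ALERT:", reason)
        if not verdict:
            print("   ok")
```

Only the first sample request passes; the ping-trick request trips the `?"` check, two bare-token checks and the metacharacter check at once, while the third and fourth requests are caught purely by the policy (a `|` in a decoded value, a space inside a name, an undeclared `debug` parameter) without any signature for `ping`, `cat` or `/etc/passwd`. For Snort itself, later 2.x releases added the `pcre` option with `!` negation, which gives the "bad if not matching" form the message wished for, at the cost the message also notes: regex matching on every packet is far more expensive than a fixed `content:` search.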
