[Snort-users] Stupid rule question

Fyodor fygrave at ...121...
Mon Mar 26 15:22:52 EST 2001


On Mon, Mar 26, 2001 at 11:50:24AM -0700, Ryan Russell wrote:
> So, I'm looking at some of the rules on the snort.org site, and there are
> several like this under the WEB-MISC category:
> 
> alert tcp $EXTERNAL_NET 80 -> $HTTP_SERVERS any (msg:"WEB-MISC telnet
> attempt";flags: A+; content:"telnet.exe"; nocase;)
> 
> My question has to do with the port numbers.  If I'm reading this right,
> the rule is looking for packets from outside, from TCP port 80, to your
> web servers, on any port.  By my thinking, this implies your web servers
> acting as web clients to outside machines.  And, it's looking for
> telnet.exe in the content, implying that your web server has downloaded a
> page with that in it.  I'm not even sure what exploit this would be for...
> any client-side holes I would expect to use telnet:// instead.
> 
> If the any and 80 were reversed, it would make sense to me... it would be
> watching for an attempt to call telnet.exe on your web server.
> 
> What am I misunderstanding?


Unless the port number is misplaced (i.e. the right way to have this rule would
be 'alert tcp $EXTERNAL any -> $HTTP_SERVERS 80 (..)'), the purpose of this rule
is not clear to me either. IMHO there are possibilities that someone from outside
may want to exec reverse telnet on your webserver and pipe something to it, but...

Hmm.. a few things which I could think of are:

* your firewall is misconfigured and allows port 80 connections in both
directions; you may want to see if anyone from outside will use port 80 as
source and attempt to connect to your webserver (why only webserver then? :))
and launch reverse telnet or something.. still kinda dodgy model, cuz you
probably would want to fix your firewall first in this case. :)

* someone will use your http server to bounce requests to some other server where
he would be able to exec telnet.exe (and the binary name will be in HTTP headers),
and you want to see it as well, but it sounds kinda far-fetched to me; I don't remember
any real-world vulnerabilities matching this pattern. :)


if it helps.. :)
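The direction question in this thread can be checked mechanically. The script below is an added illustration, not code from the thread or from Snort: it parses the rule header of the WEB-MISC rule as posted and of the corrected header Fyodor suggests, then tests both against two constructed flows (an outside client connecting to the web server on port 80, and the web server fetching a page from an outside site). The variable bindings and IP addresses are made-up sample values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed variable bindings (a real snort.conf would set these differently).
VARS = {
    "$EXTERNAL_NET": ["0.0.0.0/0"],     # simplified: anything
    "$HTTP_SERVERS": ["192.0.2.10/32"],  # our one web server
}

# action proto src sport direction dst dport ( ...options... )
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")

def parse_header(rule):
    """Split a Snort rule header into its fields (options are ignored)."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a Snort rule header: %r" % rule)
    keys = ("action", "proto", "src", "sport", "direction", "dst", "dport")
    return dict(zip(keys, m.groups()))

def addr_matches(spec, ip):
    if spec == "any":
        return True
    return any(ip_address(ip) in ip_network(n) for n in VARS.get(spec, [spec]))

def port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                      # Snort range syntax, e.g. 1024: or :1023
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def matches(rule, src_ip, src_port, dst_ip, dst_port):
    """True if the rule header matches the given 5-tuple (TCP assumed)."""
    h = parse_header(rule)
    fwd = (addr_matches(h["src"], src_ip) and port_matches(h["sport"], src_port)
           and addr_matches(h["dst"], dst_ip) and port_matches(h["dport"], dst_port))
    if h["direction"] == "<>":           # bidirectional: also try the reverse
        return fwd or (addr_matches(h["src"], dst_ip) and port_matches(h["sport"], dst_port)
                       and addr_matches(h["dst"], src_ip) and port_matches(h["dport"], src_port))
    return fwd

ORIGINAL = 'alert tcp $EXTERNAL_NET 80 -> $HTTP_SERVERS any (msg:"WEB-MISC telnet attempt"; flags:A+; content:"telnet.exe"; nocase;)'
CORRECTED = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC telnet attempt"; flags:A+; content:"telnet.exe"; nocase;)'

# Constructed flows: (src_ip, src_port, dst_ip, dst_port)
CLIENT_TO_SERVER = ("198.51.100.7", 41234, "192.0.2.10", 80)     # outside client -> our web server
SERVER_AS_CLIENT = ("198.51.100.7", 80, "192.0.2.10", 41234)     # outside site -> our server acting as a client

def compare():
    """For each flow, (matches ORIGINAL, matches CORRECTED)."""
    flows = {"client_to_server": CLIENT_TO_SERVER, "server_as_client": SERVER_AS_CLIENT}
    return {name: (matches(ORIGINAL, *f), matches(CORRECTED, *f)) for name, f in flows.items()}
```

As posted, the rule only fires on traffic where the outside host is the one on port 80, i.e. the web server behaving as a client; swapping the ports makes it fire on an inbound request to the web server, which is the case Ryan expected.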
