[Snort-users] WEB-ATTACKS mail command attempt

Ricardo Pires pires-ricardo at ...1836...
Thu Sep 4 14:19:05 EDT 2003


Hello all,

I was wondering about the "WEB-ATTACKS mail command attempt" rule.
I think we could prevent false positives in this case. The rule searches for
the mail string followed by a space.
But as I could understand, this attack will only work if the attacker puts
the entire path of the mail bin.

So, we might use the rule like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail%20"; nocase; sid:1367; classtype:web-application-attack; rev:4;)

instead of this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; sid:1367; classtype:web-application-attack; rev:4;)

I was looking at the log files and I'm having these false positives. The
packet is pointing to somewhere in the web page that says something like
"send mail to..."
Do you think putting the whole path could prevent this false positive?

Thanks
Ricardo Pires
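A way to check the reasoning above, as an added example that is not part of the original message: a small Python helper that mimics Snort's case-insensitive `content` match and runs both rule variants over constructed HTTP requests. The request payloads and their names are made up for illustration.

```python
"""Compare the two Snort `content` patterns from the post against constructed
HTTP request payloads (added example, not from the original post).

Snort's `content:"...";nocase;` is a case-insensitive substring match on the
packet payload; content_matches() mimics only that behaviour."""

# Constructed sample payloads (not captured traffic).
SAMPLE_REQUESTS = {
    "benign_contact_page": "GET /contact.html?note=send%20mail%20to%20us HTTP/1.1\r\n"
                           "Host: www.example.com\r\n\r\n",
    "benign_mixed_case": "GET /help?q=Please%20Mail%20me HTTP/1.1\r\n"
                         "Host: www.example.com\r\n\r\n",
    "suspicious_full_path": "GET /cgi-bin/form.cgi?cmd=/bin/mail%20root HTTP/1.1\r\n"
                            "Host: www.example.com\r\n\r\n",
    "unrelated": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

# The two `content` values discussed in the post.
RULES = {
    "original (rev 4)": "mail%20",
    "proposed (full path)": "/bin/mail%20",
}


def content_matches(payload: str, pattern: str, nocase: bool = True) -> bool:
    """Mimic a single Snort `content` option, with optional `nocase`."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def evaluate(requests=SAMPLE_REQUESTS, rules=RULES) -> dict:
    """Return {rule_name: sorted names of the requests that would alert}."""
    return {
        name: sorted(req for req, payload in requests.items()
                     if content_matches(payload, pattern))
        for name, pattern in rules.items()
    }


if __name__ == "__main__":
    for rule, hits in evaluate().items():
        print(f"{rule:22s} -> {hits}")
```

The narrower pattern drops the "send mail to" page hits but also stops alerting on any request that names `mail` without the full path, which is the trade-off the tuning makes.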
