[Snort-users] WEB-ATTACKS mail command attempt

Erek Adams erek at ...950...
Thu Sep 4 22:05:05 EDT 2003


On Thu, 4 Sep 2003, Ricardo Pires wrote:

[...snip...]

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS
> mail command attempt"; flow:to_server,established;
> content:"/bin/mail%20";nocase; sid:1367; classtype:web-application-attack;
> rev:4;)
>
> instead of this:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS
> mail command attempt"; flow:to_server,established; content:"mail%20";nocase;
> sid:1367; classtype:web-application-attack; rev:4;)
>
> I was looking at the log files and I'm having these false positives. The
> packet is pointing to somewhere in the web page that says something like
> "send mail to..."
> Do you think putting the whole path could prevent this false positive ?

What if the attacker used a relative path?  "../../../../../usr/bin/mail "
Or "./mail "?  Or if it was just along the path "mail "?

There's a good and bad side to everything.  :)  You might want to consider
adding an exclude for the servers that are causing the falsies.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
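To make the trade-off in the exchange above concrete, here is a small model of how Snort's `content` keyword (a plain substring test, case-insensitive under `nocase`) behaves with the two sid:1367 variants, run over constructed HTTP request lines covering the shapes mentioned in the thread plus the "send mail to..." page that produced the false positive. This is added example code, not Snort itself and not code from either poster; the request samples and the server addresses are made up, and the exclusion set is a stand-in for whatever mechanism (a narrower `$HTTP_SERVERS`, a pass rule) one would actually use to skip the noisy hosts.

```python
"""
Model of Snort 'content' matching for the two sid:1367 variants discussed
above, run over constructed HTTP request lines.  Example code only: not
Snort, not from the thread; samples and addresses are invented.
"""

# Constructed sample requests: name -> (destination server, raw request line).
# None of these are real traffic.
SAMPLES = {
    "absolute": ("10.0.0.10", "GET /cgi-bin/x.cgi?cmd=/bin/mail%20root HTTP/1.0"),
    "relative": ("10.0.0.10", "GET /cgi-bin/x.cgi?cmd=../../../../../usr/bin/mail%20root HTTP/1.0"),
    "dotslash": ("10.0.0.10", "GET /cgi-bin/x.cgi?cmd=./mail%20root HTTP/1.0"),
    "bare":     ("10.0.0.10", "GET /cgi-bin/x.cgi?cmd=mail%20root HTTP/1.0"),
    # The benign page from the thread: a form field saying "Send mail to ...".
    "benign":   ("10.0.0.20", "GET /contact.html?text=Send%20mail%20to%20the%20webmaster HTTP/1.0"),
}

RULE_PATH = "/bin/mail%20"   # content: from the first (full-path) rule
RULE_BARE = "mail%20"        # content: from the second (short) rule


def content_match(payload: str, content: str, nocase: bool = True) -> bool:
    """Snort 'content' is a substring test; 'nocase' makes it case-insensitive."""
    if nocase:
        return content.lower() in payload.lower()
    return content in payload


def evaluate(content: str, excluded_servers=frozenset()) -> dict:
    """Return {sample name: alert?} for one content pattern.

    Requests to a server in excluded_servers never alert: this stands in for
    taking the host out of $HTTP_SERVERS or writing a pass rule for it
    (an assumption of this example, not a specific Snort directive).
    """
    results = {}
    for name, (dst, request) in SAMPLES.items():
        if dst in excluded_servers:
            results[name] = False
            continue
        results[name] = content_match(request, content)
    return results


def alerted(content: str, excluded_servers=frozenset()) -> set:
    """Names of the samples that would raise an alert."""
    return {name for name, hit in evaluate(content, excluded_servers).items() if hit}


if __name__ == "__main__":
    for label, content in (("full path", RULE_PATH), ("short", RULE_BARE)):
        print(f"{label:9} {content!r:16} alerts on: {sorted(alerted(content))}")
    print("short, 10.0.0.20 excluded:", sorted(alerted(RULE_BARE, {"10.0.0.20"})))
```

Running it shows the two sides of the trade-off: the full-path content misses the `./mail` and bare `mail` shapes (it still catches the `../../usr/bin/mail` form, because `/usr/bin/mail%20` contains `/bin/mail%20` as a substring), while the short content catches every attack shape and also the benign "Send mail to" request, which only goes away once that server is excluded.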
