[Snort-users] Why content and not uricontent?

Holger Mense holger at ...13256...
Tue Apr 12 14:45:16 EDT 2005


Hi,

I am writing a bachelor thesis about NID in general and Snort in particular.
Therefore I played around with Snort and HTTP evasion. For testing purposes I
used the phf attack, which is triggered by Snort with this rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf
arbitrary command execution attempt"; flow:to_server,established;
uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a";
reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067;
classtype:web-application-attack; sid:1762; rev:5;)


When using the following string, snort didn't notice the attack:

/cgi/bin/phf?Q%61lias=x%0a/bin/cat%20/etc/passwd


I just did a hex encoding of the letter "a" in "Qalias". I solved this by
using uricontent="QALIAS" in the original rule.

Now I am curious. Can someone explain to me whether there are any reasons for
using content over uricontent?

Thanks, Holger


P.S.: Yes, I know that there is another rule which will detect my string.
However, this rule alerts on every (normal) use of phf. And I also know that the
phf exploit is rather old. Like I said, I am just curious.

-- 
Holger Mense
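
The behaviour described in the message above, as an added example that is not part of the original post and is not Snort code. It is a simplified model that assumes "content" is matched against the raw payload and "uricontent" against a percent-decoded copy of the URI; the function names, the rule variants other than sid 1762, and the request lines are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Constructed request lines; the first URI is the one quoted in the post.
ENCODED = b"GET /cgi/bin/phf?Q%61lias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"
PLAIN = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"

# Rule options as (keyword, pattern, nocase) triples.
SID_1762 = [("uricontent", b"/phf", True), ("content", b"QALIAS", True),
            ("content", b"%0a", False)]
POSTER_FIX = [("uricontent", b"/phf", True), ("uricontent", b"QALIAS", True),
              ("content", b"%0a", False)]
ALL_URICONTENT = [("uricontent", b"/phf", True), ("uricontent", b"QALIAS", True),
                  ("uricontent", b"%0a", False)]

def buffers(request):
    """Return the two buffers of the model: raw payload and decoded URI."""
    uri = request.split(b" ", 2)[1]
    return {"content": request, "uricontent": unquote_to_bytes(uri)}

def option_hits(rule, request):
    """Evaluate each option against the buffer its keyword selects."""
    bufs = buffers(request)
    hits = []
    for keyword, pattern, nocase in rule:
        buf = bufs[keyword]
        if nocase:
            buf, pattern = buf.lower(), pattern.lower()
        hits.append(pattern in buf)
    return hits

def alerts(rule, request):
    """A rule fires only when every option matches."""
    return all(option_hits(rule, request))

if __name__ == "__main__":
    for name, rule in [("sid 1762", SID_1762), ("poster's fix", POSTER_FIX),
                       ("all uricontent", ALL_URICONTENT)]:
        print(f"{name:15} plain={alerts(rule, PLAIN)} "
              f"encoded={alerts(rule, ENCODED)} hits={option_hits(rule, ENCODED)}")
```

In this model the literal "%0a" exists only in the raw payload, so moving that option to uricontent makes the rule miss both requests; how a real sensor treats it depends on its HTTP normalization settings.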