[Snort-users] Why content and not uricontent?
holger at ...13256...
Tue Apr 12 14:45:16 EDT 2005
I am writing a bachelor thesis about NID in general and Snort in particular.
Therefore I played around with snort and http evasion. For testing purposes I
used the phf attack, which is triggered by snort with this rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf arbitrary command execution attempt"; flow:to_server,established; uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a"; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:5;)
When using the following string, snort didn't notice the attack:
I just did a hex encoding of the letter "a" in "Qalias". I solved this
by using uricontent:"QALIAS" in the original rule.
Now I am curious. Can someone explain to me whether there are any reasons for using
content over uricontent?
P.S.: Yes, I know that there is another rule which will detect my string.
However, this rule alerts on every (normal) use of phf. And I also know that the
phf exploit is rather old. Like I said, I am just curious.
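As an added illustration (not part of the post or of Snort itself), a small Python model of the difference the poster ran into: content searches the raw packet payload, while uricontent searches the URI after the http_inspect preprocessor has normalized it, so a percent-encoded letter defeats the first but not the second. The normalizer (single-pass percent-decoding only) and the rule evaluation are simplified assumptions, and the two sample requests are constructed.

```python
from urllib.parse import unquote_to_bytes

# Pattern fragments taken from the sid:1762 rule quoted in the post.
URI_PATTERN = b"/phf"   # uricontent:"/phf"; nocase;
QALIAS = b"QALIAS"      # content:"QALIAS"; nocase;  (the poster moved this to uricontent)
NEWLINE_ENC = b"%0a"    # content:"%0a"; the literal three bytes, no nocase


def normalize_uri(raw_uri: bytes) -> bytes:
    """Simplified stand-in for http_inspect URI normalization (assumption):
    single-pass percent-decoding only. The real preprocessor also handles
    double encoding, path canonicalization, etc., which do not matter here."""
    return unquote_to_bytes(raw_uri)


def content_match(pattern: bytes, buffer: bytes) -> bool:
    """content/uricontent with the nocase modifier: case-insensitive substring."""
    return pattern.lower() in buffer.lower()


def rule_fires(request: bytes, qalias_via_uricontent: bool) -> bool:
    """Evaluate the phf rule against one raw HTTP request.
    False: original rule, QALIAS checked with content against the raw payload.
    True:  poster's fix, QALIAS checked with uricontent against the normalized URI."""
    request_line = request.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    if len(fields) < 2:
        return False
    norm_uri = normalize_uri(fields[1])
    if not content_match(URI_PATTERN, norm_uri):     # uricontent:"/phf"
        return False
    qalias_buffer = norm_uri if qalias_via_uricontent else request
    if not content_match(QALIAS, qalias_buffer):
        return False
    return NEWLINE_ENC in request                    # content:"%0a" on the raw payload


# Constructed sample requests (not captured traffic): a plain phf request and
# the same request with the "a" of "Qalias" hex-encoded, as described in the post.
PLAIN = b"GET /cgi-bin/phf?Qalias=x%0ay HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
ENCODED = b"GET /cgi-bin/phf?Q%61lias=x%0ay HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("plain", PLAIN), ("encoded", ENCODED)):
        print(f"{name:8s} original rule: {rule_fires(req, False)}  "
              f"uricontent fix: {rule_fires(req, True)}")
```

The encoded request is the case from the post: the original rule stays silent because the raw payload never contains the bytes "QALIAS", while the uricontent variant fires because the normalized URI buffer does.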