--- Matthew Watchinski <mwatchinski@sourcefire.com>
wrote:
What revision of this rule are you using?
I'm using rev:7. And yes this revision matches the
contents that I send initially, i.e. fires up with
false positives. See below why.
The current revision is 7. This latest revision
doesn't look like it
will match the contents you outline below.
web-misc.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC weblogic/tomcat .jsp view source
attempt";
flow:to_server,established; uricontent:".jsp";
nocase;
pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi";
reference:bugtraq,2527;
classtype:web-application-attack; sid:1054; rev:7;)
Here is how it works.
uricontent inspects the normalized URI buffer, so
things like %70 or %2e
are converted to normal character representations so
%70 becomes "p",
%2e becomes ".", etc...
so uricontent:".jsp" will match ".js%70" or "%2ejsp"
or ".jsp", etc...
while the pcre looks for a negative match on ".jsp"
on the un-normalized
data. ie the .js%70 or %2ejsp
If both conditions are true, uricontent contains
".jsp" and pcre doesn't
contain ".jsp", something is encoded and the rule
fires.
Cheers,
-matt
Here is what happens:
a) the GET and Referer: lines below match uricontent:
.jsp
b) the other lines match the negated regexp pcre:!...
and nothing in there (the example content I send) is a
%
c)the rule fires up with false positives!
because of a) + b) then c) happens
The rule should look explicitly for a %;
instead of assuming that if the pcre is true
then a % is present, it is this assumption that is
false,
and the reason for the false positives.
Regards,
-- Victor
Victor Meghesan wrote:
Rule: WEB-MISC weblogic/tomcat .jsp view source
attempt
--
Sid: 1054
--
Summary: The rule fires up with false positives
--
Impact: Cry wolf in vain.
--
Detailed Information: It doesn't check if a % is
present in the request.
--
Affected Systems:
--
Attack Scenarios:
--
Ease of Attack:
--
False Positives:
Something like this matches the (actual) rule
content
search:
GET /l/o.jsp HTTP/1.0
Host: xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT
5.0;
en-US; rv:1.4) Gecko/200306
24
Accept:
application/x-shockwave-flash,text/xml,application/xml,application/xhtml
+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif
;q=0.2,*/*;q=0.1
Accept-Language: ro,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 300
Referer: http://xxx.xxx.xxx/l/l.jsp
Cookie: JSESSIONID=xxxftr3hkVd-33
Via: 1.1 yyy.yyy.yyy:8000 (squid/2.5.STABLE4)
X-Forwarded-For: unknown
Cache-Control: max-age=259200
Connection: keep-alive
--
False Negatives:
--
Corrective Action:
--
Contributors:
__________________________________
Do you Yahoo!?
The all-new My Yahoo! - Get yours free!
http://my.yahoo.com
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
