Network Security: Detailed info on RE: [Snort-sigs] SID:2229

Subject:	RE: [Snort-sigs] SID:2229 - False positives
Date:	Thu, 10 Feb 2005 01:36:09 +0200


Paul Schmehl wrote on February 09, 2005

Subject: [Snort-sigs] SID:2229 - False positives

Summary       This event is generated when an attempt is made to exploit a
known
vulnerability in the PHP application phpBB.

Well, no.  Actually this event is generated any time someone viewing a
phpBB accesses a topic thread.  At a minimum, there should be a second
content check with *something* that involves the exploit code.


Snort has many rules that alert on access as opposed to attack for many
different vulnerable applications. The idea is probably to alert you as a
security person that such a system is installed on your network, and once
you know that you have such a system and it is patched remove the rule.

You may find the signatures you are looking for at
http://www.bleedingsnort.com/ 

You will also find that viewtopic is vulnerable in addition to SQL
injection, also to XSS and PHP injection, which suggests that a generic
signature for it may be the right thing.

ISTM this rule ought to *at least* look something like this:

Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP viewtopic.php access"; flow:to_server,established;
uricontent:"viewtopic.php"; content:"select"; nocase;
reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767;
classtype:web-application-attack; sid:2229; rev:4;)


The problem is that no simple signature will encompass all possibilities of
an application layer attack such as SQL injection, the two examples you
brought are just too easy to evade.

Snort does its best by alerting you of a potential problem, but actually
detecting application layer attacks is beyond the scope of snort or any
other network layer IDS.

Or even better:

Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP viewtopic.php access"; flow:to_server,established;
uricontent:"viewtopic.php"; content:"select"; nocase; content: "from";
nocase; content: "where"; nocase; reference:bugtraq,7979;
reference:cve,2003-0486; reference:nessus,11767;
classtype:web-application-attack; sid:2229; rev:4;)

N'est pas?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Ofer Shezaf
CTO, Breach Security

Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers@breach.com
http://www.breach.com



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] SID:2229 - False positives, Paul Schmehl RE: [Snort-sigs] SID:2229 - False positives, Ofer Shezaf <=

Previous by Date:	RE: [Snort-sigs] Bleeding rules virus and threshold issue, James Lay
Next by Date:	Re: [Snort-sigs] Windows Messenger/MSN Messenger, Matt Jonkman
Previous by Thread:	[Snort-sigs] SID:2229 - False positives, Paul Schmehl
Next by Thread:	[Snort-sigs] Update to snort rules (SNMP AgentX/tcp request), Bill Bernabe
Indexes:	[Date] [Thread] [Top] [All Lists]

RE: [Snort-sigs] SID:2229 - False positives