Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-sigs] False positive - sid 1365

from [Zachary Lanier] Network Security [Permanent Link]
Subject: RE: [Snort-sigs] False positive - sid 1365
Date: Fri, 18 Mar 2005 14:21:39 -0500 
Well, already it looks like someone is trying to steal the answers to
the midterm! That should be a rule in itself ;)

The command doesn't necessarily need a space on either side:

What if it were "/bin/rm" or
"/leet/directory/i/put/my/commands/in/to/hide/them/from/a/nids/rm" then
the %20rm%20 wouldn't necessarily fire.

Zachary Lanier


+++The information transmitted is intended only for the person or entity
to which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you
received this in error, please contact the sender and destroy any copies
of this document.+++


-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Paul
Schmehl
Sent: Friday, March 18, 2005 14:07
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] False positive - sid 1365


/usr/local/share/snort/web-attacks.rules:alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; 
flow:to_server,established; content:"rm%20"; nocase; 
classtype:web-application-attack; sid:1365; rev:5;)

We get a ton of fps on this signature.  I'm wondering why the content
isn't 
"%20rm%20" instead of "rm%20".  Wouldn't you need a space on either side

for the command to be parsed/understood?

Here's a typical packet.  I've removed the last few lines because there
was 
a username and password in there:

length = 885

000 : 47 45 54 20 2F 53 43 52 49 50 54 2F 31 30 35 39   GET /SCRIPT/1059
010 : 36 32 30 30 35 53 2F 73 63 72 69 70 74 73 2F 73   62005S/scripts/s
020 : 74 75 64 65 6E 74 2F 64 72 6F 70 62 6F 78 5F 66   tudent/dropbox_f
030 : 69 6C 65 73 5F 76 69 65 77 2E 70 6C 2F 2F 31 30   iles_view.pl//10
040 : 35 39 36 32 30 30 35 53 2F 70 72 6F 6A 30 35 73   5962005S/proj05s
050 : 2E 70 64 66 3F 46 49 4C 45 5F 44 4F 57 4E 4C 4F   .pdf?FILE_DOWNLO
060 : 41 44 2B 5F 68 6F 6D 65 70 61 67 65 2B 2B 31 35   AD+_homepage++15
070 : 38 35 32 31 32 38 39 34 2B 2F 31 30 35 39 36 32   85212894+/105962
080 : 30 30 35 53 2F 70 72 6F 6A 30 35 73 2E 70 64 66   005S/proj05s.pdf
090 : 2B 31 30 35 39 36 32 30 30 35 53 2B 20 48 54 54   +105962005S+ HTT
0a0 : 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 69   P/1.1..Accept: i
0b0 : 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 67 65 2F   mage/gif, image/
0c0 : 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D 61 67 65   x-xbitmap, image
0d0 : 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F 70 6A 70   /jpeg, image/pjp
0e0 : 65 67 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F   eg, application/
0f0 : 78 2D 73 68 6F 63 6B 77 61 76 65 2D 66 6C 61 73   x-shockwave-flas
100 : 68 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76   h, application/v
110 : 6E 64 2E 6D 73 2D 65 78 63 65 6C 2C 20 61 70 70   nd.ms-excel, app
120 : 6C 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D   lication/vnd.ms-
130 : 70 6F 77 65 72 70 6F 69 6E 74 2C 20 61 70 70 6C   powerpoint, appl
140 : 69 63 61 74 69 6F 6E 2F 6D 73 77 6F 72 64 2C 20   ication/msword,
150 : 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74   */*..Referer: ht
160 : 74 70 3A 2F 2F 77 65 62 63 74 2E 75 74 64 61 6C   tp://webct.utdal
170 : 6C 61 73 2E 65 64 75 2F 53 43 52 49 50 54 2F 31   las.edu/SCRIPT/1
180 : 30 35 39 36 32 30 30 35 53 2F 73 63 72 69 70 74   05962005S/script
190 : 73 2F 73 74 75 64 65 6E 74 2F 64 72 6F 70 62 6F   s/student/dropbo
1a0 : 78 5F 66 69 6C 65 73 5F 76 69 65 77 2E 70 6C 3F   x_files_view.pl?
1b0 : 53 54 41 52 54 2B 5F 68 6F 6D 65 70 61 67 65 2B   START+_homepage+
1c0 : 2B 31 35 38 35 32 31 32 38 39 34 2B 70 72 6F 6A   +1585212894+proj
1d0 : 30 35 73 2E 70 64 66 2B 31 30 35 39 36 32 30 30   05s.pdf+10596200
1e0 : 35 53 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75   5S..Accept-Langu
1f0 : 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65   age: en-us..Acce
200 : 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69   pt-Encoding: gzi
210 : 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 65 72   p, deflate..User
220 : 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F   -Agent: Mozilla/
230 : 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B   4.0 (compatible;
240 : 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F    MSIE 6.0; Windo
250 : 77 73 20 4E 54 20 35 2E 30 29 0D 0A 48 6F 73 74   ws NT 5.0)..Host
260 : 3A 20 77 65 62 63 74 2E 75 74 64 61 6C 6C 61 73   : webct.utdallas
270 : 2E 65 64 75 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E   .edu..Connection
280 : 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F   : Keep-Alive..Co
290 : 6F 6B 69 65 3A 20 70 61 67 65 3D 31 35 33 38 38   okie: page=15388
2a0 : 34 35 39 39 33 5F 5F 31 36 33 31 33 39 38 36 36   45993__163139866
2b0 : 35 5F 5F 5F 5F 31 36 33 31 33 39 38 36 36 35 2E   5____1631398665.
2c0 : 70 64 66 5F 5F 41 6E 73 77 65 72 73 25 32 30 74   pdf__Answers%20t
2d0 : 6F 25 32 30 4D 69 64 25 32 30 54 65 72 6D 25 32   o%20Mid%20Term%2
2e0 : 30 54 65 73 74 5F 5F 46 5F 5F 6D 73 30 35 73 61   0Test__F__ms05sa
2f0 : 2E 70 64 66 3B 20 57 65 62 43 54 54 69 63 6B 65   .pdf; WebCTTicke
300 : 74 3D 75 73 65 72 6E 61 6D 65 25 33 44 63 78 72   t=username%3Dcxr

You'll notice that what's triggering the rule is this:
page=15388
2a0 : 34 35 39 39 33 5F 5F 31 36 33 31 33 39 38 36 36   45993__163139866
2b0 : 35 5F 5F 5F 5F 31 36 33 31 33 39 38 36 36 35 2E   5____1631398665.
2c0 : 70 64 66 5F 5F 41 6E 73 77 65 72 73 25 32 30 74   pdf__Answers%20t
2d0 : 6F 25 32 30 4D 69 64 25 32 30 54 65 72 6D 25 32   o%20Mid%20Term%2
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

2e0 : 30 54 65 73 74 5F 5F 46 5F 5F 6D 73 30 35 73 61   0Test__F__ms05sa
2f0 : 2E 70 64 66 3B 20 57 65 62 43 54 54 69 63 6B 65   .pdf;

This is very common, as you would imagine, at a university.
        
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&opÌk
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] False positive - sid 1365, Paul Schmehl
Next by Date:  Re: [Snort-sigs] False positive - sid 1365, Chris Kronberg
Previous by Thread:  Re: [Snort-sigs] False positive - sid 1365, Jason
Next by Thread:  Re: [Snort-sigs] False positive - sid 1365, Paul Schmehl
Indexes:  [Date] [Thread] [Top] [All Lists]