--On Friday, March 18, 2005 08:23:14 PM +0100 Chris Kronberg
<smil@agleia.de> wrote:
"%20rm%20" instead of "rm%20". Wouldn't you need a space on either side
for the command to be parsed/understood?
"%20rm%20" will not catch attempts ala
"somescript.cgi?rm%20/etc/passwd"
or "somescript.cgi?bla=blub;rm%20/tmp/laber".
I had seen attempts like that in the past (although the script in
question was not vulnerable). Some attackers used "rm", others used
"/bin/rm". A more recent example may be
"awstats.pl?configdir=|rm%20/path/to/file|"
The only thing you know for sure is the space after the "rm".
If you are sure to catch all possible combinations a pcre rule
should reduce the fps significantly (I'll try to write a rule
after a night of sleep; can't think straight right now).
How about this:
For 1365 - pcre:"[\/\s;\?\|]?rm\s";
For 1344 - pcre:"[\/\s;\?\|]?cc\s";
Or simply this:
For 1365 - pcre:"\W?rm\s";
For 1344 - pcre:"\W?cc\s";
Or this:
For 1365 - pcre:"[\W\d]?rm\s";
For 1344 - pcre:"[\W\d]?cc\s";
Surely the character preceding rm or cc would have to be non-alpha at
least, if not non-alphanumeric? I don't know which of the above would be
most efficient, but ISTM one of them would be an improvement and still
catch all hacking attempts while reducing/eliminating the fps.
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
