ahh, the lost arts... I would not even want the %20 in there.
Chris Kronberg wrote:
On Fri, 18 Mar 2005, Paul Schmehl wrote:
/usr/local/share/snort/web-attacks.rules:alert tcp $EXTERNAL_NET any
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt";
flow:to_server,established; content:"rm%20"; nocase;
classtype:web-application-attack; sid:1365; rev:5;)
We get a ton of fps on this signature. I'm wondering why the content
isn't
So do I, yet...
"%20rm%20" instead of "rm%20". Wouldn't you need a space on either
side for the command to be parsed/understood?
"%20rm%20" will not catch attempts ala "somescript.cgi?rm%20/etc/passwd"
or "somescript.cgi?bla=blub;rm%20/tmp/laber".
I had seen attempts like that in the past (although the script in
question was not vulnerable). Some attackers used "rm", others used
"/bin/rm". A more recent example may be
"awstats.pl?configdir=|rm%20/path/to/file|"
The only thing you know for sure is the space after the "rm".
unless you are able to set IFS
an example might be
GET /path/to/awstats.pl?configdir=%7cIFS=%3a%3brm%3a/path/to/file%7c
If you are sure to catch all possible combinations a pcre rule
should reduce the fps significantly (I'll try to write a rule
after a night of sleep; can't think straight right now).
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
