Network Security: Detailed info on RE: [Snort-sigs] False positive

Subject:	RE: [Snort-sigs] False positive - sid 1365
Date:	Tue, 22 Mar 2005 02:31:19 +0200


The problem is that rm is one of a very long list of commands, and that pcre
is very expensive performance wise. 

Even prefixing with a "uricontent" operator does not help much as two letter
words tend to crop up a lot (and it probably should be "content" and not
"uricontent" as rm could very well injected in a parameter value).

So? 
Write code better; Configure the server better; use application layer
security tools; but don't try to catch application layer issues such as
command or SQL injection with Snort.

~ Ofer

Ofer Shezaf
CTO, Breach Security

Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers@breach.com
http://www.breach.com

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-
admin@lists.sourceforge.net] On Behalf Of Mike Pomraning
Sent: Saturday, March 19, 2005 1:40 AM
To: Paul Schmehl
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] False positive - sid 1365

On Fri, 18 Mar 2005, Paul Schmehl wrote:

--On Friday, March 18, 2005 08:23:14 PM +0100 Chris Kronberg

<smil@agleia.de>

wrote:


The only thing you know for sure is the space after the "rm".

[...]


How about this:

For 1365 - pcre:"[\/\s;\?\|]?rm\s";
For 1344 - pcre:"[\/\s;\?\|]?cc\s";

[...]

How about:

   uricontent: "rm "; pcre: "/\brm /U";

and similar for "cc"?

'\b' (word boundary) ensures that "rm" can't be the end of a token (as in
"GET /Form%20Download/"), and the 'uricontent' should keep the rule
reasonably fast, in addition to handling multiple space encoding schemes.

If you're worried about more sophisticated injections that don't use a
space
character (e.g., "rm${_bleh- }..." or "rm$IFS..."), you could drop the
space
altogether:

   uricontent: "rm"; pcre: "/\brm\b/U";

Regards,
Mike
--
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] False positive - sid 1365, Paul Schmehl Re: [Snort-sigs] False positive - sid 1365, Chris Kronberg Re: [Snort-sigs] False positive - sid 1365, Jason RE: [Snort-sigs] False positive - sid 1365, Zachary Lanier Re: [Snort-sigs] False positive - sid 1365, Paul Schmehl Re: [Snort-sigs] False positive - sid 1365, Mark Tombaugh Re: [Snort-sigs] False positive - sid 1365, Mike Pomraning RE: [Snort-sigs] False positive - sid 1365, Ofer Shezaf <= RE: [Snort-sigs] False positive - sid 1365, Mike Pomraning RE: [Snort-sigs] False positive - sid 1365, Ofer Shezaf RE: [Snort-sigs] False positive - sid 1365, Paul Schmehl

Previous by Date:	RE: [Snort-sigs] False positive - sid 1365, Mike Pomraning
Next by Date:	RE: [Snort-sigs] False positive - sid 1365, Ofer Shezaf
Previous by Thread:	Re: [Snort-sigs] False positive - sid 1365, Mike Pomraning
Next by Thread:	RE: [Snort-sigs] False positive - sid 1365, Mike Pomraning
Indexes:	[Date] [Thread] [Top] [All Lists]

RE: [Snort-sigs] False positive - sid 1365