
Re: [Snort-sigs] improvements to web-misc rules

Subject: Re: [Snort-sigs] improvements to web-misc rules
Date: Sun, 18 Sep 2005 10:53:00 -0400
You guys already have it, Frank updated it last night. I am not sure the turn around time, all depends on what's going on within VRT. Shouldn't be too long.

Joel

On Sep 18, 2005, at 10:31 AM, Matt Jonkman wrote:

How long does it take for something to be accepted into the community
sets? If it's going to be a while we'll update the sig on bleeding with
this one.


Matt

On Sun, 2005-09-18 at 10:17 -0400, Joel Esler wrote:

Frank,

Thanks for the feedback.

The original rule only specified one attack path URL; it turns out that
there are several attack URLs, all having to use "TwikiUsers?rev=".
Second of all, shell code can only be executed in Twiki if you use a
metacharacter to jump it to shell..

However, you are correct in saying that it could be evaded.  The
backtick will actually stop the command.  It will cease to run the
function.  However, they don't state that any other metacharacter
can jump it to shell either.  The only example they give is the "|"
command will jump it to shell.  So... there are two methods to the
madness here; after much discussion internally with many other wise
SOURCEfire employees, Jason Brvenik had the idea to look for anything
that is a number followed by anything that is not a number, or "&",
or a new line.  We also wrote a rule with some pcre to look for
every metacharacter after the rev number; however, we found that this
method was much more efficient.

I saw that you and Brvenik had a discussion in #snort on
irc.freenode.net last night, and you updated the original rule with
the advanced pcre. So cool.. I have also resubmitted the rule into
Community.  If accepted it will go into the community ruleset at
http://www.snort.org/pub-bin/downloads.cgi#COMM .   I apologize for
any confusion.

So:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Twiki shell command execution"; flow:to_server,established; uricontent:"/TwikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"; classtype:web-application-activity; reference:url,secunia.com/advisories/16820/; rev:3;)

Would be more accurate.


Joel



On Sep 17, 2005, at 2:20 PM, Frank Knobbe wrote:


On Fri, 2005-09-16 at 08:01 -0400, Joel Esler wrote:


Chas, I took the rule that you provided yesterday and made it more
accurate.  I submitted this rule for inclusion into the official
community ruleset.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Twiki shell command execution"; flow:to_server,established; uricontent:"/TwikiUsers?rev="; content:"|60|"; classtype:web-application-activity; sid:<waitingonsid>; rev:2;)



I don't know if that is "more" accurate. You just modified the rule so
that it is subject to easy evasion. Perhaps you want to rethink the
rule.


Cheers,
Frank

--
Ciscogate: Shame on Cisco. Double-Shame on ISS.





_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------







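As an added illustration, not part of the thread or of the Sourcefire/VRT rules, the following script models the two rule revisions discussed above (rev:2 keyed on a backtick, rev:3 keyed on the "number followed by a non-number, '&' or newline" pcre) and runs them over constructed request URIs. The helper names, sample URIs and the approximation of Snort's content/uricontent matching as plain substring and regex tests are assumptions for the example.

```python
import re

# Hypothetical model of the two rule revisions from the thread (not Snort itself).
# rev:2  uricontent:"/TwikiUsers?rev=" (case-sensitive); content:"|60|" (a literal backtick)
# rev:3  uricontent:"/TwikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"
REV3_PCRE = re.compile(r"rev=\d*[^\d\&\n]", re.IGNORECASE)


def rev2_matches(uri: str) -> bool:
    """rev:2 - fixed URL prefix plus a backtick (0x60) somewhere in the request."""
    return "/TwikiUsers?rev=" in uri and "\x60" in uri


def rev3_matches(uri: str) -> bool:
    """rev:3 - any rev= value whose digit run is followed by something other than a digit, '&' or newline."""
    return "/twikiusers?" in uri.lower() and REV3_PCRE.search(uri) is not None


# Constructed sample URIs for the example; "x" stands in for whatever follows the metacharacter.
SAMPLES = {
    "benign_plain":    "/twiki/bin/view/Main/TwikiUsers?rev=12",
    "benign_amp":      "/twiki/bin/view/Main/TwikiUsers?rev=12&skin=print",
    "backtick":        "/twiki/bin/view/Main/TwikiUsers?rev=12`x`",
    "pipe_meta":       "/twiki/bin/view/Main/TwikiUsers?rev=12|x",
    "pipe_other_path": "/twiki/bin/rdiff/Main/TwikiUsers?rev=12|x",
    "case_variant":    "/twiki/bin/view/Main/TWIKIUSERS?REV=12|x",
}


def evaluate(samples=SAMPLES):
    """Return {name: (rev2_hit, rev3_hit)} so the two revisions can be compared side by side."""
    return {name: (rev2_matches(u), rev3_matches(u)) for name, u in samples.items()}


if __name__ == "__main__":
    for name, (r2, r3) in evaluate().items():
        print(f"{name:16s} rev2={str(r2):5s} rev3={r3}")
```

The benign URIs trip neither revision, while the pipe-based and mixed-case variants that slip past the backtick-only rev:2 are caught by the rev:3 pcre, which is the evasion Frank raised.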
