Subject: Re: [Snort-sigs] new rule for detect web "=+" (generic + after =) attempt
Date: Wed, 14 Dec 2005 16:50:48 -0500
FYI, after a brief off-list conversation, rmkml realized that searching for "=+" would not be as useful as he had thought, and has rescinded the rule.

Alex Kirk
Community Rules Maintainer
Sourcefire, Inc.

I can understand the concept behind "=|" -- there are a vast number of web programs which are vulnerable to command injection via the use of pipes that enclose shell commands, a la "http://www.example.com/cgi-bin/foo.cgi?vuln=|rm -rf *|". Of course, you'd need to use such a rule with extreme caution, since there are places where this sort of thing is legitimate -- for example, if you run a Google search for 'allinurl: "%3D%7C"' (which allows you to look for pages whose URLs actually contain "=|"), you get 277 hits. I will add this to the Community rules, in case it has value for anyone out there, though it will be disabled by default.

I'm a lot less clear on the logic behind "=+". Rmkml, any information you can provide on why you chose this particular character sequence as something worth alerting on would be much appreciated. Meanwhile, I'm going to pop that rule on my desktop here for the next few hours, just to see how many alerts I get while doing normal daily web browsing, as this ought to give at least some indication of how false-positive prone it is.

Alex Kirk
Community Rules Maintainer
Sourcefire, Inc.

On Wed, 2005-12-14 at 10:08 +0100, rmkml wrote:



web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC generic cmd + after = attempt"; flow:to_server,established; uricontent:"|3D 2B|"; classtype:web-application-attack; )

This rule sends an event if your URI contains '=+'!
(http10/http11 ok)


Why would you classify this as an attack? Any web form that is submitted
via GET and with a field whose value starts with a space will match
this. Can you explain why this (and for that matter '=|') concerns you?

- Raz



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
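Raz's objection above (any GET form field whose value starts with a space is sent as '=+') can be checked directly. The following is an added example, not code from the thread or from Sourcefire: a Python re-implementation of both uricontent checks run over constructed request lines. The percent-decoding step (standing in for http_inspect normalization) and the msg text for the '=|' rule are assumptions.

```python
from urllib.parse import unquote_to_bytes, urlencode

# Byte patterns from the two rules discussed in the thread:
# uricontent:"|3D 2B|" is "=+" and uricontent:"|3D 7C|" is "=|".
# The msg text for the "=|" rule is a hypothetical label, not Sourcefire's.
RULES = {
    "WEB-MISC generic cmd + after = attempt": b"\x3d\x2b",
    "WEB-MISC generic cmd | after = attempt": b"\x3d\x7c",
}

def request_uri(request_line: bytes) -> bytes:
    """Extract the request-URI from 'METHOD SP request-URI SP HTTP-version'."""
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1]

def normalize_uri(uri: bytes) -> bytes:
    """Approximate http_inspect URI normalization: percent-decode once.
    '+' is deliberately NOT turned into a space (assumption: matches the
    preprocessor's default behaviour), so '=+' survives normalization."""
    return unquote_to_bytes(uri)

def match_rules(request_line: bytes) -> list[str]:
    """uricontent is a plain substring search over the normalized URI bytes."""
    uri = normalize_uri(request_uri(request_line))
    return [msg for msg, pattern in RULES.items() if pattern in uri]

def scan(request_lines: list[bytes]) -> dict[bytes, list[str]]:
    """Run every rule over every request line; an empty list means no alert."""
    return {line: match_rules(line) for line in request_lines}

# Constructed sample request lines, not captured traffic.
SAMPLES = [
    b"GET /search?q=snort+rules HTTP/1.1",        # '+' inside a value: no alert
    b"GET /search?q=+snort HTTP/1.1",             # value starts with a space: '=+' alert
    b"GET /cgi-bin/foo.cgi?vuln=|id| HTTP/1.0",   # pipe-enclosed value: '=|' alert
    b"GET /page?x=%3D%7C HTTP/1.1",               # encoded '=|' still alerts after decoding
    b"GET /index.html HTTP/1.1",
]

def browser_encoded_form() -> str:
    """How a browser encodes a GET form field whose value begins with a space."""
    return urlencode({"name": " alice"})   # 'name=+alice' would trigger the '=+' rule

if __name__ == "__main__":
    for line, alerts in scan(SAMPLES).items():
        print(line.decode(), "->", alerts or "no alert")
```

The second sample is exactly the benign case Raz describes: a legitimate search for " snort" fires the rule with no command injection anywhere in sight.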