Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] FP: COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host

from [Chich Thierry] Network Security [Permanent Link]
Subject: [Snort-sigs] FP: COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host ..
Date: Wed, 19 Apr 2006 11:43:51 +0200 
Hi,

I have a lot of false positive with the rule 100000170.


 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY 
WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host 
Parameter"; flow:to_server,established; content:"Host"; nocase;               
pcre:"/^Host[^\r\n]{100,}/smi"; reference:bugtraq,15081; ...)

As I understand this rule, it try to find packet that begin by Host  followed 
by 100 chars that are not in \r\n (0d 0a). In the following trace, it doesn't 
work. I don't understand why, since there is a beautiful 0d 0a after the host 
name, and there is no "host.*" in the name of the host

0x0020:  xxxx xxxx xxxxx xxxx xxxxx xxxx  2f63 7264 P...r...GET./crd
0x0030:  702f 5465 7874 652e 6874 6d20 4854 5450  p/Texte.htm.HTTP
0x0040:  2f31 2e31 0d0a 4163 6365 7074 3a20 696d  /1.1..Accept:.im
0x0050:  6167 652f 6769 662c 2069 6d61 6765 2f78  age/gif,.image/x
0x0060:  2d78 6269 746d 6170 2c20 696d 6167 652f  -xbitmap,.image/
0x0070:  6a70 6567 2c20 696d 6167 652f 706a 7065  jpeg,.image/pjpe
0x0080:  672c 2061 7070 6c69 6361 7469 6f6e 2f78  g,.application/x
0x0090:  2d73 686f 636b 7761 7665 2d66 6c61 7368  -shockwave-flash
0x00a0:  2c20 6170 706c 6963 6174 696f 6e2f 766e  ,.application/vn
0x00b0:  642e 6d73 2d65 7863 656c 2c20 6170 706c  d.ms-excel,.appl
0x00c0:  6963 6174 696f 6e2f 766e 642e 6d73 2d70  ication/vnd.ms-p
0x00d0:  6f77 6572 706f 696e 742c 2061 7070 6c69  owerpoint,.appli
0x00e0:  6361 7469 6f6e 2f6d 7377 6f72 642c 2061  cation/msword,.a
0x00f0:  7070 6c69 6361 7469 6f6e 2f78 2d67 7361  pplication/x-gsa
0x0100:  7263 6164 652d 6c61 756e 6368 2c20 6170  rcade-launch,.ap
0x0110:  706c 6963 6174 696f 6e2f 782d 6963 712c  plication/x-icq,
0x0120:  202a 2f2a 0d0a 5265 6665 7265 723a 2068  .*/*..Referer:.h
0x0130:  7474 703a 2f2f  xxxx xxxx xxxxx xxxx xxxx  ttp://xxxx.xxxxx
0x0140:  xxxx xxxx xxxxx xxxx xxxx xxxx xxxx   2f69  xxxx.xx/xxxxx/i
0x0150:  6e64 6578 2e68 746d 6c0d 0a41 6363 6570  ndex.html..Accep
0x0160:  742d 4c61 6e67 7561 6765 3a20 6465 0d0a  t-Language:.de..
0x0170:  4163 6365 7074 2d45 6e63 6f64 696e 673a  Accept-Encoding:
0x0180:  2067 7a69 702c 2064 6566 6c61 7465 0d0a  .gzip,.deflate..
0x0190:  5573 6572 2d41 6765 6e74 3a20 4d6f 7a69  User-Agent:.Mozi
0x01a0:  6c6c 612f 342e 3020 2863 6f6d 7061 7469  lla/4.0.(compati
0x01b0:  626c 653b 204d 5349 4520 362e 303b 2057  ble;.MSIE.6.0;.W
0x01c0:  696e 646f 7773 204e 5420 352e 313b 2053  indows.NT.5.1;.S
0x01d0:  5631 3b20 2e4e 4554 2043 4c52 2031 2e31  V1;..NET.CLR.1.1
0x01e0:  2e34 3332 3229 0d0a 486f 7374 3a20 6372  .4322)..Host:.xx
0x01f0:   xxxx xxxx xxxx xxxxx xxxxx xxxxx xxxx xxxxx  xx.xxxxxxxxxxx.x
0x0200:  xx0d 0a43 6f6e 6e65 6374 696f 6e3a 204b  x..Connection:.K
0x0210:  6565 702d 416c 6976 650d 0a0d 0a eep-Alive....

Just a question. Is there a good reason to limit the size to 100 ? The RFC 
1034 is limiting the size of an hostname to 254.

Thierry. 


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] FP: COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host .., Chich Thierry <=
Previous by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Previous by Thread:  [Snort-sigs] 2.4.4 Binaries and 2.6.0RC1 Available, Jennifer Steffens
Next by Thread:  [Snort-sigs] Sig 1147, BassPlayer
Indexes:  [Date] [Thread] [Top] [All Lists]