Re: [Snort-sigs] Sig 1147

Sorry my mod_security killed my message. Resending....
My point exactly but instead of not using the rule, which seems to be the
default response when I ask a bout a rule, why not make it better so it
traps only on the actual exploit.
With my modded guardian script I can ignore idividual sids but then I
still see the alerts in my BASE console and they still take up log and DB
space.
I guess I should of been more concise and asked if there was a way to get
the rule updated. What is the process for doing that?

It would also be helpful if someone could tell me if the rule syntax would
acutally work.

Thanks
BP


BassPlayer wrote:
> Jamie Riden wrote:
> > Hi BP,
> >
> > There are lots of other circumstances in which you don't want a 'cat'
> > command, e.g. with the awstats exploit, people will use cat/echo/id to
> > test if a script is vulnerable. Something like this:
> >
> > GET
> > /cgi-bin/?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%3a%etc%3apasswd%20e_exp%3b%2500
> > HTTP/1.1"
> >
> > However, the cat%20 rule does tend to generate a lot of false
> > positives - for example at the vet department of the university I used
> > to work at :) I wouldn't recommend blocking using it.
> >
> > cheers,
> >  Jamie
> >
> > On 26/04/06, BassPlayer <bassplayer@angmar.com> wrote:
> > > After checking the actual exploit here
> > >
> > > http://www.securityfocus.com/bid/374/exploit
> > >
> > > Wouln't it be better to do
> > >
> > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> > > cat%20 access"; flow:to_server,established;
> > > (pcre:"/webdist.cgi.+cat%20/i";)  nocase; reference:bugtraq,374;
> > > reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)
> > >
> > > Please excuse my n00bness in rules writing.
> > >
> > > BP
> > >
> > > BassPlayer wrote:
> > > > Hi,
> > > > Can this rule be tightened up a bit?
> > > >
> > > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> > > (msg:"WEB-MISC
> > > > cat%20 access"; flow:to_server,established; content:"cat%20"; nocase;
> > > > reference:bugtraq,374; reference:cve,1999-0039;
> > > classtype:attempted-recon;
> > > > sid:1147; rev:7;)
> > > >
> > > > It's triggering on the following request which is my wife streaming
> > > music.
> > > > She wasn't too happy when my modified guardian script autoblocked her
> > > :D.
> > > > BP
> > > >
> > > > Generated by BASE v1.2.2 (cindy) on Tue, 25 Apr 2006 15:18:24 -0700
> > > >
> > > > ------------------------------------------------------------------------------
> > > > #(1 - 113755) [2006-04-25 07:35:06] [cve/1999-0039] [icat/1999-0039]
> > > > [bugtraq/374]
> > > > [local/1147] [snort/1147]  WEB-MISC cat%20 access
> > > > IPv4: 143.183.121.1 -> 209.237.15.226
> > > >       hlen=5 TOS=0 dlen=517 ID=43136 flags=0 offset=0 TTL=47
> > > chksum=46826
> > > > TCP:  port=56372 -> dport: 80  flags=***AP*** seq=2968053703
> > > >       ack=1992497194 off=8 res=0 win=5840 urp=0 chksum=57923
> > > >       Options:
> > > >        #1 - NOP len=0
> > > >        #2 - NOP len=0
> > > >        #3 - TS len=8 data=A0754FBD005A583E
> > > > Payload: GET
> > > > /private_music_archive/play/index.php?song=2538&uid=usersid=sid&ds=32&name=/The%20Pussycat%20Dolls%20-%20Bite%20the%20Dust.mp3
> > > > HTTP/1.0
> > > >
> > > > Accept: */*
> > > >
> > > > User-Agent: Windows-Media-Player/10.00.00.3990
> > > >
> > > > Host: www.angmar.com
> > > >
> > > > Cookie: amp_longsess=1; POSTNUKESID=mumble
> > > >
> > > > Via: 1.0 scfwpr01.sc.intel.com:911 (squid/2.5.STABLE12)
> > > >
> > > > X-Forwarded-For: unknown
> > > >
> > > > Cache-Control: max-age=259200
> > > >
> > > > Connection: keep-alive
> > > >
> > > >
> > > >
> > > >
> > > > -------------------------------------------------------
> > > > Using Tomcat but need to do more? Need to support web services,
> > > security?
> > > > Get stuff done quickly with pre-integrated technology to make your
> > > job
> > > > easier
> > > > Download IBM WebSphere Application Server v.1.0.1 based on Apache
> > > Geronimo
> > > > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> > > > _______________________________________________
> > > > Snort-sigs mailing list
> > > > Snort-sigs@lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > --
> > Jamie Riden / jamesr@europe.com / jamie.riden@computer.org
> > "Microsoft: Bringing the world to your desktop - and your desktop to
> >  the world." -- Peter Gutmann
>
>
>
>
>
>
> -------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job
> easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> !DSPAM:444edc89215666362979185!






-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs