Re: [Snort-sigs] Sig 1147

Subject: Re: [Snort-sigs] Sig 1147
Date: Tue, 25 Apr 2006 22:18:19 -0600
BassPlayer wrote:
Sorry my mod_security killed my message. Resending....
My point exactly but instead of not using the rule, which seems to be the
default response when I ask about a rule, why not make it better so it
traps only on the actual exploit.
With my modded guardian script I can ignore individual sids but then I
still see the alerts in my BASE console and they still take up log and DB
space.
I guess I should have been more concise and asked if there was a way to get
the rule updated. What is the process for doing that?

It would also be helpful if someone could tell me if the rule syntax would
actually work.

If you mean whether the syntax is correct then the answer is yes, 
excluding the parentheses surrounding pcre. However, there are quite 
a few issues with the rule:

* The new pcre clause should use "\." for the dot before "cgi".

* This is a Unix vulnerability so the "/i" modifier is likely not 
  needed. (Neither is the original nocase clause.)

* The new pcre clause is vulnerable to encoding evasions; use the 
  "/U" modifier. (So is the original content clause.)

* The new pcre clause can be evaded by using other legitimate shell 
  whitespace, such as tabs. (So can the original content clause.)

* There are other ways to dump a file's contents (grep, sed, awk, 
  head, tail, you-name-it).

* The modified rule is missing a content or uricontent clause, 
  which makes the rule expensive.

If you really, really insist on this rule even though the vulnerability 
is so old, you should do something like:

    flow:to_server,established;
    uricontent:"webdist.cgi";
    pcre:"/webdist\.cgi.+\bcat[ \t]/U";

If you want to hunt for "cat" in general then use it in the uricontent 
clause although it is too short/common to be really effective:

    flow:to_server,established;
    uricontent:"cat";
    pcre:"/\bcat[ \t]/U";

Cheers,
nnposter


Thanks
BP
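To see how the original content match and nnposter's two tightened variants behave on the music request from the BASE alert, here is an added Python emulation (not code from the thread or from Snort). It approximates Snort's normalized-URI buffer ("/U") with percent-decoding, and the webdist.cgi requests are constructed samples whose parameter name is a placeholder.

```python
import re
from urllib.parse import unquote

# Benign URI copied from the BASE alert in the thread (the false positive).
BENIGN_MUSIC_URI = ("/private_music_archive/play/index.php?song=2538&uid=usersid=sid"
                    "&ds=32&name=/The%20Pussycat%20Dolls%20-%20Bite%20the%20Dust.mp3")
# Constructed webdist.cgi request; "param" is a placeholder, not the real parameter.
WEBDIST_URI = "/cgi-bin/webdist.cgi?param=;cat%20/etc/passwd"
# Same constructed request with the 'c' percent-encoded and a tab instead of a space,
# the two evasions nnposter describes.
WEBDIST_EVASION_URI = "/cgi-bin/webdist.cgi?param=;%63at%09/etc/passwd"


def normalized_uri(uri):
    """Approximates the normalized URI buffer that the /U modifier matches against."""
    return unquote(uri)


def original_rule_matches(uri):
    """Emulates sid 1147 rev 7: content:"cat%20"; nocase; against the raw URI."""
    return "cat%20" in uri.lower()


WEBDIST_PCRE = re.compile(r"webdist\.cgi.+\bcat[ \t]")


def webdist_rule_matches(uri):
    """Emulates uricontent:"webdist.cgi"; pcre:"/webdist\\.cgi.+\\bcat[ \\t]/U"."""
    norm = normalized_uri(uri)
    if "webdist.cgi" not in norm:  # cheap uricontent prefilter runs first
        return False
    return WEBDIST_PCRE.search(norm) is not None


GENERIC_CAT_PCRE = re.compile(r"\bcat[ \t]")


def generic_cat_rule_matches(uri):
    """Emulates uricontent:"cat"; pcre:"/\\bcat[ \\t]/U" (the general 'cat' hunt)."""
    norm = normalized_uri(uri)
    if "cat" not in norm:
        return False
    # \b keeps "Pussycat Dolls" from matching: 'y' and 'c' are both word characters.
    return GENERIC_CAT_PCRE.search(norm) is not None


if __name__ == "__main__":
    for name, uri in [("benign", BENIGN_MUSIC_URI), ("webdist", WEBDIST_URI),
                      ("evasion", WEBDIST_EVASION_URI)]:
        print(name, original_rule_matches(uri), webdist_rule_matches(uri),
              generic_cat_rule_matches(uri))
```

The original content match fires on the music URI and misses the encoded/tab variant, while both normalized-buffer variants match the webdist requests and leave the music request alone.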


BassPlayer wrote:

Jamie Riden wrote:
Hi BP,

There are lots of other circumstances in which you don't want a 'cat'
command, e.g. with the awstats exploit, people will use cat/echo/id to
test if a script is vulnerable. Something like this:

GET
/cgi-bin/?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%3a%etc%3apasswd%20e_exp%3b%2500
HTTP/1.1"

However, the cat%20 rule does tend to generate a lot of false
positives - for example at the vet department of the university I used
to work at :) I wouldn't recommend blocking using it.

cheers,
 Jamie

On 26/04/06, BassPlayer <bassplayer@angmar.com> wrote:
After checking the actual exploit here

http://www.securityfocus.com/bid/374/exploit

Wouldn't it be better to do

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
cat%20 access"; flow:to_server,established;
(pcre:"/webdist.cgi.+cat%20/i";)  nocase; reference:bugtraq,374;
reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)

Please excuse my n00bness in rules writing.

BP

BassPlayer wrote:
Hi,
Can this rule be tightened up a bit?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC
cat%20 access"; flow:to_server,established; content:"cat%20"; nocase;
reference:bugtraq,374; reference:cve,1999-0039;
classtype:attempted-recon;
sid:1147; rev:7;)

It's triggering on the following request which is my wife streaming
music.
She wasn't too happy when my modified guardian script autoblocked her
:D.
BP

Generated by BASE v1.2.2 (cindy) on Tue, 25 Apr 2006 15:18:24 -0700

------------------------------------------------------------------------------
#(1 - 113755) [2006-04-25 07:35:06] [cve/1999-0039] [icat/1999-0039]
[bugtraq/374]
[local/1147] [snort/1147]  WEB-MISC cat%20 access
IPv4: 143.183.121.1 -> 209.237.15.226
      hlen=5 TOS=0 dlen=517 ID=43136 flags=0 offset=0 TTL=47
chksum=46826
TCP:  port=56372 -> dport: 80  flags=***AP*** seq=2968053703
      ack=1992497194 off=8 res=0 win=5840 urp=0 chksum=57923
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=8 data=A0754FBD005A583E
Payload: GET
/private_music_archive/play/index.php?song=2538&uid=usersid=sid&ds=32&name=/The%20Pussycat%20Dolls%20-%20Bite%20the%20Dust.mp3
HTTP/1.0
Accept: */*
User-Agent: Windows-Media-Player/10.00.00.3990
Host: www.angmar.com
Cookie: amp_longsess=1; POSTNUKESID=mumble
Via: 1.0 scfwpr01.sc.intel.com:911 (squid/2.5.STABLE12)
X-Forwarded-For: unknown
Cache-Control: max-age=259200
Connection: keep-alive

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



--
Jamie Riden / jamesr@europe.com / jamie.riden@computer.org
"Microsoft: Bringing the world to your desktop - and your desktop to
 the world." -- Peter Gutmann
