Network Security Snort-Signatures

Re: [Snort-sigs] Sig 1147

Subject: Re: [Snort-sigs] Sig 1147
Date: Wed, 26 Apr 2006 08:23:30 +0200
maybe another way to reduce events:
 alert tcp ...(msg:"WEB-MISC cat%20 access"; flow:to_server,established;
content:"cat%20"; nocase; pcre:!"/[a-zA-Z]cat%20/Ui"; ref...)
Regards
Rmkml


Selon BassPlayer <bassplayer@angmar.com>:

Thanks so much for a very concise explanation. Yea I missed escaping the
dot and the parens were in the example. doh!

In regards to the multiple ways to list a file, could you use the | regexp
operator to define multiple options and use \s+ for all white space?

Like

pcre:"/webdist\.cgi.+cat|awk|sed|head|tail\s+/";

In perl I'd do something like

use strict;
use warnings;

my @bin = ('cat','awk','sed','head','tail');
foreach (@bin) {
    # "?" needs no backslash inside a double-quoted string (perl -w warns about "\?")
    my $url = "webdist.cgi?distloc=;$_ ";
    print "Testing url \"$url\"\n";
    # The alternation has to be grouped: without (?:...) the "|" splits the whole
    # pattern, so a bare "awk" anywhere in the URL would satisfy the match.
    if ($url =~ /webdist\.cgi.+(?:cat|awk|sed|head|tail)\s+/) {
        print "matched $_\n";
    }
}
That would give me the output

$ perl -w test.pl
Testing url "webdist.cgi?distloc=;cat "
matched cat
Testing url "webdist.cgi?distloc=;awk "
matched awk
Testing url "webdist.cgi?distloc=;sed "
matched sed
Testing url "webdist.cgi?distloc=;head "
matched head
Testing url "webdist.cgi?distloc=;tail "
matched tail

Just curious.

I really don't insist on using the rule; I would like to have the rules I
auto download using oinkmaster work. I'll look more into how I can ignore
downloading specific rules with OM so once I know a rule is bogus it will
never get active in my setup.

Again thanks for your explanation

BP

nnposter@users.sourceforge.net wrote:
BassPlayer wrote:
Sorry my mod_security killed my message. Resending....
My point exactly but instead of not using the rule, which seems to be the
default response when I ask about a rule, why not make it better so it
traps only on the actual exploit.
With my modded guardian script I can ignore individual sids but then I
still see the alerts in my BASE console and they still take up log and DB
space.
I guess I should have been more concise and asked if there was a way to
get the rule updated. What is the process for doing that?

It would also be helpful if someone could tell me if the rule syntax
would actually work.

If you mean whether the syntax is correct then the answer is yes,
excluding the parentheses surrounding pcre. However there are quite
a few issues with the rule:

* The new pcre clause should use "\." for the dot before "cgi".

* This is a Unix vulnerability so the "/i" modifier is likely not
  needed. (So is the original nocase clause.)

* The new pcre clause is vulnerable to encoding evasions; use the
  "/U" modifier. (So is the original content clause.)

* The new pcre clause can be evaded by using other legitimate shell
  whitespace, such as tabs. (So does the original content clause.)

* There are other ways to dump a file's content (grep, sed, awk,
  head, tail, you-name-it).

* The modified rule is missing a content or uricontent clause,
  which is making the rule expensive.

If you really, really insist on this rule even though the vulnerability
is so old, you should do something like:

    flow:to_server,established;
    uricontent:"webdist.cgi";
    pcre:"/webdist\.cgi.+\bcat[ \t]/U";

If you want to hunt for "cat" in general then use it in the uricontent
clause although it is too short/common to be really effective:

    flow:to_server,established;
    uricontent:"cat";
    pcre:"/\bcat[ \t]/U";

Cheers,
nnposter


Thanks
BP


BassPlayer wrote:

Jamie Riden wrote:
Hi BP,

There are lots of other circumstances in which you don't want a 'cat'
command, e.g. with the awstats exploit, people will use cat/echo/id to
test if a script is vulnerable. Something like this:

GET /cgi-bin/?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%3a%etc%3apasswd%20e_exp%3b%2500 HTTP/1.1"

However, the cat%20 rule does tend to generate a lot of false
positives - for example at the vet department of the university I used
to work at :) I wouldn't recommend blocking using it.

cheers,
 Jamie

On 26/04/06, BassPlayer <bassplayer@angmar.com> wrote:
After checking the actual exploit here

http://www.securityfocus.com/bid/374/exploit

Wouldn't it be better to do

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cat%20 access";
flow:to_server,established; (pcre:"/webdist.cgi.+cat%20/i";) nocase;
reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)

Please excuse my n00bness in rules writing.

BP

BassPlayer wrote:
Hi,
Can this rule be tightened up a bit?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cat%20 access";
flow:to_server,established; content:"cat%20"; nocase;
reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)

It's triggering on the following request which is my wife streaming music.
She wasn't too happy when my modified guardian script autoblocked her :D.
BP

Generated by BASE v1.2.2 (cindy) on Tue, 25 Apr 2006 15:18:24 -0700


------------------------------------------------------------------------------
#(1 - 113755) [2006-04-25 07:35:06] [cve/1999-0039]
[icat/1999-0039]
[bugtraq/374]
[local/1147] [snort/1147]  WEB-MISC cat%20 access
IPv4: 143.183.121.1 -> 209.237.15.226
      hlen=5 TOS=0 dlen=517 ID=43136 flags=0 offset=0 TTL=47
chksum=46826
TCP:  port=56372 -> dport: 80  flags=***AP*** seq=2968053703
      ack=1992497194 off=8 res=0 win=5840 urp=0 chksum=57923
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=8 data=A0754FBD005A583E
Payload: GET /private_music_archive/play/index.php?song=2538&uid=usersid=sid&ds=32&name=/The%20Pussycat%20Dolls%20-%20Bite%20the%20Dust.mp3 HTTP/1.0
Accept: */*
User-Agent: Windows-Media-Player/10.00.00.3990
Host: www.angmar.com
Cookie: amp_longsess=1; POSTNUKESID=mumble
Via: 1.0 scfwpr01.sc.intel.com:911 (squid/2.5.STABLE12)
X-Forwarded-For: unknown
Cache-Control: max-age=259200
Connection: keep-alive




-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services,
security?
Get stuff done quickly with pre-integrated technology to make your
job
easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache
Geronimo

http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



--
Jamie Riden / jamesr@europe.com / jamie.riden@computer.org
"Microsoft: Bringing the world to your desktop - and your desktop to
 the world." -- Peter Gutmann















