On 26/04/06, nnposter@users.sourceforge.net
<nnposter@users.sourceforge.net> wrote:
<snip>
If you really, really insist on this rule even though the vulnerability
is so old you should do something like:
(The given vulnerability is old, but the 'cat%20' payload could easily
occur in exploits for recent PHP command injection problems )
flow:to_server,established;
uricontent:"webdist.cgi";
pcre:"/webdist\.cgi.+\bcat[ \t]/U";
<snip>
Cheers,
nnposter
The cat%20 rule was causing me too many false positives (including
this message I expect :). Instead of turning it off, what about
combining as follows:
alert tcp any any -> any any (msg:"WEB-ATTACKS web command attempt";
flow:to_server,established; uricontent:"\.php?";
pcre:"/\b(wget|curl|cc|chgrp|kill|chown\
|echo|rm|lsof|ls|perl|ping|netcat|cat|nc|nmap|gcc|g\+\+|traceroute|ftp|tftp)[
\t]/U"; classtype:web-application-activity; sid:2123156; rev:1;)
Any problems with this? Hopefully it should catch people trying to
exploit the vulnerable PHP script du jour. ( Every time a new remote
include, or command injection problem comes out (e.g. Horde issue last
week), someone sees if they can 'wget' their favourite rootkit.)
Is it more efficient to create more rules with uricontent:"\.pl" ,
"\.cgi" , or is it better to match both, and .cgi in the pcre as well?
cheers,
Jamie
--
Jamie Riden / jamesr@europe.com / jamie.riden@computer.org
"Microsoft: Bringing the world to your desktop - and your desktop to
the world." -- Peter Gutmann
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
