
| Subject: | Re: [Snort-sigs] Sig 1147 |
|---|---|
| Date: | Wed, 26 Apr 2006 21:56:15 -0400 |
BassPlayer wrote:

> Sorry my mod_security killed my message. Resending.... My point exactly, but instead of not using the rule, which seems to be the default response when I ask about a rule, why not make it better so it traps only on the actual exploit.

The exploit referenced is but one of a class of command injections. It really serves to provide information that someone is poking around playing with command injection. Hopefully it gives you a chance to respond before they find a real command injection.

> With my modded guardian script I can ignore individual sids, but then I still see the alerts in my BASE console and they still take up log and DB space.

Any updates made to the rule would eliminate many other potential exploitation vectors. This is not the only cgi to have ever been vulnerable, nor is maintaining a list of every cgi a practical thing to do. The %20 is even a compromise, as some scripts are invoked by shells that still allow the use of IFS in insecure ways. Other scripts will replace specific chars with a space in a misguided attempt to make them safe, so the exploit string becomes something like `;cat#/path/to/file`. The rule is about as close as you can get to actual detection of the class of vulnerabilities in a generic sense without being overly loose in its application. For these classes of vulnerabilities there is little that can be done to ensure perfect coverage short of writing a rule for every exploit opportunity. There are other rules that are very similar in applicability, such as ones that look for id, rm... but you would have to look for every potential command that can be executed in every potential way to detect the class of vulnerabilities all the time, every time. If you are confident that every cgi on your server is free of command injection, then turn it off. If you are not, then leave it on and use pass rules to handle _your_ _known_ false positive cases. Only under rare circumstances would it ever make sense to automatically block on a rule such as this. Regardless of what you do, any change to the rule will have an effect on its effectiveness in one direction or the other, favoring false positives or negatives.

> I guess I should have been more concise and asked if there was a way to get the rule updated. What is the process for doing that?

There are several ways to ask for a change. One such way is exactly what you have done: open a discussion on list. We monitor the lists and are always looking for feedback and suggestions, and it is great to see new people getting involved and asking questions, often with great suggestions resulting from the discussion. Other ways to ask for a change are:

- Send an email to snort-team@sourcefire.com
- Submit a new rule as a suggested replacement to the appropriate rules category @ http://www.snort.org/reg-bin/rulesubmit.cgi
- Catch us on freenode in #snort
> It would also be helpful if someone could tell me if the rule syntax would actually work.
>
> Thanks
> BP
>
> BassPlayer wrote:
>
>> Jamie Riden wrote:
>>
>>> Hi BP,
>>>
>>> There are lots of other circumstances in which you don't want a 'cat' command, e.g. with the awstats exploit, people will use cat/echo/id to test if a script is vulnerable. Something like this:
>>>
>>> `GET /cgi-bin/?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%3a%etc%3apasswd%20e_exp%3b%2500 HTTP/1.1`
>>>
>>> However, the cat%20 rule does tend to generate a lot of false positives - for example at the vet department of the university I used to work at :) I wouldn't recommend blocking using it.
>>>
>>> cheers,
>>> Jamie
>>>
>>> On 26/04/06, BassPlayer <bassplayer@angmar.com> wrote:
>>>
>>>> After checking the actual exploit here http://www.securityfocus.com/bid/374/exploit wouldn't it be better to do
>>>>
>>>> ```
>>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cat%20 access"; flow:to_server,established; pcre:"/webdist.cgi.+cat%20/i"; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)
>>>> ```
>>>>
>>>> Please excuse my n00bness in rules writing.
>>>>
>>>> BP
>>>>
>>>> BassPlayer wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Can this rule be tightened up a bit?
>>>>>
>>>>> ```
>>>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cat%20 access"; flow:to_server,established; content:"cat%20"; nocase; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)
>>>>> ```
>>>>>
>>>>> It's triggering on the following request, which is my wife streaming music. She wasn't too happy when my modified guardian script autoblocked her :D
>>>>>
>>>>> BP
>>>>>
>>>>> ```
>>>>> Generated by BASE v1.2.2 (cindy) on Tue, 25 Apr 2006 15:18:24 -0700
>>>>> ------------------------------------------------------------------------------
>>>>> #(1 - 113755) [2006-04-25 07:35:06] [cve/1999-0039] [icat/1999-0039] [bugtraq/374] [local/1147] [snort/1147] WEB-MISC cat%20 access
>>>>> IPv4: 143.183.121.1 -> 209.237.15.226
>>>>>       hlen=5 TOS=0 dlen=517 ID=43136 flags=0 offset=0 TTL=47 chksum=46826
>>>>> TCP:  port=56372 -> dport: 80 flags=***AP*** seq=2968053703
>>>>>       ack=1992497194 off=8 res=0 win=5840 urp=0 chksum=57923
>>>>> Options:
>>>>>  #1 - NOP len=0
>>>>>  #2 - NOP len=0
>>>>>  #3 - TS len=8 data=A0754FBD005A583E
>>>>> Payload:
>>>>> GET /private_music_archive/play/index.php?song=2538&uid=usersid=sid&ds=32&name=/The%20Pussycat%20Dolls%20-%20Bite%20the%20Dust.mp3 HTTP/1.0
>>>>> Accept: */*
>>>>> User-Agent: Windows-Media-Player/10.00.00.3990
>>>>> Host: www.angmar.com
>>>>> Cookie: amp_longsess=1; POSTNUKESID=mumble
>>>>> Via: 1.0 scfwpr01.sc.intel.com:911 (squid/2.5.STABLE12)
>>>>> X-Forwarded-For: unknown
>>>>> Cache-Control: max-age=259200
>>>>> Connection: keep-alive
>>>>> ```
>>>
>>> --
>>> Jamie Riden / jamesr@europe.com / jamie.riden@computer.org
>>> "Microsoft: Bringing the world to your desktop - and your desktop to the world." -- Peter Gutmann
--
Jason Brvenik - Sourcefire
PGP: 89C6 DE77 3B32 FC03 A5AE B5DD 11DF 4C8B 0D8E 3383
Key: http://cerberus.sourcefire.com/~jbrvenik/jason.brvenik.pgp.key

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
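The trade-off Jason describes, worked through as an added example that is not part of the thread or of Snort itself: it models sid 1147's `content:"cat%20"; nocase` match, BassPlayer's proposed `pcre:"/webdist.cgi.+cat%20/i"` tightening, and Jason's "generic rule plus pass rules for your known false positives" approach, and runs all three over request-URIs taken from the thread. The `webdist_style` and `hash_variant` URIs and the `PASS_RULES` pattern are constructed assumptions, and the simulation matches only the request-URI rather than the full normalized HTTP payload Snort inspects.

```python
import re

# Sample request-URIs. The first two are from the thread; the last two are
# constructed to show the webdist case and the ";cat#" variant Jason mentions.
SAMPLES = [
    ("wife_streaming",
     "/private_music_archive/play/index.php?song=2538&uid=usersid=sid&ds=32"
     "&name=/The%20Pussycat%20Dolls%20-%20Bite%20the%20Dust.mp3"),
    ("awstats_probe",
     "/cgi-bin/?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%3a%etc%3apasswd"
     "%20e_exp%3b%2500"),
    ("webdist_style", "/cgi-bin/webdist.cgi?distloc=;cat%20/path/to/file"),
    ("hash_variant", "/cgi-bin/other.cgi?arg=;cat#/path/to/file"),
]


def original_rule(uri: str) -> bool:
    """sid 1147 as shipped: content:"cat%20"; nocase -> case-insensitive substring."""
    return "cat%20" in uri.lower()


# BassPlayer's proposed tightening, modelled with the same regex and /i flag.
PROPOSED = re.compile(r"webdist.cgi.+cat%20", re.IGNORECASE)


def proposed_rule(uri: str) -> bool:
    return PROPOSED.search(uri) is not None


# Jason's advice: keep the generic rule and suppress _your_ _known_ false
# positives. A Snort pass rule for the music archive is modelled as a regex
# that short-circuits the alert (assumed pattern, specific to this server).
PASS_RULES = [re.compile(r"^/private_music_archive/")]


def generic_with_pass(uri: str) -> bool:
    if any(p.search(uri) for p in PASS_RULES):
        return False  # known false positive: passed, never alerted on
    return original_rule(uri)


def evaluate() -> dict:
    """Map each sample label to (original, proposed, generic_with_pass) verdicts."""
    return {label: (original_rule(u), proposed_rule(u), generic_with_pass(u))
            for label, u in SAMPLES}


if __name__ == "__main__":
    for label, verdicts in evaluate().items():
        print(f"{label:15} original={verdicts[0]} proposed={verdicts[1]} with_pass={verdicts[2]}")
```

The proposed rule silences the music stream but also drops the awstats-style probe, while the pass rule silences only the known case; neither form sees the `;cat#` variant, which is the coverage gap Jason warns about.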