Hi list,
The rule "ATTACK-RESPONSES id check returned userid" will generate false
negatives. The complete rule is:
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check
returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,dec,string;
content:" gid="; within:15; byte_test:5,<,65537,0,relative,dec,string;
classtype:bad-unknown; sid:1882; rev:12;)
Same examples:
uid=0(root) gid=0(root) groups=0(root) -> works
uid=1001(cees) gid=1001(cees) groups=1001(cees) -> works
uid=33(www-data) gid=33(www-data) groups=33(www-data) -> false negative
The false negative is caused by the within argument. "uid=" and " gid=" are
separated by a total of 17 characters.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
<------------->
15
<--------------->
17
The current within setting will cause the rule to fail for every user where
the combined length of the uid and username is greater then 9. Suggested
solution is to increase the within setting to approx 25/30.
Any thoughts?
Cheers, Cees
(BTW in it's default configuration this rule is currently disabled. Most
likely because of the high probability of false positives from admins.)
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
