RE: [Dailydave] Testing the quickness of signature writers

From: Dave Korn (dave.kornartimi.com)
Date: Tue May 02 2006 - 09:44:36 CDT


On 02 May 2006 15:39, Dave Aitel wrote:
 
> Brian Caswell wrote:

>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP horde help module arbitrary command execution attempt";
>> flow:established,to_server; uricontent:"/services/help/";
>> pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U";
>> classtype:web-application-attack;)

> Does your script break if I shove a space in between the \x3b and the
> \x26? I try to understand snort signatures, but they're essentially
> optimized to be exactly the opposite of what my brain can handle. PCRE
> is here
>
> http://www.snort.org/docs/snort_manual/node21.html#SECTION004510000000000000000
> but maybe I'm not seeing it right.

>> pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U";

  A forward slash, followed by any one char from the set ('?', ';', '&')
followed by the literal text "module=" followed by any number (zero or more)
alphanumerics followed by any char that is neither ';' nor '&'. All matched
against the decoded URI buffer.

  I.e. it's looking at the url-encoded cgi parameters (which always follow a ?
; or &) for one that matches 'module=.....something...' and making sure that
the bit after the equals sign has only alphanums until it meets the delimiter
which identifies the next field.

    cheers,
      DaveK
--
Can't think of a witty .sigline today....
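Added here as a worked example, not code from the thread or from Snort: a Python transcription of the rule's uricontent and pcre tests run over constructed request URIs, showing exactly what the quoted expression does and does not fire on, including how backtracking in `[a-zA-Z0-9]*` lets a plain alphanumeric value satisfy the trailing `[^\x3b\x26]`. `TIGHT_PCRE` is a hypothetical tightened variant included only for comparison.

```python
import re
from urllib.parse import unquote

# The two payload tests transcribed from the quoted Snort rule.
URICONTENT = "/services/help/"
RULE_PCRE = re.compile(r"[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]")

# Hypothetical tightened variant, added here only for comparison: the final
# class also excludes alphanumerics, so backtracking in [a-zA-Z0-9]* can no
# longer hand an ordinary letter to the "anything but ; or &" position.
TIGHT_PCRE = re.compile(r"[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26a-zA-Z0-9]")


def normalize_uri(raw_uri: str) -> str:
    """Rough stand-in for the buffer the /U modifier selects: the URL-decoded
    request URI. (Snort's HTTP preprocessor does more, e.g. directory folding.)"""
    return unquote(raw_uri)


def rule_matches(raw_uri: str, pcre: re.Pattern = RULE_PCRE):
    """Return the text the PCRE matched, or None if the rule would not fire.
    Both the uricontent test and the pcre must hit, as in the rule."""
    uri = normalize_uri(raw_uri)
    if URICONTENT not in uri:
        return None
    m = pcre.search(uri)
    return m.group(0) if m else None


# Constructed sample request URIs (not taken from the thread).
SAMPLES = [
    "/horde/services/help/?module=help",             # plain alphanumeric value
    "/horde/services/help/?module=help&show=index",  # value followed by '&'
    "/horde/services/help/?module=help%3b",          # encoded ';' after the value
    "/horde/services/help/?module=help%20x",         # space inside the value
    "/horde/services/help/?module=",                 # empty value
    "/horde/index.php?module=help",                  # uricontent does not hit
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:48} rule={rule_matches(uri)!r:18} "
              f"tight={rule_matches(uri, TIGHT_PCRE)!r}")
```

With the rule as written, every non-empty `module=` value fires (the engine backtracks one alphanumeric and matches it with `[^\x3b\x26]`), so the alert is effectively "a module parameter is present"; the tightened variant fires only when a non-alphanumeric, non-delimiter character follows the value.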