Re: [Dailydave] Testing the quickness of signature writers
From: Brian Caswell (bmc at snort.org)
Date: Tue May 02 2006 - 10:24:15 CDT
On May 2, 2006, at 10:39 AM, Dave Aitel wrote:
> That's a bit like getting a hole in one....on the wrong hole. Seeing
> as how I also thought it was April, when it's clearly May, we'll give
> you a half point here for effort.
An attempt to be cute, but failed. If you are a VRT rule subscriber,
you could have got the rule that would detect BABYBOTTLE on April 12th.
http://www.snort.org/rules/advisories/vrt-rules-2006-04-12.html
> Does your script break if I shove a space in between the \x3b and the
> \x26?
No. \x3b and \x26 are URI param delimiters. By putting a space in
the wrong place, either the param will be broken (" module" is not
the same as "module"), or the underlying PHP would not work, which is
OK for us to alert on as well, e.g. "module= foo" (note the space).
> I try to understand snort signatures, but they're essentially
> optimized to be exactly the opposite of what my brain can handle. PCRE
> is here
> http://www.snort.org/docs/snort_manual/
> node21.html#SECTION004510000000000000000
> but maybe I'm not seeing it right.
The pcre rule option is a regular expression, using libpcre, the same
regular expression library that Python (and thus CANVAS) uses.
> "/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U
Let's take a look at the RE in baby steps.
[?\x3b\x26]module
Look for the URI param "module". This would detect:
?module
or
foo=bar;module
or
foo=bar&module
What we have left is handling of the args. "=[a-zA-Z0-9]*[^\x3b\x26]".
What the rest of this says is:
skip alphanumeric characters. Then match if anything other than ;
or & shows up.
So:
=passthru(...)
By using this method, we don't alert on any "normal" modules.
Plugins can use the same interface, and users can write their own
plugins, so we can't just enumerate the acceptable modules. By
writing the rule as above, anything other than alphanumeric text as a
value for the module param will alert.
Brian
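Added example, not part of the thread: a small harness that runs the quoted pcre (with the leading class written as Brian breaks it down, `[?\x3b\x26]`) over constructed decoded URIs, using Python's re module, which backtracks the same way libpcre does for this pattern. Because `[a-zA-Z0-9]*` can give characters back when `[^\x3b\x26]` fails, the quoted pattern also fires on a plain alphanumeric value, so a lookahead variant (an assumption of this example, not a VRT rule) is included for comparison.

```python
import re

# The pcre from the thread. Snort's /U modifier only selects the decoded URI
# buffer, so the regex itself is what the pcre option carries.
QUOTED = re.compile(r"[?\x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]")

# Assumed variant (not from the thread): the negative lookahead forbids
# `[a-zA-Z0-9]*` from stopping short of the alphanumeric run, so the final
# `[^\x3b\x26]` can only match a genuinely non-alphanumeric character.
STRICT = re.compile(
    r"[?\x3b\x26]module=[a-zA-Z0-9]*(?![a-zA-Z0-9])[^\x3b\x26]"
)

# Constructed sample URIs (not captured traffic), mapped to whether a rule
# with the stated intent ("only non-alphanumeric module values") should alert.
SAMPLES = {
    "/index.php?module=news": False,
    "/index.php?module=news&page=2": False,
    "/index.php?foo=bar;module=forum": False,
    "/index.php?module=": False,
    "/index.php?module=passthru(id)": True,
    "/index.php?module= foo": True,          # the space case from the thread
    "/index.php?module=../../etc/passwd": True,
}


def alerts(pattern, uri):
    """True if the pcre would fire on this decoded URI."""
    return pattern.search(uri) is not None


def evaluate(pattern):
    """Map each sample URI to (alerted, expected)."""
    return {uri: (alerts(pattern, uri), want) for uri, want in SAMPLES.items()}


def false_positives(pattern):
    """URIs that alert although their module value is plain alphanumeric."""
    return [uri for uri, (got, want) in evaluate(pattern).items()
            if got and not want]


if __name__ == "__main__":
    for name, pat in (("quoted", QUOTED), ("strict", STRICT)):
        print(name, "false positives:", false_positives(pat))
```

Run as a script it prints three false positives for the quoted pattern and none for the lookahead variant, while both still fire on the passthru, leading-space and traversal samples.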