Subject: Re: [Snort-users] CGI Null Byte Attack
From: Joe Stewart (jstewart@lurhq.com)
Date: Mon Nov 20 2000 - 19:25:31 CST
- Next message: Frank Knobbe: "[Snort-users] Snort and FW-1 (was ISS - Cheaper alternatives?)"
- Previous message: Joe McAlerney: "Re: [Snort-users] Can we interpret the ICMP unreachable messages?"
- In reply to: Len Burns: "[Snort-users] CGI Null Byte Attack"
- Next in thread: Vitaly McLain: "Re: [Snort-users] CGI Null Byte Attack"
- Reply: Joe Stewart: "Re: [Snort-users] CGI Null Byte Attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, 20 Nov 2000, you wrote:
> I saw this in ACID under unique alerts, and am having a bit of trouble
> tracking down info about it.
> spp_http_decode: CGI Null Byte attack detected 30 (2%) 1 1 1
> What I am looking for is a way to verify whether this is of concern,
> or if not what might be triggering it. Thanks in advance for any
> pointers.
It's (newly) part of the http preprocessor. Basically, if the http decoding
routine finds a %00 in an http request, it will alert with this message.
Sometimes you may see false positives with sites that use cookies with
URL-encoded binary data, or if you're scanning port 443 and picking up
SSL-encrypted traffic. If you're logging alerted packets you can check the
actual string that caused the alert. Also, the unicode alert is subject to
the same false positives with cookies and SSL. Having the packet dumps is the
only way to tell for sure if you have a real attack on your hands, but this
is true for any content-based alert.
-Joe
--
Joe Stewart
Information Security Analyst
LURHQ Corporation
==========================> jstewart@lurhq.com
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
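Added example, not from the original post and not Snort's http_decode code: a small Python triage helper that approximates the check Joe describes (any percent-encoded %00 in the request fires) and then tells you which field the null byte sits in and whether that field looks like URL-encoded binary, which is the cookie false positive he mentions. It reads raw HTTP/1.x requests; the three sample requests and the 0.3 "mostly binary" threshold are constructed assumptions for illustration, and the SSL-on-port-443 case is not modelled.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample requests (not real captures).
# 1) classic CGI null-byte truncation: the NUL ends the filename so ".html" is ignored
ATTACK = (b"GET /cgi-bin/view.cgi?file=../../../../etc/passwd%00.html HTTP/1.0\r\n"
          b"Host: www.example.com\r\n\r\n")
# 2) false positive: a cookie carrying URL-encoded binary session data that happens to contain 0x00
COOKIE_FP = (b"GET /index.html HTTP/1.0\r\n"
             b"Host: www.example.com\r\n"
             b"Cookie: sess=%8F%00%E3%A7%00%1B%C2%9D%00%F4%02%B7\r\n\r\n")
# 3) nothing to alert on
CLEAN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

# Assumed threshold: above this share of non-printable decoded bytes the field
# is treated as binary data rather than a text value with a stray NUL.
BINARY_THRESHOLD = 0.3


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, [(header-name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else b""
    headers = []
    for line in header_lines:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return method, uri, headers


def null_byte_hits(raw: bytes):
    """Return one record per field containing a percent-encoded NUL.

    The alert condition is the same as the post describes: a %00 anywhere in
    the request. The extra fields are what an analyst needs from the packet
    dump to decide whether it is an attack or URL-encoded binary data.
    """
    _method, uri, headers = split_request(raw)
    fields = [(b"request-uri", uri)] + [(b"header:" + n, v) for n, v in headers]
    hits = []
    for field, value in fields:
        if not re.search(rb"%00", value):
            continue
        decoded = unquote_to_bytes(value)
        # A filename-truncation attack is almost all printable text with one NUL;
        # encoded binary data is mostly bytes outside printable ASCII.
        nonprint = sum(1 for b in decoded if b < 0x20 or b > 0x7E)
        ratio = round(nonprint / max(len(decoded), 1), 2)
        if ratio > BINARY_THRESHOLD:
            verdict = "probable URL-encoded binary data (check the site's cookie format)"
        else:
            verdict = "suspicious: isolated NUL in a text field"
        hits.append({
            "field": field.decode(),
            "decoded": decoded,
            "binary_ratio": ratio,
            "verdict": verdict,
        })
    return hits


if __name__ == "__main__":
    for label, req in (("attack", ATTACK), ("cookie", COOKIE_FP), ("clean", CLEAN)):
        for hit in null_byte_hits(req):
            print(f"{label}: {hit['field']} ratio={hit['binary_ratio']} -> {hit['verdict']}")
```

The point of the `decoded` field is exactly what the post recommends: without the packet payload you only know that a %00 appeared somewhere; with it you can see whether the NUL is the sole oddity in an otherwise readable query string or one byte among many non-printable ones in a cookie.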