From: Fyodor (fygravetigerteam.net)
Date: Mon Mar 26 2001 - 14:22:52 CST

    On Mon, Mar 26, 2001 at 11:50:24AM -0700, Ryan Russell wrote:
    > So, I'm looking at some of the rules on the snort.org site, and there are
    > several like this under the WEB-MISC category:
    >
    > alert tcp $EXTERNAL_NET 80 -> $HTTP_SERVERS any (msg:"WEB-MISC telnet
    > attempt";flags: A+; content:"telnet.exe"; nocase;)
    >
    > My question has to do with the port numbers. If I'm reading this right,
    > the rule is looking for packets from outside, from TCP port 80, to your
    > web servers, on any port. By my thinking, this implies your web servers
    > acting as web clients to outside machines. And, it's looking for
    > telnet.exe in the content, implying that your web server has downloaded a
    > page with that in it. I'm not even sure what exploit this would be for...
    > any client-side holes I would expect to use telnet:// instead.
    >
    > If the any and 80 were reversed, it would make sense to me... it would be
    > watching for an attempt to call telnet.exe on your web server.
    >
    > What am I misunderstanding?

    Unless the port number is misplaced (e.g. the right way to have this rule would
    be 'alert tcp $EXTERNAL any -> $HTTP_SERVERS 80 (..)'), the purpose of this rule
    is not clear to me either. IMHO there are possibilities that someone from outside
    may want to exec reverse telnet on your webserver and pipe something to it, but...

    Hmm.. a few things which I could think of are:

    * your firewall is misconfigured and allows port 80 connections in both
    directions; you may want to see if anyone from outside will use port 80 as
    source and attempt to connect to your webserver (why only webserver then?:))
    and launch reverse telnet or something.. still kinda dodgy model, cuz you
    probably would want to fix your firewall first in this case. :)

    * someone will use your http server to bounce requests to some other server where
    he would be able to exec telnet.exe (and the binary name will be in HTTP headers),
    and you want to see it as well, but it sounds kinda far-fetched to me, I don't remember
    any real-world vulnerabilities matching this pattern. :)

    if it helps.. :)

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
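As an added illustration (not code from the thread or from Snort), the following Python matcher applies the published header (`$EXTERNAL_NET 80 -> $HTTP_SERVERS any`) and the header Ryan expected (`$EXTERNAL_NET any -> $HTTP_SERVERS 80`) to two constructed packets, showing that the published rule only fires when the web server is the client. The variable bindings, the packets and the small subset of rule syntax handled (header, `content`, `nocase`) are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed variable bindings standing in for a snort.conf (assumption).
VARS = {"$HOME_NET": "192.0.2.0/24", "$HTTP_SERVERS": "$HOME_NET",
        "$EXTERNAL_NET": "!$HOME_NET"}
HEADER = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split a (possibly line-wrapped) rule into header fields + content/nocase."""
    m = HEADER.match(" ".join(text.split()))
    if not m:
        raise ValueError("unrecognised rule header")
    _action, proto, src, sport, direction, dst, dport, opts = m.groups()
    content = re.search(r'content:\s*"([^"]*)"', opts)
    return {"proto": proto, "src": src, "sport": sport, "direction": direction,
            "dst": dst, "dport": dport, "nocase": "nocase" in opts,
            "content": content.group(1) if content else None}

def _addr_match(spec, addr):
    negate = False
    while spec.startswith("!"):            # '!' inverts a variable or CIDR
        negate, spec = not negate, spec[1:]
    if spec in VARS:                       # resolve $VAR recursively
        return _addr_match(VARS[spec], addr) != negate
    return (spec == "any" or ip_address(addr) in ip_network(spec)) != negate

def _port_match(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    """Header check first (both ways for '<>'), then the content search."""
    def header(s, sp, d, dp):
        return (_addr_match(rule["src"], s) and _port_match(rule["sport"], sp)
                and _addr_match(rule["dst"], d) and _port_match(rule["dport"], dp))
    ok = header(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["direction"] == "<>":
        ok = ok or header(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not ok or rule["content"] is None:
        return ok
    hay, needle = pkt["payload"], rule["content"].encode()
    if rule["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

# Constructed packets: a client request TO the web server on port 80, and a
# response the web server RECEIVES when it fetches a page from an outside host.
REQUEST = {"src": "198.51.100.7", "sport": 40123, "dst": "192.0.2.10", "dport": 80,
           "payload": b"GET /cgi-bin/test?cmd=TELNET.EXE HTTP/1.0\r\n\r\n"}
RESPONSE = {"src": "203.0.113.5", "sport": 80, "dst": "192.0.2.10", "dport": 51000,
            "payload": b"HTTP/1.0 200 OK\r\n\r\n<a href=\"telnet.exe\">x</a>"}
AS_PUBLISHED = 'alert tcp $EXTERNAL_NET 80 -> $HTTP_SERVERS any (msg:"WEB-MISC telnet attempt"; flags: A+; content:"telnet.exe"; nocase;)'
AS_EXPECTED = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC telnet attempt"; flags: A+; content:"telnet.exe"; nocase;)'

def fires(rule_text, pkt):
    return matches(parse_rule(rule_text), pkt)
```

Running `fires()` over the four combinations shows the published header alerting on the outbound-fetch response and ignoring the inbound request, and the swapped header doing the reverse.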