From: Brian Caswell (bmcmitre.org)
Date: Sun Jul 01 2001 - 00:41:19 CDT


    Comments inline for those that wonder how/why I did the signature that
    I did...

    Dragos Ruiu wrote:
    > And since I'm replying to my own mail and thinking out loud, the trailing "/exec"
    > check is wholly redundant and only slows snort down because if you've
    > seen the level tag before, something's no good for sure, so remove that last
    > check to get:
    >
    > alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
    > content:"GET"; regex:"level/*1[6-9]"; nocase; \
    > reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:3;)
    >
    > alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
    > content:"GET"; regex:"level/*[2-9][0-9]"; nocase; \
    > reference:bugtraq,2936; classtype:attempted-admin; sid:1100001; rev:3;)

    A few comments on your signatures:
    - What regex are you using? The regex keyword just triggers the use
    of mSearchREG. This implementation of 'regex' is not true regex. It
    just handles ? and *
    - Not checking the /exec will false positive too often. The speed
    increase may be acceptable for small sites, but those of us with large
    networks need to limit false positives as much as possible.
    - From what I have been told (I haven't tested it though), POST works
    just fine.
    - These are URLs. Use the uricontent if you are using 1.8. 1.7 has
    not had active maintenance for its signatures for quite some time. Use
    1.8 and disable the 'beta' features. (Yes, that is going to be fixed
    soon, but I'm doing this on my free time and my wedding is more
    important)

    I added a signature for this in CVS on Thu Jun 28 21:19:36 2001 UTC.
    (Approx 2 days ago)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Cisco
    IOS HTTP configuration attempt"; uricontent:"/level/";
    uricontent:"/exec/"; flags:A+; classtype:attempted-admin;
    reference:bugtraq,2936; sid:1250; rev:1;)

    -- 
    Brian Caswell
    The MITRE Corporation
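The two detection approaches argued over in this thread, as an added example that is not part of the original post or of Snort itself: a matcher that, as the post says of the 1.x `regex` keyword, understands only `?` and `*` (its exact mSearchREG semantics are an assumption here), beside the two-token `uricontent` logic of sid:1250, both run over constructed request lines.

```python
import re

def glob_match(pattern: str, text: str) -> bool:
    """Match 'pattern' anywhere in 'text' using only '?' (one char) and '*'
    (any run). Everything else, including '[6-9]', is taken literally.
    Assumed to approximate Snort 1.x mSearchREG, which the post says is
    not true regex."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.search(rx, text) is not None

def uri_of(request_line: str) -> str:
    """Pull the URI out of an HTTP request line (method, URI, version)."""
    _method, uri, _version = request_line.split()
    return uri

def uricontent_rule(uri: str, tokens=("/level/", "/exec/")) -> bool:
    """sid:1250 logic: every uricontent token must appear in the URI.
    Passing tokens=("/level/",) reproduces the 'drop /exec' variant."""
    return all(t in uri for t in tokens)

def regex_rule(uri: str) -> bool:
    """Dragos' 'level/*1[6-9]' as a ?/* -only matcher would read it."""
    return glob_match("level/*1[6-9]", uri)

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /level/16/exec/show/config HTTP/1.0",
    "POST /level/99/exec/-/show/config HTTP/1.0",
    "GET /docs/level/16/intro.html HTTP/1.1",   # benign: no /exec/
    "GET /index.html HTTP/1.1",
]

def evaluate(requests=SAMPLE_REQUESTS):
    """Return (request, sid:1250 hit, level-only hit, glob-regex hit)."""
    out = []
    for r in requests:
        uri = uri_of(r)
        out.append((r, uricontent_rule(uri),
                    uricontent_rule(uri, ("/level/",)), regex_rule(uri)))
    return out

if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The third sample shows the false positive Brian warns about: the level-only check fires on a benign documentation URL, while the `/exec/` token keeps sid:1250 quiet. The glob column never fires because `[6-9]` is matched literally.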