Snort mailing list archives

Re: WEB-ATTACKS mail command attempt


From: Erek Adams <erek () snort org>
Date: Fri, 5 Sep 2003 01:04:33 -0400 (EDT)

On Thu, 4 Sep 2003, Ricardo Pires wrote:

[...snip...]

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS
mail command attempt"; flow:to_server,established;
content:"/bin/mail%20";nocase; sid:1367; classtype:web-application-attack;
rev:4;)

instead of this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS
mail command attempt"; flow:to_server,established; content:"mail%20";nocase;
sid:1367; classtype:web-application-attack; rev:4;)

I was looking at the log files and I'm having these false positives. The
packet is pointing to somewhere in the web page that says something like
"send mail to..."
Do you think putting the whole path could prevent this false positive?

What if the attacker used a relative path?  "../../../../../usr/bin/mail "
Or "./mail "?  Or if it was just along the path "mail "?

There's a good and bad side to everything.  :)  You might want to consider
adding an exclude for the servers that are causing the falsies.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
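
Two ways to carve out a specific server from sid 1367 without weakening the rule for everyone else, as an added example that is not from the thread. The host 192.0.2.10 and sid 1000001 are placeholders; syntax is Snort 2.x.

```snort
# --- Option 1: suppression in threshold.conf ---------------------------
# Snort still evaluates sid 1367, but drops the event when the destination
# is the web server whose pages legitimately contain "mail ".
# gen_id 1 = the rules engine; track by_dst so only traffic TO that
# server is silenced, attacks against other $HTTP_SERVERS still fire.
suppress gen_id 1, sig_id 1367, track by_dst, ip 192.0.2.10

# --- Option 2: a pass rule in local.rules -------------------------------
# Same match criteria as sid 1367, but limited to the one noisy server.
# In Snort 2.x of this era pass rules only win over alert rules when
# snort is started with -o (rule order becomes Pass -> Alert -> Log).
pass tcp $EXTERNAL_NET any -> 192.0.2.10 $HTTP_PORTS (msg:"LOCAL pass mail command on known-good host"; flow:to_server,established; content:"mail%20"; nocase; sid:1000001; rev:1;)
```

Suppression (option 1) is usually preferable: it needs no change to rule ordering, and the original alert rule stays intact in the ruleset so it is still reported for every other host.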

