Snort mailing list archives
Re: FP on 31977?
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Mon, 16 Mar 2015 18:06:56 +0000
Agreed Dave – I don’t suggest changing a rule to make up for a bad application.

Here is another report of a potential fp on this rule
http://sourceforge.net/p/snort/mailman/message/32980285/

If things can be improved so be it – otherwise I’ll just suppress this rule for that site.

-J

From: Dave Killion [mailto:dave.killion () gmail com]
Sent: Monday, March 16, 2015 12:13 PM
To: Weir, Jason; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] FP on 31977?

That is the most horrible web-app I've seen in a long, long time. I wonder how susceptible it is to cross-site scripting... :)

-Dave

On Mon, Mar 16, 2015 at 7:26 AM Weir, Jason <jason.weir () nhrs org<mailto:jason.weir () nhrs org>> wrote:

Getting hits on 31977 via the GET below – I believe they are false.

GET /services/obituaries.ashx?IncludeSidebar=0&Name=Debra Jones Obituary&String=r. Memorial Home, Franklin-Tilton Road, 584 West Main St., in Tilton. Deb's family requests that those wishing, may make contributions in her name to ;(function() { var adKeyValue = 't='; adKeyValue += escape('clio=MAW'); adKeyValue += escape('&cobrand=concordmonitor'); adKeyValue += escape('&linktext=The Make-A-Wish Foundation'); adKeyValue += escape('&linkurl=http://ad.doubleclick.net/ddm/clk/286988598%3B113956851%3Bl'); adKeyValue += escape('&fn=Debra'); adKeyValue += escape('&ln=Jones'); var adClkUrl = 'http://pubads.g.doubleclick.net/gampad/jump?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&' + adKeyValue + '&sz=1x1&c=537810296'; var adImpUrl = 'http://pubads.g.doubleclick.net/gampad/ad?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&' + adKeyValue + '&sz=1x1&c=537810296'; document.write(" The Make-A-Wish Foundation "); }()); The Make-A-Wish Foundation of New Hampshire, 814 Elm St., Suite 300, Manchester, NH 03101. For more information go to smartfuneralhome.com.&location=http://www.legacy.com/obituaries/concordmonitor/obituary.aspx?n=debra-ann-jones-ross&pid=174389739&fhid=13973&randomlabel=ga38770210180839515&published=Sat Mar 14 2015 00:00:00 GMT-0400 (Eastern Daylight Time) HTTP/1.1

Looks like the function() { is what is triggering the rule.

Current rule

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:4;)

Will adding content:!" function() " break things?

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:!" function() "; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:5;)

Jason

------------------------------------------------------------------------------
Dive into the World of Parallel Programming
The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now.
http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
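Added example, not part of the thread and not the Snort engine: a small model of the literal "content" matching that sid:31977 relies on, run against a constructed excerpt of the reported obituary URI, a constructed Shellshock-shaped URI (placeholder instead of a command) and a constructed URI using the other common JavaScript spacing. The model ignores URI normalisation and packet framing; the exclusion literals are the one proposed above and a hypothetical tighter variant chosen here.

```python
# Model of the rule variants discussed in the thread: alert when the positive
# literal is in the URI and no negated literal (content:!"...") is present
# anywhere in the buffer. Not Snort; literal substring matching only.

MARKER = "() {"  # content:"() {"; fast_pattern:only; http_uri  (rev:4)


def rule_fires(http_uri, exclusions=()):
    """Return True when the modelled rule would alert on this URI."""
    if MARKER not in http_uri:
        return False
    # A negated content succeeds only when its literal is absent from the
    # whole buffer, not merely from the bytes next to the positive match.
    return not any(neg in http_uri for neg in exclusions)


# Constructed excerpt of the obituary URI reported above; the inline
# JavaScript "(function() {" is what carries the "() {" bytes.
FP_URI = ("/services/obituaries.ashx?IncludeSidebar=0&Name=Debra Jones Obituary"
          "&String=contributions in her name to ;(function() { var adKeyValue"
          " = 't='; document.write(' The Make-A-Wish Foundation '); }());")

# Constructed Shellshock-shaped URI: the bash function-definition prefix the
# CVE-2014-6271 rule keys on, followed by a placeholder rather than a command.
SHELLSHOCK_URI = "/cgi-bin/status.cgi?x=() { :; }; PLACEHOLDER_COMMAND"

# Constructed URI with the other common JavaScript spacing, "function () {".
SPACED_JS_URI = "/page?cb=(function () { return 1; })()"

PROPOSED = (" function() ",)   # content:!" function() " as proposed (leading space)
TIGHTER = ("function() {",)    # hypothetical: the bytes actually preceding MARKER in FP_URI


def evaluate(uri):
    """Return (rev4_fires, proposed_rev5_fires, tighter_variant_fires)."""
    return (rule_fires(uri), rule_fires(uri, PROPOSED), rule_fires(uri, TIGHTER))


if __name__ == "__main__":
    for name, uri in (("FP_URI", FP_URI), ("SHELLSHOCK_URI", SHELLSHOCK_URI),
                      ("SPACED_JS_URI", SPACED_JS_URI)):
        print(name, evaluate(uri))
```

In this model the proposed literal, with its leading space, never occurs in the reported URI because "function" is preceded by "(", so the rev:5 variant would still alert on it, while neither literal covers the "function () {" spacing; any exclusion should be checked against the exact bytes of the false positive before it is deployed.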
Current thread:
- FP on 31977? Weir, Jason (Mar 16)
- Re: FP on 31977? Dave Killion (Mar 16)
- Re: FP on 31977? Weir, Jason (Mar 16)
- Re: FP on 31977? Dave Killion (Mar 16)