Dailydave mailing list archives
Re: Testing the quickness of signature writers
From: Brian Caswell <bmc () snort org>
Date: Tue, 2 May 2006 11:24:15 -0400
On May 2, 2006, at 10:39 AM, Dave Aitel wrote:
> That's a bit like getting a hole in one... on the wrong hole. Seeing as how I also thought it was April, when it's clearly May, we'll give you a half point here for effort.
An attempt to be cute, but it failed. If you are a VRT rule subscriber, you could have got the rule that would detect BABYBOTTLE on April 12th.
http://www.snort.org/rules/advisories/vrt-rules-2006-04-12.html
> Does your script break if I shove a space in between the \x3b and the \x26?
No. \x3b and \x26 are URI param delimiters. By putting a space in the wrong place, either the param will be broken (" module" is not the same as "module"), or the underlying PHP would not work, which is OK for us to alert on as well, e.g. "module= foo" (note the space).
> I try to understand snort signatures, but they're essentially optimized to be exactly the opposite of what my brain can handle. PCRE is here http://www.snort.org/docs/snort_manual/node21.html#SECTION004510000000000000000 but maybe I'm not seeing it right.
The pcre rule option is a regular expression, using libpcre, the same regular expression library that Python (and thus CANVAS) uses.
pcre:"/[\?\x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U";
Let's take a look at the RE in baby steps. [?\x3b\x26]module looks for the URI param "module". This would detect: ?module or foo=bar;module or foo=bar&module. What we have left is the handling of the args: "=[a-zA-Z0-9]*[^\x3b\x26]". What the rest of this says is: skip alphanumeric characters, then match if anything other than ; or & shows up.
So: =passthru(...) By using this method, we don't alert on any "normal" modules. Plugins can use the same interface, and users can write their own plugins, so we can't just enumerate the acceptable modules. By writing the rule as above, anything other than alphanumeric text as a value for the module param will alert.
Brian
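As an added example that is not part of the thread, the following Python runs the posted pcre over a handful of constructed URIs (the request line as Snort would see it in the URI buffer, so the /U modifier is simply dropped). Python's re engine backtracks the same way libpcre does for this pattern, so it is a fair stand-in. The second pattern, TIGHTENED, is my own assumption and not the VRT rule: it adds alphanumerics to the trailing negated class, which is what the "skip alphanumerics, then alert on anything that is not ; or &" description asks for, and the sample run shows why that matters: with the tail as posted, the greedy [a-zA-Z0-9]* can give back one letter so that [^;&] matches it, and a plain "?module=News" fires too.

```python
import re

# The pcre as posted, with Snort's \x3b (;) and \x26 (&) escapes kept verbatim.
# Snort's /U modifier selects the normalized URI buffer; here the pattern is
# simply run over URI strings.
POSTED = re.compile(r"[\?\x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]")

# Tightened tail (my own assumption, not the VRT rule): excluding alphanumerics
# from the final class stops the greedy [a-zA-Z0-9]* from handing back one
# letter for [^;&] to match on a purely alphanumeric module value.
TIGHTENED = re.compile(r"[\?\x3b\x26]module=[a-zA-Z0-9]*[^a-zA-Z0-9\x3b\x26]")


def alerts(pattern, uri):
    """True if the pcre would fire on this (already URI-decoded) request line."""
    return pattern.search(uri) is not None


def evaluate(uris, pattern):
    """Map each URI to whether the given pattern alerts on it."""
    return {uri: alerts(pattern, uri) for uri in uris}


# Constructed sample URIs; the comments give the intent behind each one.
SAMPLES = [
    "/index.php?module=News",              # benign module name after ?
    "/index.php?foo=bar&module=Search",    # benign, & as delimiter
    "/index.php?foo=bar;module=Search",    # benign, ; as delimiter
    "/index.php?module=passthru(id)",      # function call as the value
    "/index.php?module= News",             # space after =, the thread's question
    "/index.php?module=../../etc/passwd",  # path characters in the value
    "/index.php?modules=News",             # different param name, must not fire
]

if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("tightened", TIGHTENED)):
        print(name)
        for uri, hit in evaluate(SAMPLES, pat).items():
            print(f"  {'ALERT' if hit else '  ok '}  {uri}")
```

Run as-is, the posted pattern alerts on six of the seven samples (everything except the mismatched "modules=" name), while the tightened tail alerts only on the three non-alphanumeric values: the passthru call, the value with a leading space, and the path. The space case is the one the thread asks about; it fires under both patterns because a space is neither alphanumeric nor a delimiter.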