Snort mailing list archives
Re: Fwd: Re: Cisco HTTP Admin IOS attack signature
From: Brian Caswell <bmc () mitre org>
Date: Sun, 01 Jul 2001 01:41:19 -0400
Comments inline for those that wonder how/why I did the signature that I did... Dragos Ruiu wrote:
> And since I'm replying to my own mail and thinking out loud, the trailing "/exec" check is wholly redundant and only slows snort down, because if you've seen the level tag before, something's no good for sure, so remove that last check to get:
>
>   alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
>     content:"GET"; regex:"level/*1[6-9]"; nocase; \
>     reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:3;)
>
>   alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
>     content:"GET"; regex:"level/*[2-9][0-9]"; nocase; \
>     reference:bugtraq,2936; classtype:attempted-admin; sid:1100001; rev:3;)
A few comments on your signatures:

- What regex are you using? The regex keyword just triggers the use of mSearchREG. This implementation of 'regex' is not true regex; it just handles ? and *.
- Not checking the /exec will false positive too often. The speed increase may be acceptable for small sites, but those of us on large networks need to limit false positives as much as possible.
- From what I have been told (I haven't tested it though), POST works just fine.
- These are URLs. Use uricontent if you are using 1.8. 1.7 has not had active maintenance for its signatures for quite some time. Use 1.8 and disable the 'beta' features. (Yes, that is going to be fixed soon, but I'm doing this on my free time and my wedding is more important.)

I added a signature for this in CVS on Thu Jun 28 21:19:36 2001 UTC. (Approx 2 days ago)

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/"; uricontent:"/exec/"; flags:A+; classtype:attempted-admin; reference:bugtraq,2936; sid:1250; rev:1;)

--
Brian Caswell
The MITRE Corporation
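As an added illustration (not code from the thread or from Snort), the two detection approaches discussed above are run over constructed HTTP request lines in Python: the level-number-only match Dragos proposed, and the "/level/" plus "/exec/" uricontent pair Brian committed as sid:1250. The function names, the sample requests, and the use of Python's re module in place of Snort 1.7's ?/* wildcard matcher are assumptions of this example.

```python
import re

# Constructed sample HTTP request lines for the demo; not taken from the thread.
SAMPLE_REQUESTS = [
    "GET /level/16/exec/show/config HTTP/1.0",            # privilege-level bypass form
    "POST /level/99/exec/show/running-config HTTP/1.0",   # same URI shape, sent via POST
    "GET /level/15/exec/show/version HTTP/1.0",           # level 15 is normal authenticated use
    "GET /docs/level/20/overview.html HTTP/1.0",          # 'level/20' present but no /exec/
    "GET /index.html HTTP/1.0",                           # unrelated traffic
]


def parse_request_line(line):
    """Split 'METHOD URI VERSION' into (method, uri); (None, None) if malformed."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None, None
    return parts[0], parts[1]


def level_only_rule(method, uri):
    """Intent of Dragos' sid:1100000/1100001: a GET whose URI has 'level/' followed by 16..99.

    Snort 1.7's regex keyword only understands ? and *; a Python regex stands in for the
    intended match so that the cost of dropping the /exec check is visible on sample data.
    """
    if method != "GET":  # content:"GET" means a POST carrying the same URI is never seen
        return False
    return re.search(r"level/.*?(1[6-9]|[2-9][0-9])", uri, re.IGNORECASE) is not None


def cisco_ios_http_config_attempt(method, uri):
    """Brian's sid:1250: both '/level/' and '/exec/' must appear in the URI, any method."""
    return "/level/" in uri and "/exec/" in uri


def alerting_requests(rule):
    """Return the lines from SAMPLE_REQUESTS that the given rule would alert on."""
    hits = []
    for line in SAMPLE_REQUESTS:
        method, uri = parse_request_line(line)
        if method is not None and rule(method, uri):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("level-only rule:", alerting_requests(level_only_rule))
    print("sid:1250 rule:  ", alerting_requests(cisco_ios_http_config_attempt))
```

On this data the level-only rule misses the POST and fires on the documentation URL, while the sid:1250 pair catches both exec requests and skips the /docs/ URL; note that sid:1250 also fires on a level-15 exec request, since the rule treats any IOS HTTP exec URI as an attempt.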