Snort mailing list archives

Re: Fwd: Re: Cisco HTTP Admin IOS attack signature


From: Brian Caswell <bmc () mitre org>
Date: Sun, 01 Jul 2001 01:41:19 -0400

Comments inline for those that wonder how/why I did the signature that
I did...

Dragos Ruiu wrote:
And since I'm replying to my own mail and thinking out loud, the trailing "/exec"
check is wholly redundant and only slows snort down, because if you've
seen the level tag before, something's no good for sure, so remove that last
check to get:

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
  content:"GET"; regex:"level/*1[6-9]";  nocase; \
  reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:3;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
  content:"GET"; regex:"level/*[2-9][0-9]"; nocase; \
  reference:bugtraq,2936; classtype:attempted-admin; sid:1100001; rev:3;)

A few comments from your signatures:
- What regex are you using?  The regex keyword just triggers the use
of mSearchREG.  This implementation of 'regex' is not true regex; it
just handles ? and *.
- Not checking the /exec will false positive too often.  The speed
increase may be acceptable for small sites, but those of us on large
networks need to limit false positives as much as possible.
- From what I have been told (I haven't tested it though), POST works
just fine.
- These are URLs.  Use uricontent if you are using 1.8.  1.7 has
not had active maintenance for its signatures for quite some time.  Use
1.8 and disable the 'beta' features. (Yes, that is going to be fixed
soon, but I'm doing this in my free time and my wedding is more
important.)

I added a signature for this in CVS on Thu Jun 28 21:19:36 2001 UTC. 
(Approx 2 days ago)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; \
  uricontent:"/level/"; uricontent:"/exec/"; flags:A+; classtype:attempted-admin; \
  reference:bugtraq,2936; sid:1250; rev:1;)

-- 
Brian Caswell
The MITRE Corporation

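The three rules in this thread, replayed over a handful of constructed request lines, as an added example that is not part of the original post and not Snort code. The harness models Brian's point about mSearchREG by treating only ? and * as special and every other character of the pattern as literal (an assumption drawn from his remark), and, for contrast, also runs Dragos's patterns as true regular expressions. It assumes that nocase applies to the regex option as well as to the "GET" content, and that a rule matches a request if its pattern appears anywhere in the request line; the sample requests, levels and paths are constructed for illustration, not captured traffic.

```python
"""
Added example: replay the detection logic of the rules in this thread
over constructed HTTP request lines.  Not code from the original post
or from Snort; the mSearchREG model is an assumption based on the remark
that Snort 1.x 'regex' only handles ? and *.
"""
import re

# Constructed sample request lines (not captured traffic).
SAMPLES = {
    "attack_get_17": "GET /level/17/exec/show/version HTTP/1.0",
    "attack_post_42": "POST /level/42/exec/show/running-config HTTP/1.0",
    "level_15_same_shape": "GET /level/15/exec/show/version HTTP/1.0",
    "benign_level_no_exec": "GET /docs/level/25/index.html HTTP/1.0",
    "benign_plain": "GET /index.html HTTP/1.0",
}

# Dragos's two regex options (sids 1100000 and 1100001 above).
DRAGOS_PATTERNS = ("level/*1[6-9]", "level/*[2-9][0-9]")


def uri_of(request_line):
    """Return the request-URI (second token) of an HTTP request line,
    which is what uricontent inspects; '' if the line is malformed."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def snort_glob_to_re(pattern):
    """Model of Snort 1.x 'regex' (mSearchREG): '*' matches any run of
    characters, '?' matches one character, and (assumption) anything
    else, including '[' and ']', is a literal."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE)


def rule_dragos(request_line, true_regex=False):
    """Dragos's rules: content:"GET" (nocase) plus one of the regex
    options.  With true_regex=False the pattern is matched the way
    mSearchREG would; with True it is a real regular expression."""
    if "get" not in request_line.lower():
        return False
    for pat in DRAGOS_PATTERNS:
        rx = re.compile(pat, re.IGNORECASE) if true_regex else snort_glob_to_re(pat)
        if rx.search(request_line):
            return True
    return False


def rule_brian(request_line):
    """Brian's sid 1250: uricontent:"/level/" and uricontent:"/exec/".
    Case-sensitive (no nocase) and independent of the request method."""
    uri = uri_of(request_line)
    return "/level/" in uri and "/exec/" in uri


def evaluate(samples=SAMPLES):
    """Run all three interpretations over the samples; returns a dict of
    sample name -> {rule name: fired?}."""
    return {
        name: {
            "dragos_glob": rule_dragos(line),
            "dragos_regex": rule_dragos(line, true_regex=True),
            "brian_1250": rule_brian(line),
        }
        for name, line in samples.items()
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:22s} {fired}")
```

Under the mSearchREG model neither of Dragos's patterns ever fires, because "[6-9]" is taken literally. Run as a true regex, "level/*1[6-9]" reads as "level", zero or more slashes, then 1 and a digit 6-9, which does catch the level-17 request but also fires on the /docs/level/25/index.html path that has no /exec/ at all (the false positive Brian objects to), and it misses the POST request because the content:"GET" check fails. Sid 1250 fires on both the GET and the POST and stays quiet on the /docs/ path, but since it does not look at the number it also fires on the level-15 request of the same shape.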
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

