Re: [Snort-sigs] WebDAV nessus script?
From: Frank Knobbe <fknobbe(at)knobbeits.com>
Date: Tue Mar 18 2003 - 23:47:40 EST
On Tue, 2003-03-18 at 21:51, Jason Haar wrote:
uhm... yeah, that's an assumption. psshht! Don't tell anyone :) Something like GET /////////////NNNNNNNN....etc would probably still work. I haven't seen the exploit code, so I have no clue how far back into the packet the jump occurs. Given that there are probably 50K worth of noop sled and 10K worth of code, wasting those 10 first chars of the sled shouldn't make an impact. I'm also toying with : found in headers after the URL. But if the shell code appears early in the packet, and contains / or :, then the sig is worthless. Again, given the size the packet has to reach, it sounds reasonable that the sled is at the beginning and rather large. The smaller you can make the 'depth', the cleaner the sig would be. How small depends on your web site.

> What do you mean by partials? I thought the "flow:" would have sorted that
I logged packets that looked like Snort started to watch on the second packet. For example, there was no GET request, but just pieces of a long URL (tried this on a segment with busy, complex web site). The logged info doesn't really make sense, but neither do I at the moment (I'm about to call it a night :) I'm gonna run a tcpdump tomorrow while the test rule is running again and try to understand what Snort is telling me. It almost looks like Snort can not find a / within 2000 bytes, and then only logs the second packet, not the whole stream. After all, the rule fires on the lack of a content, not existing content, so it may very well just log the last packet it checked. I am running the ManHunt sig. But if Mr. Worm changes the N to A, then the ManHunt sig will fail. The one above should still fire. Perhaps this case here will be inspiration for an 'urilength' option in Snort. Even if so, that would probably be Snort 2.0, and I have the feeling the Worm might hit before 2.0 is released.
Later,
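The two checks discussed in the message, written out as an added example (not a Snort rule and not code from the thread): the "no '/' or ':' within depth" heuristic and the urilength-style limit the author wishes for, run over constructed request segments. DEPTH and MAX_URI_LEN are assumed thresholds, and the sample requests are constructed.

```python
import re

# Assumed thresholds: DEPTH mirrors the 2000-byte inspection window from the thread,
# MAX_URI_LEN is a hypothetical limit to tune to the longest legitimate URL on a site.
DEPTH = 2000
MAX_URI_LEN = 1024

# Full HTTP request line; a mid-stream segment (the "partials" problem) will not match.
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]\r?\n")


def uri_of(segment: bytes):
    """Return the request URI if the segment starts with a complete request line, else None."""
    m = REQUEST_LINE.match(segment)
    return m.group("uri") if m else None


def no_delim_in_depth(uri: bytes, depth: int = DEPTH) -> bool:
    """The thread's signature idea: fire when the URI runs past `depth` bytes after the
    leading '/' without another '/' or ':' in that window."""
    window = uri[1:depth + 1]
    return len(window) >= depth and b"/" not in window and b":" not in window


def inspect(segment: bytes, depth: int = DEPTH, max_len: int = MAX_URI_LEN) -> list:
    """Return the list of checks that trigger on one TCP segment's payload."""
    uri = uri_of(segment)
    if uri is None:
        # Continuation segment without a request line: the delimiter check has nothing
        # to anchor on, which is the odd logging the author saw on busy sites.
        return ["partial-or-non-request"]
    hits = []
    if no_delim_in_depth(uri, depth):
        hits.append("no-delimiter-within-depth")
    if len(uri) > max_len:
        hits.append("urilength-exceeded")
    return hits


# Constructed samples: a normal request, an overlong URI of a single repeated byte,
# the same URI prefixed with a run of slashes (the evasion the author acknowledges),
# and a continuation segment with no request line.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
LONG_RUN = b"GET /" + b"N" * 3000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
LONG_SLASHES = b"GET /" + b"/" * 12 + b"N" * 3000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
PARTIAL = b"N" * 500 + b"\r\nHost: example.test\r\n\r\n"
```

The slash-prefixed sample shows why the author expects the depth-based signature alone to be bypassable, while a length limit still flags it.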
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:26 EDT