# This is a template for submitting snort signature descriptions to
Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established;
content:"nc%20";nocase; sid:1360; classtype:web-application-attack;
rev:4;)
--
Sid: 1360
--
Summary: A web command execution attack involving the use of a
"netcat" command
--
Impact: An attacker might have gained the ability to execute system
commands remotely on the system
--
Detailed Information: This signature triggers when a "netcat"
command is used over a plain-text (unencrypted) connection on one of
the specified web ports to the target web server. The "netcat" command
may be used to establish an interactive shell session to the machine
and also to transfer files over the connection. The signature looks for
the "netcat" command in the client to web server network traffic and
does not indicate whether the command was actually successful. The
presence of the "netcat" command in the URL indicates that an attacker
attempted to trick the web server into executing system commands in
non-interactive mode, i.e. without a valid shell session. Another case
when this signature might trigger is an unencrypted HTTP tunneling
connection to the server or a shell connection through an exploit of
the web server.
--
Attack Scenarios: An attacker uses a "netcat" command to
move his rootkit to the system.
--
Ease of Attack: very easy, no exploit software required
--
False Positives: any string containing 'nc' followed by a space in the
URL will trigger the alarm.
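
The false-positive behaviour described above, as an added example (not part of the original submission or of Snort): a Python emulation of the rule's `content:"nc%20"; nocase;` match over constructed request lines, with a triage step that marks hits where "nc" is only the tail of a longer word. The function names, the triage labels and the sample requests are assumptions made for this illustration.

```python
from urllib.parse import unquote_to_bytes

PATTERN = b"nc%20"  # the rule's content string, matched with nocase


def sid1360_matches(payload: bytes) -> bool:
    """Emulate content:"nc%20"; nocase; against the raw client payload."""
    return PATTERN in payload.lower()


def _is_word_tail(prefix: bytes) -> bool:
    """True when the byte before the match continues a longer word."""
    decoded = unquote_to_bytes(prefix)  # so %3B counts as ';', not as 'B'
    last = decoded[-1:]
    return last.isalnum() or last in (b"_", b"-")


def triage(payload: bytes) -> str:
    """Hypothetical analyst triage label for a payload (not a Snort feature)."""
    lowered = payload.lower()
    start = lowered.find(PATTERN)
    if start == -1:
        return "no-alert"
    while start != -1:
        # One standalone "nc" token is enough to keep the alert for review.
        if not _is_word_tail(payload[:start]):
            return "review"
        start = lowered.find(PATTERN, start + 1)
    return "likely-false-positive"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.0",
    b"GET /search?q=sync%20status HTTP/1.0",
    b"GET /docs/Inc%20Report.pdf HTTP/1.0",
    b"GET /files/nc%20notes.txt HTTP/1.0",
    b"GET /cgi-bin/test.cgi?cmd=ls%3Bnc%20example.test HTTP/1.0",
]


def classify_samples():
    """Return (rule fired, triage label) for each constructed sample."""
    return [(sid1360_matches(s), triage(s)) for s in SAMPLES]


if __name__ == "__main__":
    for sample, (fired, label) in zip(SAMPLES, classify_samples()):
        print(fired, label, sample.decode())
```

The fourth sample shows the limit of the heuristic: a file name that begins with "nc " is benign but still lands in the review bucket, so triage narrows the alert set without replacing the investigation under Corrective Action.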
--
False Negatives: none known
--
Corrective Action: check the web server software for vulnerabilities
and possibly upgrade the system to the latest version; also
investigate the server for signs of compromise
--
Contributors: Anton Chuvakin <
http://www.chuvakin.org>
--
Additional References:
Received on Thu Apr 17 19:04:49 2003