List: arachnids
Subject: [arachNIDS] Re: [Snort-users] on rules and http preprocessor (a comment)
From: Max Vision <vision () whitehats ! com>
Date: 2000-10-09 8:55:02
On Mon, 9 Oct 2000, Fyodor wrote:
> By the way, I was just testing snort rules and noticed that snort doesn't
> trigger an alert if you have a rule saying `content: "%20%2e.blah"' and
> have an http preprocessor enabled. Instead you will have to use
> `content: |20 2e|.blah' or something... but as you see it will also
> match a packet which contained ` ..blah' data f.e. In most cases it
> would be the same, but some rules are looking for %2e%2e%2e packets
> explicitly.. for this case we will have to think of a way around, if
> possible..
> Any thoughts would be welcome of course ;-)
>
There are a few approaches to this problem - one is simply to pattern
match for whatever the %## URL-encoded string represents. But if you want
to look for something containing the percent sign you can just use |25| to
get a literal match.
For example, to match "%20%2e.blah" with the http preprocessor active you
could just replace the string with " ..blah", or if you specifically
wanted to catch the fact that someone used a URL-encoding attack against
you, then "|25|20|25|2e.blah" would do the trick.
Max Vision
http://whitehats.com/
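The content-string behaviour discussed in this thread, as an added example that is not part of the original mail: a small Python model of Snort's mixed text/|hex| content syntax and of the http preprocessor decoding %XX sequences before matching (the behaviour Fyodor describes). The parser, the decode step and the sample requests are constructed for this illustration, not Snort's own code.

```python
from urllib.parse import unquote_to_bytes


def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort 'content' string into the bytes it matches.

    Text between pipes is hex (|20 2e|); everything else is literal.
    Hypothetical helper written for this example, not Snort's parser.
    """
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 1:  # odd-numbered chunks sit between pipes: hex bytes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)


def http_decode(payload: bytes) -> bytes:
    """Model of the http preprocessor: every %XX becomes its raw byte."""
    return unquote_to_bytes(payload)


def rule_matches(spec: str, payload: bytes, preprocessor: bool) -> bool:
    """Assumes content is compared against the decoded buffer when the
    preprocessor is on, and against the raw packet when it is off."""
    buf = http_decode(payload) if preprocessor else payload
    return parse_snort_content(spec) in buf


def demo() -> dict:
    # Constructed sample requests, not captured traffic.
    encoded = b"GET /%20%2e.blah HTTP/1.0\r\n"   # URL-encoded form
    plain = b"GET / ..blah HTTP/1.0\r\n"         # already-decoded form
    return {
        # Fyodor's observation: the %-rule fires on the raw packet only.
        "pct_rule_raw": rule_matches("%20%2e.blah", encoded, False),
        "pct_rule_decoded": rule_matches("%20%2e.blah", encoded, True),
        # The |20 2e| form matches after decoding...
        "hex_rule_decoded": rule_matches("|20 2e|.blah", encoded, True),
        # ...but also a packet that was never encoded (the false positive).
        "hex_rule_plain": rule_matches("|20 2e|.blah", plain, True),
        # Max's |25| trick: the spec is the literal text "%20%2e.blah".
        "literal_pct_bytes": parse_snort_content("|25|20|25|2e.blah"),
        "literal_pct_raw": rule_matches("|25|20|25|2e.blah", encoded, False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```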