List:       bleeding-sigs
Subject:    Re: [Bleeding-sigs] Rule Submit: Poison Null Byte
From:       Matt Jonkman <mjonkman () infotex ! com>
Date:       2006-09-13 17:54:36
Message-ID: 450845DC.1040901 () infotex ! com

AHH! Sorry Blake. I read that and saw a content, not the uricontent. My bad.

I'll post it asap.

Matt

Blake Hartstein wrote:
> 
> http_inspect does not strip null bytes, it does however allow you to
> alert on the null byte in the url, using the non_rfc_char {...}
> configuration option.
> 
> Sending files by http should not likely be using the uri to send the
> file, but there are always exceptions of course.
> 
> I've been using it on my network for a while now and it seems to be
> relatively stable, and not prone to false positives.
> I have seen some indication that this rule leads to a snort related bug
> due to detection of urls without the null byte causing an alert, perhaps
> uricontent is reaching into another area, or something else I am not
> aware of?
> 
> -Blake
> 
> 
> Matt Jonkman wrote:
>> Interesting... Think we can put a depth in or something? What if we're
>> sending a file via http? Surely we'll get falses there.
>>
>> Does the http preprocessor strip null bytes?
>>
>> matt
>>
>> Blake Hartstein wrote:
>>  
>>> Hi,
>>> This rule detects several known issues in web scripts which allow an
>>> attacker to bypass filters and potentially execute arbitrary code.
>>> Additionally, Apache will remove null bytes, which could also indicate
>>> an attack, which would not be detected otherwise.
>>>
>>> These attacks could potentially affect any language, and thus I have not
>>> anchored them to any particular one.
>>>
>>> I highly recommend enabling this rule on your network. Please report any
>>> false positives you see.
>>>
>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>>> (msg:"BLEEDING-EDGE WEB-MISC Poison Null Byte";
>>> flow:established,to_server; uricontent:"|00|"; reference:cve,2006-4542;
>>> reference:cve,2006-4458; reference:cve,2006-3602;
>>> reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf;
>>> classtype:web-application-activity; sid:2003???; rev:1; )
>>>
>>> -Blake
>>>
> 
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs