List:       bleeding-sigs
Subject:    Re: [Bleeding-sigs] Rule for NaviCopa bof
From:       Matt Jonkman <jonkman () bleedingthreats ! net>
Date:       2007-03-29 5:50:08
Message-ID: 460B5390.10101 () bleedingthreats ! net
I think we can do these with a different approach. The bof happens
between characters 271 and 274. The leading padding wouldn't have to be "a".

We ought to go pcre, but the leading 271 characters could be nearly
anything, and the cgi path could also be modified locally. This is a
tough one to really do easily.

If they're pushing regular shellcode or http includes then existing sigs
will catch it.

How well-used is this package? Does it warrant further thought?

Matt

Jack Pepper wrote:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NaviCopa
> HTTP server bof (1)"; flow:to_server,established;
> uricontent:"/cgi-bin/aaaaaaaa"; nocase; reference: url,
> www.skilltube.com/index.php?option=com_content&task=blogsection&id=3&Itemid=37;
> classtype:web-application-attack; sid:1000988; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NaviCopa
> HTTP server bof (2)"; flow:to_server,established;
> uricontent:"/cgi/aaaaaaaa"; nocase; reference: url,
> www.skilltube.com/index.php?option=com_content&task=blogsection&id=3&Itemid=37;
> classtype:web-application-attack; sid:1000989; rev:1;)
> 
> jp
> 
> -------------------------------------------------
> Email solutions, MS Exchange alternatives and extrication,
> security services, systems integration.
> Contact:    services@doctorunix.com
> 
> 
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
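To illustrate the length-based pcre approach Matt suggests, the following is an added example (not from this thread, and not a Bleeding Edge Threats rule) that uses Python's re as a stand-in for Snort's pcre engine. The candidate regex, the 271-byte threshold taken from the thread, and the sample request lines are assumptions; like the original rules it still assumes the default /cgi-bin/ or /cgi/ prefix, which the thread notes may be changed locally.

```python
import re

# Candidate length-based check (assumption): a request into /cgi-bin/ or
# /cgi/ whose path segment runs 271 or more bytes, whatever byte is used as
# padding. The equivalent Snort option would be roughly
#   pcre:"/^\/cgi(-bin)?\/[^\s?]{271}/Ui"
# (U = normalized URI buffer, i = case-insensitive); treat that as a sketch.
LENGTH_PCRE = re.compile(r"^/cgi(?:-bin)?/[^\s?]{271}", re.IGNORECASE)

# The fixed-content check from the original rules, for comparison.
CONTENT_MATCH = re.compile(r"/cgi(?:-bin)?/aaaaaaaa", re.IGNORECASE)


def request_line_uri(request_line: str) -> str:
    """Return the request-URI from a line such as 'GET /x HTTP/1.0'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def classify(request_line: str) -> dict:
    """Report whether each detection approach fires on one request line."""
    uri = request_line_uri(request_line)
    return {
        "content": bool(CONTENT_MATCH.search(uri)),
        "length": bool(LENGTH_PCRE.search(uri)),
    }


# Constructed sample request lines (not captured traffic).
SAMPLES = {
    # "a" padding past the threshold: both approaches fire.
    "a_padding": "GET /cgi-bin/" + "a" * 280 + " HTTP/1.0",
    # Same length, different padding byte: only the length check fires.
    "x_padding": "GET /cgi/" + "x" * 280 + " HTTP/1.0",
    # Ordinary CGI request: neither fires.
    "normal": "GET /cgi-bin/script.cgi?id=1 HTTP/1.0",
    # 270 bytes of "a": content rule fires, length check stays below threshold.
    "just_under": "GET /cgi-bin/" + "a" * 270 + " HTTP/1.0",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, classify(line))
```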
