
List:       emerging-sigs
Subject:    [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-22-2008
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2008-10-24 15:30:23
Message-ID: 4901EA0F.9040005 () jonkmans ! com

Robert Kerr wrote:
> Can we have a discussion on the merits of pcre:"/UNION.+SELECT/Ui"; as
> appears in many of these rules. Two concerns:
> 
>  a) PCREs are slow and should always be well anchored. Would make 
>  sense to precede each pcre with a uricontent:"UNION"; to prevent the 
>  pcre firing on every hit to pages which are otherwise legit

Ya, agreed there. I can modify these last few where we didn't have that.

> 
>  b) The .+ seems overly permissive in that it allows 1 or more of any 
>  character in between the union and select. A quick look at other rules 
>  of this type seems to suggest they use UNION\s+SELECT

I can't think of a character in between other than a space (after it's
been normalized) that'd be valid. The real url would have a %20 likely,
but that'll normalize to a space.

Will modify these recent ones as well to reflect.

Are there others I need to look at as well?

Matt

> 
> Compare for example this rule:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB
> Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT";
> flow:established,to_server; uricontent:"graph_view.php?"; nocase;
> uricontent:"graph_list="; nocase; uricontent:"UNION"; nocase;
> pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack;
> reference:cve,CVE-2008-0785; reference:bugtraq,27749; sid:2007889;
> rev:2;)
> 
> Not having looked deeply at any of the bugs concerned it may be possible
> there's something odd going on that makes \s+ not suitable?
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
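As an added illustration of both points raised in the thread (this is example code, not a rule or script from Emerging Threats), the Python below mimics the rule's evaluation order on constructed sample URIs: the cheap uricontent check gates the regex, the /U normalized-URI buffer is approximated by percent-decoding, and the two patterns are compared on cost and hits.

```python
import re
from urllib.parse import unquote

# Constructed sample URIs (not taken from the thread): three legitimate
# requests and one that carries a UNION SELECT in a query parameter.
SAMPLE_URIS = [
    "/graph_view.php?action=list&graph_list=1",
    "/search.php?q=union%20of%20selected%20items",
    "/graph_view.php?graph_list=1%20UNION%20SELECT%201,2,3",
    "/index.php?page=home",
]

# Equivalent of uricontent:"UNION"; nocase; -- a cheap substring test that
# decides whether the expensive pcre is evaluated at all.
def prefilter(uri):
    return "union" in uri.lower()

# The /U modifier matches the normalized URI buffer, where %20 is a space.
def normalize(uri):
    return unquote(uri)

PERMISSIVE = re.compile(r"UNION.+SELECT", re.I)   # pattern questioned in the thread
ANCHORED = re.compile(r"UNION\s+SELECT", re.I)    # tighter alternative

def evaluate(uris, pattern, use_prefilter):
    """Return (pcre_evaluations, matched_uris) for one pattern over the sample."""
    evaluations = 0
    matched = []
    for uri in uris:
        if use_prefilter and not prefilter(uri):
            continue                      # prefilter saved a regex evaluation
        evaluations += 1
        if pattern.search(normalize(uri)):
            matched.append(uri)
    return evaluations, matched

if __name__ == "__main__":
    for label, pattern, gate in [("UNION.+SELECT, no prefilter", PERMISSIVE, False),
                                 ("UNION.+SELECT, prefilter", PERMISSIVE, True),
                                 ("UNION\\s+SELECT, prefilter", ANCHORED, True)]:
        count, hits = evaluate(SAMPLE_URIS, pattern, gate)
        print(f"{label}: {count} pcre evaluations, {len(hits)} hit(s)")
```

The permissive pattern also fires on the harmless "union of selected items" search, because `.+` lets "select" appear anywhere after "union", including inside another word; the `\s+` form only matches the injected request.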


