List: snort-sigs
Subject: RE: [Snort-sigs] frequent false +ves with sid 1801; rev:3
From: "Esler, Joel" <EslerJ () RCERT-S ! ARMY ! MIL>
Date: 2002-08-26 15:10:41
What command do you guys use to get the raw dump of the data like that? I
use "snort -sa". Any help?
-----Original Message-----
From: Russell Fulton [mailto:r.fulton@auckland.ac.nz]
Sent: Sunday, August 25, 2002 9:29 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] frequent false +ves with sid 1801; rev:3
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"EXPERIMENTAL WEB-IIS .asp HTTP header buffer overflow attempt";
flow:to_server,established; content:"HTTP|2F|"; nocase;
uricontent:".asp"; nocase; content:"|3A|"; content:"|0A|";
content:"|00|"; reference:bugtraq,4476;
classtype:web-application-attack; sid:1801; rev:3;)
I am seeing frequent false positives on this rule from packets
containing cookies with binary data, e.g.:
[**] EXPERIMENTAL WEB-IIS .asp HTTP header buffer overflow attempt [**]
08/25-22:26:45.981974 166.3.83.120:1576 -> 130.216.239.8:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1482
***AP*** Seq: 0x3736B724 Ack: 0x5DECCD9A Win: 0x3EB3 TcpLen: 20
Is there any way we can make this rule a bit more specific than just
looking for a NULL after the LF?
--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
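The rev:3 matching behaviour and the header-scoped alternative Russell asks about, as an added example that is not part of the thread or of Snort: the two packet samples are constructed, and the header-scoped check is an assumed tuning, not a published revision of the rule.

```python
# Added example, not code from the thread or the Snort project: it emulates
# the content: checks of sid 1801 rev:3 on raw HTTP payloads and compares
# them with a header-scoped variant. Snort's real matcher is not used here.

def _request_uri(payload: bytes) -> bytes:
    """Return the URI from the request line (roughly what uricontent sees)."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""

def matches_rev3(payload: bytes) -> bool:
    """rev:3 semantics: no content: carries distance/within, so every
    pattern may match anywhere in the payload, body bytes included."""
    return (b"http/" in payload.lower()                   # content:"HTTP|2F|"; nocase
            and b".asp" in _request_uri(payload).lower()  # uricontent:".asp"; nocase
            and b":" in payload                           # content:"|3A|"
            and b"\n" in payload                          # content:"|0A|"
            and b"\x00" in payload)                       # content:"|00|"

def matches_header_scoped(payload: bytes) -> bool:
    """Assumed tuning (not a published revision): only count a NULL that
    sits inside the header block, i.e. before the CRLFCRLF that ends it."""
    end = payload.find(b"\r\n\r\n")
    headers = payload if end < 0 else payload[:end]
    return matches_rev3(payload) and b"\x00" in headers

# Constructed sample modelled on the posted packet: a multipart upload to an
# .ASP form whose binary attachment bytes follow the blank line.
BENIGN_UPLOAD = (
    b"POST /exchange/Forms/IPM/NOTE/cmpAtt.ASP?ffname=x HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=----constructed\r\n"
    b"\r\n"
    b"------constructed\r\n"
    b"\x85\x0fU?0\x00S\xec\x1f\xa9"  # attachment bytes; the only NULL is here
)

# Constructed sample with a NULL byte inside a request header value, the
# shape the rule's msg text actually describes.
NULL_IN_HEADER = (
    b"GET /default.asp HTTP/1.0\r\n"
    b"Host: example.invalid\r\n"
    b"Cookie: abc\x00def\r\n"
    b"\r\n"
)
```

Running both samples through the two functions shows the benign upload firing under rev:3 only, while the NULL-in-header case fires under both.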
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs