List: snort-sigs
Subject: [Snort-sigs] False positive in 1861.9 (WEB-MISC Linksys router default username and password login
From: nnposter <nnposter () users ! sourceforge ! net>
Date: 2005-01-19 23:19:00
Message-ID: 1861.9.1 () users ! sourceforge ! net
Rule: WEB-MISC Linksys router default username and password login attempt
--
Sid: 1861
--
False Negatives:
Current version of the rule improperly matches on any password
that starts with "admin".
I am proposing to augment the PCRE clause with a terminator:
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080
(msg:"WEB-MISC Linksys router default username and password login attempt";
flow:to_server,established; content:"Authorization|3A|"; nocase;
pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46YWRtaW4[=\s]/smi";
reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:10;)
Unless I am mistaken the rule could be further optimized by using the
credentials as a more unique pre-match and making the PCRE partially
case sensitive to reduce false positives:
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080
(msg:"WEB-MISC Linksys router default username and password login attempt";
flow:to_server,established; content:"YWRtaW46YWRtaW4";
pcre:"/^Authorization\x3a\s*Basic\s+(?-i)YWRtaW46YWRtaW4[=\s]/smi";
reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:10;)
Cheers,
nnposter
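The three Snort variants above differ only in how they treat the end of the base64 blob and its letter case. The following Python is an added example, not part of the original post or of the Snort rule set; it reproduces the PCRE clauses with Python's `re` module (the scoped `(?-i:...)` form stands in for Snort's `(?-i)`), runs them over constructed sample requests, and compares the result against a decode-and-compare check of the credential. The hostname and the samples are constructed for the example; "admin:admin" base64-encodes to 16 characters ending in "=", which is why a `[=\s]` terminator after the 15-character prefix separates the default credential from any longer password that merely starts with "admin".

```python
import base64
import re

# Constructed sample requests (not from the original post). Each is what the
# rule would inspect once the HTTP request reaches the sensor.
SAMPLES = {
    # exactly admin:admin -> YWRtaW46YWRtaW4=
    "default_creds": (
        "GET / HTTP/1.1\r\nHost: router.example:8080\r\n"
        "Authorization: Basic " + base64.b64encode(b"admin:admin").decode() + "\r\n\r\n"
    ),
    # password merely starts with "admin" -> YWRtaW46YWRtaW4x (no '=' after the prefix)
    "longer_password": (
        "GET / HTTP/1.1\r\nHost: router.example:8080\r\n"
        "Authorization: Basic " + base64.b64encode(b"admin:admin1").decode() + "\r\n\r\n"
    ),
    # same letters in lower case: valid base64, but decodes to something else entirely
    "lowercased_blob": (
        "GET / HTTP/1.1\r\nHost: router.example:8080\r\n"
        "Authorization: Basic ywrtaw46ywrtaw4=\r\n\r\n"
    ),
}

FLAGS = re.S | re.M | re.I  # Snort's /smi

# Behaviour of the rule before the proposal: no terminator, whole pattern case-insensitive.
OLD_PCRE = re.compile(r"^Authorization\x3a\s*Basic\s+YWRtaW46YWRtaW4", FLAGS)

# Proposed rev 10: terminator required and the credential matched case-sensitively.
# Python needs the scoped form (?-i:...) where the Snort rule uses (?-i).
NEW_PCRE = re.compile(r"^Authorization\x3a\s*Basic\s+(?-i:YWRtaW46YWRtaW4[=\s])", FLAGS)

# The content:"YWRtaW46YWRtaW4" pre-match has no nocase modifier, so it is case-sensitive.
CONTENT_PREMATCH = "YWRtaW46YWRtaW4"


def rule_fires(pattern, request):
    """True if the PCRE clause alone would match this request."""
    return pattern.search(request) is not None


def decoded_credentials(request):
    """Ground truth: decode the Basic credential and return 'user:pass', or None."""
    m = re.search(r"^Authorization\x3a\s*Basic\s+([A-Za-z0-9+/=]+)", request, FLAGS)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def evaluate(samples=SAMPLES):
    """Return {name: (old_fires, new_fires, is_default_login)} for each sample."""
    results = {}
    for name, request in samples.items():
        new = CONTENT_PREMATCH in request and rule_fires(NEW_PCRE, request)
        results[name] = (
            rule_fires(OLD_PCRE, request),
            new,
            decoded_credentials(request) == "admin:admin",
        )
    return results


if __name__ == "__main__":
    for name, (old, new, truth) in evaluate().items():
        print(f"{name:16} old={old!s:5} new={new!s:5} actually_default={truth}")
```

Running it shows the old clause firing on all three samples while the proposed clause fires only on the genuine admin:admin login, agreeing with the decoded credential in every case.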