
List:       snort-sigs
Subject:    [Snort-sigs] False positive in  1861.9 (WEB-MISC Linksys router default username and password login
From:       nnposter <nnposter () users ! sourceforge ! net>
Date:       2005-01-19 23:19:00
Message-ID: 1861.9.1 () users ! sourceforge ! net


Rule:  WEB-MISC Linksys router default username and password login attempt

--
Sid: 1861

--
False Negatives:
Current version of the rule improperly matches on any password 
that starts with "admin".


I am proposing to augment the PCRE clause with a terminator:

alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 
(msg:"WEB-MISC Linksys router default username and password login attempt"; 
flow:to_server,established; content:"Authorization|3A|"; nocase; 
pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46YWRtaW4[=\s]/smi"; 
reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:10;) 


Unless I am mistaken the rule could be further optimized by using the
credentials as a more unique pre-match and making the PCRE partially 
case sensitive to reduce false positives:

alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 
(msg:"WEB-MISC Linksys router default username and password login attempt"; 
flow:to_server,established; content:"YWRtaW46YWRtaW4"; 
pcre:"/^Authorization\x3a\s*Basic\s+(?-i)YWRtaW46YWRtaW4[=\s]/smi"; 
reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:10;) 
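The false positive described above is easier to see with the Base64 spelled out: "admin:admin" encodes to "YWRtaW46YWRtaW4=", so any credential whose bytes share the first eleven characters up to the padding boundary (for example "admin:admin1", which encodes to "YWRtaW46YWRtaW4x") also begins with the fifteen-character token the old PCRE looks for. The following Python script is an added illustration, not code from the post or from the Snort rule set; it reconstructs both regular expressions with Python's `re` module (the PCRE `(?-i)` toggle is written in Python's scoped form `(?-i:...)`, and the `content` pre-match is modelled as a plain substring test), builds constructed HTTP requests with a documentation address, and compares what the old prefix-only pattern and the proposed terminated, case-sensitive pattern would fire on.

```python
import base64
import re

# Old pattern (sid 1861 before the proposal): prefix-only token, fully case-insensitive (/smi).
OLD_PCRE = re.compile(
    r"^Authorization\x3a\s*Basic\s+YWRtaW46YWRtaW4",
    re.S | re.M | re.I,
)

# Proposed pattern: a terminator after the token so only the exact credential matches,
# and the token itself made case-sensitive (PCRE "(?-i)" written as Python "(?-i:...)").
NEW_PCRE = re.compile(
    r"^Authorization\x3a\s*Basic\s+(?-i:YWRtaW46YWRtaW4)[=\s]",
    re.S | re.M | re.I,
)

# Snort "content" without "nocase" is a case-sensitive byte match; modelled as a substring test.
CONTENT_PREMATCH = "YWRtaW46YWRtaW4"


def request_with_token(token: str) -> str:
    """Constructed HTTP request carrying an Authorization header (192.0.2.1 is a documentation address)."""
    return (
        "GET / HTTP/1.1\r\n"
        "Host: 192.0.2.1:8080\r\n"
        f"Authorization: Basic {token}\r\n"
        "\r\n"
    )


def basic_auth_request(credentials: str) -> str:
    """Encode 'user:password' the way an HTTP client does for Basic authentication."""
    return request_with_token(base64.b64encode(credentials.encode()).decode())


def lowercase_token_request() -> str:
    """Same credential token but lower-cased: it no longer decodes to admin:admin."""
    token = base64.b64encode(b"admin:admin").decode().lower()
    return request_with_token(token)


def old_rule_matches(payload: str) -> bool:
    """Does the old PCRE alone fire on this payload?"""
    return OLD_PCRE.search(payload) is not None


def new_rule_matches(payload: str) -> bool:
    """Does the proposed PCRE fire on this payload?"""
    return NEW_PCRE.search(payload) is not None


def proposed_rule_fires(payload: str) -> bool:
    """Second proposed rule: case-sensitive content pre-match, then the PCRE."""
    return CONTENT_PREMATCH in payload and new_rule_matches(payload)


def compare(credentials: str) -> dict:
    """Summarise how each pattern treats one credential string."""
    payload = basic_auth_request(credentials)
    token = base64.b64encode(credentials.encode()).decode()
    return {
        "credentials": credentials,
        "token": token,
        "old": old_rule_matches(payload),
        "new": new_rule_matches(payload),
    }


if __name__ == "__main__":
    for creds in ("admin:admin", "admin:admin1", "admin:admin ", "admin:adminX", "admin:password"):
        print(compare(creds))
    lc = lowercase_token_request()
    print("lower-cased token: old =", old_rule_matches(lc), "new =", new_rule_matches(lc))
```

Running the script shows the two classes of spurious hit the proposal removes: credentials such as "admin:admin1" or "admin:admin " (whose Base64 continues "...aW4x" / "...aW4g") satisfy the old prefix but fail the `[=\s]` terminator, and a lower-cased token that decodes to unrelated bytes satisfies the old `/i` pattern but not the case-sensitive token. "admin:adminX", by contrast, encodes to "...aW5Y" and never matched either pattern, which is why the old rule only misfired on some continuations.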

Cheers,
nnposter


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs