Snort mailing list archives

Re: Snort-sigs Digest, Vol 106, Issue 20


From: John York <YorkJ () brcc edu>
Date: Mon, 16 Mar 2015 16:35:37 +0000


Message: 1
Date: Mon, 16 Mar 2015 14:07:03 +0000
From: "Weir, Jason" <jason.weir () nhrs org>
Subject: [Snort-sigs] FP on 31977?
To: "'snort-sigs () lists sourceforge net'"
        <snort-sigs () lists sourceforge net>
Message-ID:
        <1F90BD115BC8E9418EB95499E371CF2707E3A039 () juniper nhrs org>
Content-Type: text/plain; charset="us-ascii"

Getting hits on 31977 via the GET below - I believe they are false.

GET /services/obituaries.ashx?IncludeSidebar=0&Name=Debra Jones Obituary&String=r. Memorial Home, Franklin-Tilton Road, 
584 West Main St., in Tilton. Deb's family requests that those wishing, may make contributions in her name to 
;(function() { var adKeyValue = 't='; adKeyValue                += escape('clio=MAW'); adKeyValue += 
escape('&cobrand=concordmonitor'); adKeyValue += escape('&linktext=The Make-A-Wish Foundation'); adKeyValue += 
escape('&linkurl=http://ad.doubleclick.net/ddm/clk/286988598%3B113956851%3Bl&apos;); adKeyValue += escape('&fn=Debra'); 
adKeyValue += escape('&ln=Jones'); var adClkUrl = 
'http://pubads.g.doubleclick.net/gampad/jump?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&&apos; + adKeyValue + 
'&sz=1x1&c=537810296'; var adImpUrl = 
'http://pubads.g.doubleclick.net/gampad/ad?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&&apos; + adKeyValue + 
'&sz=1x1&c=537810296'; document.write(" The Make-A-Wish Foundation "); }()); The Make-A-Wish Foundation of New 
Hampshire, 814 Elm St., Suite 300, Manchester, NH 03101. For more information go to 
smartfuneralhome.com.&location=http://www.legacy.com/obituaries/concordmonitor/obituary.aspx?n=debra-ann-jones-ross&pid=174389739&fhid=13973&randomlabel=ga38770210180839515&published=Sat
 Mar 14 2015 00:00:00 GMT-0400 (Eastern Daylight Time) HTTP/1.1

Looks like the function() { is what is triggering the rule.

Current rule

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; 
flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy 
security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; 
reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:4;)

Will adding content:!" function() " break things?

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; 
flow:to_server,established; content:!" function() "; content:"() {"; fast_pattern:only; http_uri; metadata:policy 
balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; 
reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:5;)

Jason


I had lots of FPs on this rule when I had problems with my $HOME_NET variable (was effectively ANY).  There are lots of 
screwy web apps that trigger the rule.  There were several different versions of screwy web app, so it would be hard to 
fix the rule for all of them.  When I set my variables so the rule only checked incoming traffic to my servers and 
ignored outgoing browsing, the FPs went away.
Thanks
John
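Added example, not code from the thread or from Snort: a small Python model of how sid:31977 (rev 4 and Jason's proposed rev 5) evaluates against a request shaped like the obituary GET above, and how John's narrowed $HOME_NET changes the outcome. It assumes EXTERNAL_NET is "any" (the snort.conf default), treats http_uri as the URI of the request line, and uses constructed sample requests; note that the obituary URI contains "(function() {" with no space before "function", so the negated content:!" function() " never matches there.

```python
import ipaddress

# Simplified model of how sid:31977 is evaluated (added example, not Snort code).
# Assumptions: EXTERNAL_NET is "any" (the snort.conf default), HOME_NET is a list
# of CIDR strings or ["any"], and http_uri is the path+query of the request line.

def request_uri(raw_request):
    """Return the URI from a raw request ('GET /x?y HTTP/1.1' -> '/x?y')."""
    line = raw_request.split("\r\n", 1)[0]
    rest = line.split(" ", 1)[1]            # drop the method
    end = rest.rfind(" HTTP/")              # drop the version; URI may contain spaces
    return rest if end < 0 else rest[:end]

def in_home_net(ip, home_net):
    """True if ip falls inside any HOME_NET range ("any" matches everything)."""
    if "any" in home_net:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in home_net)

def sid_31977(raw_request, dst_ip, home_net, rev5=False):
    """True if the rule would alert. rev5=True adds content:!" function() "."""
    # $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS: destination must be in HOME_NET.
    if not in_home_net(dst_ip, home_net):
        return False
    # content:"() {"; http_uri;  -- matched against the normalized URI only
    if "() {" not in request_uri(raw_request):
        return False
    # content:!" function() " carries no http_uri modifier, so it applies to the
    # raw payload; the rule still fires whenever that string is absent.
    if rev5 and " function() " in raw_request:
        return False
    return True

# Constructed samples. OBIT mimics the obituary request from the thread
# ('(function() {' has no space before 'function'); CGI mimics a
# Shellshock-style probe of a CGI script.
OBIT = ("GET /services/obituaries.ashx?Name=Debra Jones&String=;(function() { "
        "var k = 't='; }()); HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
CGI = "GET /cgi-bin/status.cgi?x=() { :;}; HTTP/1.1\r\nHost: web\r\n\r\n"

if __name__ == "__main__":
    # Outbound browsing with HOME_NET = any: rev 4 fires, and so does rev 5.
    print(sid_31977(OBIT, "203.0.113.10", ["any"]))             # True (false positive)
    print(sid_31977(OBIT, "203.0.113.10", ["any"], rev5=True))  # True (still fires)
    # John's fix: HOME_NET limited to the servers; the outbound request is ignored.
    print(sid_31977(OBIT, "203.0.113.10", ["10.0.0.0/8"]))      # False
    # An inbound probe against a server inside HOME_NET still alerts.
    print(sid_31977(CGI, "10.0.0.80", ["10.0.0.0/8"]))          # True
```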
