TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Hi Jim,
doesn't this mean that:
A) A site that genuinely uses default.ida is going to get continuous false
positives.
B) A minor variant of CodeRed could request
"somekindoffilename.ida?NNN...." and it would slip right by the signature.
It does seem to be an overly specific and short-sighted signature.
Wouldn't a better signature be something along the lines of:
/[^\.]*\.ida?[^=]{XX,}=$
Excuse my poor regex, but I think that's OK.
Where XX is the length required to cause the buffer overflow.
This would trap any request aimed at the .ida files, but only ones that had
queries that were long enough to cause a buffer overflow.
Just my 2c. Thoughts anyone?
Later'ish
Craig
[if you're going to wear a condom, make sure it's not made of Swiss cheese]
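The two signature styles argued over in this thread, run side by side over sample request lines. This is an added example for this page, not code from the thread, from ISS, or from RealSecure. It assumes the "URL Data" context behaves exactly as Jim describes below (everything from the `?` on is never seen by the parser), it renders Craig's regex with the `?` escaped (an unescaped `?` is a quantifier that makes the preceding `a` optional) and without the trailing `$` (the request quoted in the alert ends in `=a`, not `=`), and it uses 200 as a placeholder for XX, not the real overflow length. The request lines are constructed, not captured traffic.

```python
import re

# Emulation of the RealSecure "URL Data" context as Jim describes it:
# everything from the '?' onward (CGI parameters) never reaches the parser.
def url_data(request_line):
    target = request_line.split()[1]
    return target.split("?", 1)[0]

# The X-Press alert signature, applied in the URL Data context.
RS_SIG = re.compile(r"default\.ida$")

def rs_match(request_line):
    return bool(RS_SIG.search(url_data(request_line)))

# A length-gated rendering of Craig's idea. Differences from his sketch
# (assumptions of this example, not his words): the '?' is escaped, since an
# unescaped '?' makes the preceding 'a' optional, and the trailing '$' is
# dropped because the request quoted in the alert ends in "=a", not "=".
def length_sig(min_query_len):
    return re.compile(r"/[^?]*\.ida\?[^=]{%d,}=" % min_query_len)

# XX in Craig's regex: placeholder value, not the real overflow length.
OVERFLOW_LEN = 200

def length_match(request_line, min_query_len=OVERFLOW_LEN):
    target = request_line.split()[1]
    return bool(length_sig(min_query_len).search(target))

# Same regex, but fed only what the URL Data context would pass: the query
# string is gone, so a query-length rule can never fire in that context.
def length_match_url_data_context(request_line, min_query_len=OVERFLOW_LEN):
    return bool(length_sig(min_query_len).search(url_data(request_line)))

# Constructed request lines (not captured traffic). The worm-like line borrows
# the %u tail from the alert text quoted in this thread; the N count is made up.
SHELLCODE_TAIL = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
                  "%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
                  "%u0078%u0000%u00=a")
SAMPLES = {
    "worm": "GET /default.ida?" + "N" * 240 + SHELLCODE_TAIL + " HTTP/1.0",
    "benign_default_ida": "GET /default.ida HTTP/1.0",
    "benign_short_query": "GET /search.ida?q=codered HTTP/1.0",
    "variant_other_ida": "GET /somekindoffilename.ida?" + "N" * 240 + "=a HTTP/1.0",
}

def classify(samples=SAMPLES):
    """Return {name: (rs_match, length_match)} for each sample request."""
    return {name: (rs_match(line), length_match(line))
            for name, line in samples.items()}

if __name__ == "__main__":
    for name, (rs, ln) in classify().items():
        print(f"{name:20s} default\\.ida$ in URL Data: {rs!s:5s} length-gated: {ln}")
```

Running it shows Craig's two points as results rather than argument: the plain `GET /default.ida` with no query trips `default\.ida$` (point A), the `somekindoffilename.ida` variant slips past it (point B), and the length-gated rule does the opposite on both. The last function shows the catch a practitioner wants to know about: a query-length rule written for the URL Data context can never fire there, because that context strips the query before the regex runs, so such a rule has to be attached to a context that still sees the full request line.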
> The back-slash \ in default\.ida$ is there to indicate to the RS regex parser that the period is to be read literally as a period and NOT to be considered a period meta-character (a regex period = 1 character of any description, except newline). And having default.ida on your system is all you need for an indication that the VULNERABILITY is there, so looking for a GET of default.ida is all you need to indicate that the THREAT is there. Of course, you could always add the binary code portion of the attack at the end of the packet, but why type more when less will do?
>
> BTW, the folks at ISS Support educated me on the $ (EOL indicator) in the suggested default\.ida$ string recommendation. Using a User Defined Event context of URL Data, any part of the line that includes CGI parameters (including the ? and all subsequent data) is not passed to the RS parser. So the GET line effectively ends for the RS parser at the end of the default.ida phrase. Hence default\.ida$
>
> Jim Lindley
>
> -----Original Message-----
> From: Dan Wangler [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 31, 2001 9:57 AM
> To: [EMAIL PROTECTED]
> Subject: Code Red for RealSecure
>
>
>
>
> I received the X-Press alert for Code Red yesterday. In it was some good information on what it is and does and how to detect it.
>
> I do have a question concerning the RS signature. In the text of the alert, it says that Code Red sends the string "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a".
>
> However, the signature string for RS is simply "default\.ida$". I do not understand how the two can relate since the RS string does not match that part of the attack. Can someone explain it for me?
>
> Thanks
>
>
> Dan Wangler, GIAC Certified Intrusion Analyst
> IT Security Engineering and Development
> IT Security, Texas Instruments, Inc.
> 6500 Chase Oaks Blvd., MS 8417
> Plano, Texas, 75023, Phone: 972-927-8304
> Email: [EMAIL PROTECTED]