Bug #211 (Closed)
Fail to alert on sid 2002660
Description
Suricata fails to alert on sid 2002660 with the attached pcap. Snort is able to pick it up.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER RSA Web Auth Exploit Attempt - Long URL"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; uricontent:"?Redirect?"; nocase; pcre:"/url=.{8000}/i"; reference:url,secunia.com/advisories/17281; reference:url,www.metasploit.com/projects/Framework/modules/exploits/rsa_iiswebagent_redirect.pm; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2002660; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_RSA; reference:url,doc.emergingthreats.net/2002660; sid:2002660; rev:8;)
Files
Updated by Victor Julien over 14 years ago
Wouldn't it make more sense to do the pcre on the uri?
Anyway, the packet containing the GET data is considered out of window by the stream engine and I think it is right about it:
[6142] 20/7/2010 -- 13:30:08 - (stream-tcp.c:1510) <Debug> (HandleEstablishedPacketToServer) -- ssn 0x99f3d68: toserver => SEQ out of window, packet SEQ 2266354306, payload size 8241 (2266362547),ssn->client.last_ack 2266354306, ssn->client.next_win 2266362498(49) (ssn->client.ra_base_seq 2266354305)
This causes the stream engine to reject the packet, so it won't be sent to the htp module, which means the uricontent match will never work.
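The arithmetic behind the debug line above, worked through in a small Python model. This is an added illustration, not Suricata's source: the window test is modelled only on the numbers Victor posted (a segment is in window when SEQ plus payload length does not pass next_win, and the figure printed in parentheses after next_win is how far the segment overshoots), the HTTP request is constructed rather than taken from the attached pcap, and the rule logic applies the pcre to the URI (the /U form Victor suggests) instead of to the raw payload. It also shows the consequence Victor describes: a segment rejected by the stream engine never reaches the HTTP parser, so no uricontent or pcre check runs on it, while the same bytes with a window large enough to hold them produce the alert.

```python
"""Model of the stream-engine window check from the debug line above and of
its consequence for sid 2002660. Added illustration, not Suricata's code."""
import re
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def seq_diff(a: int, b: int) -> int:
    """a - b as a signed 32-bit value, so comparisons survive SEQ wraparound
    (the same idea as the SEQ_LT/SEQ_GT macros found in TCP stacks)."""
    d = (a - b) & MASK32
    return d - (1 << 32) if d & 0x80000000 else d


@dataclass
class StreamSide:
    last_ack: int  # highest ACK seen from the peer (left edge of the window)
    next_win: int  # right edge of the window the peer has advertised


def window_check(side: StreamSide, seq: int, payload_len: int):
    """Right-edge window test modelled on the debug line: the segment is in
    window when SEQ + payload length does not pass next_win. Returns
    (accepted, overshoot); overshoot is the value printed in parentheses
    after next_win (49 in the log). Assumption: only the arithmetic the log
    shows is reproduced, not Suricata's exact test."""
    seg_end = (seq + payload_len) & MASK32
    overshoot = seq_diff(seg_end, side.next_win)
    return overshoot <= 0, overshoot


# Detection side of sid 2002660, with the pcre applied to the URI (the /U
# form Victor suggests) rather than to the raw payload.
URICONTENT_CASE = "/WebID/IISWebAgentIF.dll"  # first uricontent, case-sensitive
URICONTENT_NOCASE = "?redirect?"               # second uricontent, nocase
PCRE_URI = re.compile(r"url=.{8000}", re.IGNORECASE)


def request_uri(payload: bytes):
    """Request-URI from the request line 'GET <uri> HTTP/1.x', or None."""
    line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    return parts[1] if len(parts) == 3 else None


def rule_2002660_matches(uri: str) -> bool:
    return (URICONTENT_CASE in uri
            and URICONTENT_NOCASE in uri.lower()
            and PCRE_URI.search(uri) is not None)


def inspect(side: StreamSide, seq: int, payload: bytes) -> str:
    """Stream engine gate in front of the HTTP parser: a rejected segment is
    never handed to htp, so the uricontent/pcre checks never run on it."""
    accepted, overshoot = window_check(side, seq, len(payload))
    if not accepted:
        return f"rejected: SEQ out of window by {overshoot} bytes"
    uri = request_uri(payload)
    if uri is not None and rule_2002660_matches(uri):
        return "alert sid:2002660"
    return "no alert"


def build_request(url_len: int) -> bytes:
    """Constructed request (not the attached pcap): the Redirect URL is padded
    with url_len bytes. url_len=8172 gives the 8241-byte payload from the log."""
    uri = "/WebID/IISWebAgentIF.dll?Redirect?url=" + "A" * url_len
    return f"GET {uri} HTTP/1.0\r\nHost: target\r\n\r\n".encode()


# Values taken from the debug line in the comment above.
SIDE = StreamSide(last_ack=2266354306, next_win=2266362498)
SEQ = 2266354306
PAYLOAD = build_request(8172)

if __name__ == "__main__":
    print(len(PAYLOAD), window_check(SIDE, SEQ, len(PAYLOAD)))
    print(inspect(SIDE, SEQ, PAYLOAD))
    # Same segment with a window large enough to hold it: the rule fires.
    print(inspect(StreamSide(2266354306, 2266362547), SEQ, PAYLOAD))
```

With the logged values the segment ends 49 bytes past next_win and is rejected before any rule is evaluated; widening next_win by those 49 bytes is enough for the same payload to reach the URI checks and alert. The signed 32-bit difference matters in a real sensor: comparing raw sequence numbers breaks as soon as SEQ wraps past 0xFFFFFFFF mid-stream.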
Updated by Will Metcalf over 14 years ago
- Due date set to 07/20/2010
- Status changed from New to Closed
- Estimated time set to 2.50 h
OK, this is an r2a bug; the data is indeed out of window. Sending it over to Josh for review. And you are correct: based on the following, the rule should use the /U modifier. I will send this over to ET.