[Emerging-Sigs] 2 SIGS: ET SCAN Inspathx Path Disclosure Scanner

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 12 18:50:11 EDT 2010


Posting, without nocase. We want to keep exact case here it seems.

Thanks all!

Matt

On Sep 30, 2010, at 10:04 PM, evilghost at packetmail.net wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> On 09/30/2010 08:14 PM, Joel Esler wrote:
>> I generally put nocase on everything.  I don't want the reason my sig
>> is bypassed is because s malware writer changed their case on one
>> letter in a content match.
> 
> AFAIK something like this changes rarely and there's much better ways
> for scanning evasion by purporting to be a legitimate User-Agent.  In
> this case I doubt case-insensitivity is necessary or the author is going
> to flip case to evade.  With HTTP methods and a lack of strict-RFC HTTP
> daemons I agree nocase; is best not for scanning tools like this.  I
> believe we use nocase; too much and it's superfluous.
> 
> It's easy to use "might be evaded" as crutch.  I believe excessive and
> unnecessary use of nocase to be performance degrading and sloppy.
> 
>> Do we need the |od oa| is another question.
> 
> Absolutely needed, else it would false positive on every instance of
> that User-Agent in an HTTP page; for example emerging-all.rules.  I
> think |0d 0a| is more of a requirement than nocase.
> 
> Sadly, one would want to be able to use http_header but Eoin has already
> proved that http_inspect and the normalized buffers can't handle
> multiple packet reassembly.  That's sad because I too see this often in
> 2.8.6.1 and long URIs (often banner-ad nonsense) resulting in an HTTP
> header spanning multiple packets and the User-Agent appearing in the
> secondary or tertiary packet resulting in alerts firing for suspicious
> traffic not containing a User-Agent (content:!"|0d 0a|User-Agent\: ";
> nocase;)
> 
>> Joel
> 
> - -evilghost
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iQIcBAEBAgAGBQJMpUGYAAoJENgimYXu6xOHDCcP/2qExiA69mIThdubDG940ZTW
> TdkOMGD44p/BfnQoYag+gwLk+C3VZMrEhgpDr5ektql1UpuoMiYUTb+2x8kvOhuS
> yNDzarTTHaGTJQwCFjXkWnZPyvU1H/WlO+dPE7XRnIIVn2Snvj+k0w/Q4lK8qHsh
> gHMGp3uIv/A/vq3aIhIZyGXpijk1ArYzlqdY/ROiGYJenHQDVLwTUCNDIjibk7tJ
> pEJW7jq93JDRlWIaeLl0WaR8GCXUC3ZjlGebNxLidlJOqg7cMtvlRzUJcTduiSNo
> 0NwLoxWi4C89L48HO67LEu5cq5RtgG1lmiarY5wOb3Z3eQRBDuKKKjCr+QerKPRl
> 3p4YJedryvonQx02QB5rYIXtC5HYuiYUWuqA31056oI2zbs7nyWCprtyiG0y0gx2
> k6sYDzt/CF1oo7r7odhbnLEFncFwX4sBIXX3D4UQCkl+OhgW6MfZPZLX+zJEg0S8
> 6b/h1fCWv2fwTs93xrVIytxrYM+rMdLFeVZjORUe+DiOnxzucimT+QdLxWTpXwcs
> KIx3DECkM8Dl26F79uTVdRxE9qnuyfYO675uZCHoqg8T1I++dk0/DjznZ9/zQsXE
> I1OFMpiIUb35TR3GRgUjQDlRA6xUq4jmTcAF96uWUnaJEeZGH9L6rCPJPg8kpBxJ
> FX7VlDor+WMUPumkei8R
> =SOv5
> -----END PGP SIGNATURE-----
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc





More information about the Emerging-sigs mailing list