[Emerging-Sigs] 2 SIGS: ET SCAN Inspathx Path Disclosure Scanner
jonkman at emergingthreatspro.com
Tue Oct 12 18:50:11 EDT 2010
Posting, without nocase. We want to keep exact case here it seems.
On Sep 30, 2010, at 10:04 PM, evilghost at packetmail.net wrote:
> On 09/30/2010 08:14 PM, Joel Esler wrote:
>> I generally put nocase on everything. I don't want the reason my sig
>> is bypassed is because a malware writer changed their case on one
>> letter in a content match.
> AFAIK something like this changes rarely and there's much better ways
> for scanning evasion by purporting to be a legitimate User-Agent. In
> this case I doubt case-insensitivity is necessary or the author is going
> to flip case to evade. With HTTP methods and a lack of strict-RFC HTTP
> daemons I agree nocase; is best not for scanning tools like this. I
> believe we use nocase; too much and it's superfluous.
> It's easy to use "might be evaded" as crutch. I believe excessive and
> unnecessary use of nocase to be performance degrading and sloppy.
>> Whether we need the |0d 0a| is another question.
> Absolutely needed, else it would false positive on every instance of
> that User-Agent in an HTTP page; for example emerging-all.rules. I
> think |0d 0a| is more of a requirement than nocase.
> Sadly, one would want to be able to use http_header but Eoin has already
> proved that http_inspect and the normalized buffers can't handle
> multiple packet reassembly. That's sad because I too see this often in
> 126.96.36.199 and long URIs (often banner-ad nonsense) resulting in an HTTP
> header spanning multiple packets and the User-Agent appearing in the
> secondary or tertiary packet resulting in alerts firing for suspicious
> traffic not containing a User-Agent (content:!"|0d 0a|User-Agent\: ";
> - -evilghost
Emerging Threats Pro
Open Information Security Foundation (OISF)
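Added example, not from the thread or the ET ruleset: a small byte-level model of the three match styles discussed above (a plain content match, the same match anchored with |0d 0a|, and the negated User-Agent check), run over constructed HTTP samples including a header block split across two segments. The UA string `Inspathx/EXAMPLE` is a placeholder; the real signature content is not on this page.

```python
# Constructed model of Snort-style content matches; no real rule text is reproduced.
UA = b"User-Agent: Inspathx/EXAMPLE"      # placeholder for content:"User-Agent\: ...";
UA_CRLF = b"\r\n" + UA                    # placeholder for content:"|0d 0a|User-Agent\: ...";

def hit_plain(payload: bytes) -> bool:
    """Case-sensitive match anywhere in the payload (no nocase, no CRLF anchor)."""
    return UA in payload

def hit_crlf_anchored(payload: bytes) -> bool:
    """Same string preceded by CRLF, so it only hits a line that starts with the header."""
    return UA_CRLF in payload

def has_user_agent(payload: bytes) -> bool:
    """Positive form of content:!"|0d 0a|User-Agent\\: " evaluated on one payload."""
    return b"\r\nUser-Agent: " in payload

# Constructed samples
SCAN_REQUEST = (b"GET /index.php HTTP/1.1\r\nHost: target.test\r\n"
                + UA + b"\r\nAccept: */*\r\n\r\n")

# An HTTP response whose body merely quotes the UA string (e.g. a served rules file).
RULES_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
              b"Scanner UA listed in emerging-all.rules: " + UA + b" (ET SCAN)\r\n")

# Request headers split across two TCP segments; User-Agent only in the second one.
SEG1 = b"GET /index.php HTTP/1.1\r\nHost: target.test\r\nCookie: " + b"x" * 40 + b"\r\n"
SEG2 = b"Referer: http://target.test/\r\n" + UA + b"\r\n\r\n"

def per_packet_missing_ua(segments) -> bool:
    """What a non-reassembling check sees: alert if the first segment lacks the header."""
    return not has_user_agent(segments[0])

def stream_missing_ua(segments) -> bool:
    """The same negated check on the reassembled stream."""
    return not has_user_agent(b"".join(segments))
```

The per-segment negated check fires on SEG1 even though the full request carries a User-Agent, which is the false alert described in the thread.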