We occasionally write signatures for the Snort IDS, especially for attacks that are just out, or for which no Snort signatures are available as yet.
Snort SACK TCP Option Handling Remote Denial of Service Issue
A vulnerability has been identified in Snort which could be exploited by remote attackers to cause a denial of service. The flaw is an error in the "PrintTcpOptions()" function [log.c], which does not properly handle specially crafted TCP packets containing malformed SACK options; a remote attacker could use such packets to crash a vulnerable instance. Note: this vulnerability exists only when Snort is run in verbose mode.
alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"malformed Sack --Snort DoS-by-$um$id"; seq:0; ack:0; window:65535; dsize:0; sid:5000009211; rev:1; classtype:attempted-dos;)
References
FrSIRT Advisory : FrSIRT/ADV-2005-1721
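The flaw above sits in code that walks the TCP options list. As an added illustration (this is not Snort's code and not the patch), here is a small Python parser for the TCP options area that checks each option's length field before using it, so that the SACK encodings a naive printer would walk off the end of are reported instead of dereferenced. The option blobs at the bottom are constructed samples, not captured packets.

```python
import struct

# TCP option kinds (RFC 793 / RFC 2018)
OPT_EOL = 0
OPT_NOP = 1
OPT_SACK = 5


def parse_tcp_options(opts):
    """Parse the TCP options area of a header.

    Returns (options, errors): options is a list of (kind, data) tuples,
    errors is a list of strings describing the malformed encoding found.
    Parsing stops at the first malformed option rather than reading past it.
    """
    options, errors = [], []
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            options.append((kind, b""))
            i += 1
            continue
        # Every other option carries a length byte covering kind + len + data.
        if i + 1 >= n:
            errors.append("option kind %d truncated: no length byte" % kind)
            break
        length = opts[i + 1]
        if length < 2:
            # Length 0 or 1 would make the walk stand still or go backwards;
            # this is the class of malformed option a naive printer trips on.
            errors.append("option kind %d has illegal length %d" % (kind, length))
            break
        if i + length > n:
            errors.append("option kind %d length %d runs past end of options (%d bytes left)"
                          % (kind, length, n - i))
            break
        data = opts[i + 2:i + length]
        if kind == OPT_SACK and (len(data) == 0 or len(data) % 8 != 0):
            # A SACK option carries 1..4 blocks of two 32-bit sequence numbers.
            errors.append("SACK option data length %d is not a multiple of 8" % len(data))
            break
        options.append((kind, data))
        i += length
    return options, errors


def sack_blocks(data):
    """Decode validated SACK option data into (left edge, right edge) pairs."""
    return [struct.unpack("!II", data[j:j + 8]) for j in range(0, len(data), 8)]


# Constructed samples (not real captures):
GOOD_OPTS = bytes([1, 1, 5, 10]) + struct.pack("!II", 1000, 2000)  # NOP NOP SACK len=10, one block
BAD_LEN_ZERO = bytes([1, 1, 5, 0, 0, 0])                             # SACK with length 0
BAD_OVERRUN = bytes([5, 18]) + struct.pack("!II", 1, 2)              # claims 18 bytes, only 10 present
BAD_ODD_SACK = bytes([5, 7, 1, 2, 3, 4, 5])                           # 5 data bytes, not whole blocks

if __name__ == "__main__":
    for name, raw in [("good", GOOD_OPTS), ("len0", BAD_LEN_ZERO),
                      ("overrun", BAD_OVERRUN), ("odd", BAD_ODD_SACK)]:
        opts, errs = parse_tcp_options(raw)
        print(name, opts, errs)
```

The three checks (length at least 2, length within the remaining bytes, SACK data a whole number of 8-byte blocks) are the ones any decoder of this option list needs before it touches the data; the verbose printer on the page lacked them.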
Microsoft ASN.1 Buffer Overflow Exploit
Two serious vulnerabilities have been discovered in Microsoft's implementation of the ASN.1 library. A denial-of-service exploit for these vulnerabilities was released on 17th Feb. The exploit crashes the lsass.exe service, after which the system automatically reboots. The signature shown below detects attempts to use this code against the vulnerability.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NII Microsoft ASN.1 Library Buffer Overflow Exploit"; content:"|A1 05 23 03 03 01 07|"; flow:to_server,established; classtype:bad-unknown; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.asp; sid:7001; rev:1;)
References
Microsoft's MS04-007 bulletin: http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
ASN.1 Denial of Service Exploit
http://www.securiteam.com/exploits/5PP0D1FC0O.html
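The rule above matches on a Snort content string written in pipe-delimited hex. As an added example (not Snort's matcher and not part of the original page), the Python below translates a content value mixing literal text and |hex| blocks into raw bytes and applies it to a payload with the offset, depth and nocase modifiers. The NetBIOS-looking payload is constructed to contain the byte sequence from the rule; it is not a real capture.

```python
import re


def snort_content_to_bytes(content):
    """Translate a Snort 'content' value into the raw bytes it matches.

    Text outside a |...| pair is literal; inside the pair is a run of two-digit
    hex bytes separated by whitespace, e.g. "|A1 05 23 03 03 01 07|".
    A backslash outside a hex block escapes the next character (pipe, quote, semicolon).
    """
    out = bytearray()
    i, n = 0, len(content)
    while i < n:
        c = content[i]
        if c == "|":
            end = content.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated hex block in content string")
            for h in content[i + 1:end].split():
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", h):
                    raise ValueError("bad hex byte %r in content string" % h)
                out.append(int(h, 16))
            i = end + 1
        elif c == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash in content string")
            out += content[i + 1].encode("latin-1")
            i += 2
        else:
            out += c.encode("latin-1")
            i += 1
    return bytes(out)


def content_matches(content, payload, offset=0, depth=None, nocase=False):
    """Emulate Snort's content test: look for the pattern inside
    payload[offset:offset+depth] (whole payload from offset when depth is None)."""
    pattern = snort_content_to_bytes(content)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


# Content string from the rule on the page, and a constructed sample payload.
ASN1_CONTENT = "|A1 05 23 03 03 01 07|"
SAMPLE_PAYLOAD = (
    b"\x00\x00\x00\x2c"              # NetBIOS session header (constructed)
    + b"\xffSMB" + b"\x00" * 12      # filler standing in for an SMB header
    + bytes.fromhex("a1052303030107")  # the bytes the signature looks for
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(snort_content_to_bytes(ASN1_CONTENT).hex())
    print(content_matches(ASN1_CONTENT, SAMPLE_PAYLOAD))
    print(content_matches(ASN1_CONTENT, SAMPLE_PAYLOAD, depth=8))
```

Because content matching is an exact byte comparison, a seven-byte pattern like this one is precise but also brittle: a reworked exploit that changes any of those bytes will not fire the rule, which is why such signatures are tied to one released exploit rather than to the vulnerability itself.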
SQL Injection
A number of signatures are available for SQL injection, including some in the default Snort rules. However, these can be bypassed by converting the malicious input into its hex equivalents, or vice versa. The signatures given below are for various levels of paranoia. The simplest of them checks only for the presence of a single quote or a double dash; depending on how your website is structured, this may produce a number of false positives. These signatures are written using Perl-Compatible Regular Expressions. More information on PCRE is available at www.pcre.org
Signature 1 - detects single-quote and double-dash
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII SQL Injection - Paranoid"; flow:to_server,established; pcre:"/(\%27)|(\')|(%2D%2D)|(\-\-)/i"; classtype:web-application-attack; sid:7002; rev:1;)
PCRE is:
/(\%27)|(\')|(%2D%2D)|(\-\-)/i
Signature 2 - detects a typical SQL injection attack, such as 1' or some_boolean_expression
PCRE is:
/\w*((\%27)|')(\s|\+)*((\%6F)|o|(\%4F))((\%72)|r|(\%52))/i
Signature 3 - detects the use of UNION, a strong indication of an attack
PCRE is:
/((\%27)|')(\s|\+)*union/i
Signature 4 - detects calls to MS SQL stored or extended procedures
PCRE is:
/exec(\s|\+)+(s|x)p\w+/i
Cross-Site Scripting
Signatures exist for detecting cross-site scripting attacks as well. However, these are too specific and can easily be evaded by using hex equivalents of non-special HTML characters, or by URL-encoding the special characters. The signatures given here look for both ASCII and URL-encoded characters, in upper or lower case, or any combination of these. Also, instead of looking for a specific tag such as <SCRIPT>, we look for the presence of any HTML tag.
Signature 1 - detects anything sent within angled brackets
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-site scripting attempt"; flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:web-application-attack; sid:7003; rev:1;)
PCRE is:
/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i
Signature 2 - detects javascript embedding using the <img src> tag
PCRE is:
/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/i
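To see which of the SQL injection and cross-site scripting patterns above fire on which inputs, here is an added example (not from the original page) that runs all six PCREs over a set of constructed HTTP request lines with Python's re module standing in for PCRE (the constructs used are common to both). Signature 2 for SQL injection is written with the two quote forms grouped together so that both the quote and the "or" are required, which is assumed to be the intended rule. The request lines are made up for the demonstration and include a benign value with an apostrophe and a double-URL-encoded tag, so that the false positive the text warns about and one evasion the patterns do not cover are both visible.

```python
import re

# PCREs from the page's SQL-injection and cross-site-scripting signatures.
# "sqli-quote-or" groups the quote alternatives so the quote AND the "or" are
# both required (assumption about the intended rule).
SIGNATURES = {
    "sqli-paranoid":  r"(\%27)|(\')|(%2D%2D)|(\-\-)",
    "sqli-quote-or":  r"\w*((\%27)|')(\s|\+)*((\%6F)|o|(\%4F))((\%72)|r|(\%52))",
    "sqli-union":     r"((\%27)|')(\s|\+)*union",
    "sqli-exec-proc": r"exec(\s|\+)+(s|x)p\w+",
    "xss-any-tag":    r"((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)",
    "xss-img-tag":    r"((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)",
}
# Snort's /i flag corresponds to re.IGNORECASE.
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}


def matching_signatures(request_line):
    """Return the names of every signature whose PCRE matches the request line,
    in the order they are defined above. Snort applies pcre to the packet
    payload; the request line stands in for it here."""
    return [name for name, rx in COMPILED.items() if rx.search(request_line)]


# Constructed request lines (not real traffic): plain, URL-encoded, mixed case,
# double-encoded, and one benign value containing an apostrophe.
SAMPLES = [
    "GET /login.asp?user=admin'+or+1=1-- HTTP/1.0",
    "GET /login.asp?user=admin%27%20OR%201=1 HTTP/1.0",
    "GET /products.asp?id=1%27+UNION+SELECT+null,null HTTP/1.0",
    "GET /search.asp?q=exec+xp_cmdshell HTTP/1.0",
    "GET /guestbook.asp?name=O'Brien HTTP/1.0",
    "GET /comment.asp?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0",
    "GET /comment.asp?msg=<IMG SRC=javascript:alert('xss')> HTTP/1.0",
    "GET /comment.asp?msg=%253Cscript%253E HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("%-70s -> %s" % (line, matching_signatures(line) or "no match"))
```

Three things the run makes visible: the O'Brien request trips only the paranoid signature (the false positive from the text); the "admin%27%20OR" request trips only the paranoid signature, because (\s|\+)* accepts a literal space or a plus but not an encoded %20; and the double-encoded %253Cscript%253E trips nothing, since neither %3C nor < appears contiguously. Note also that the "any tag" pattern matches only a bare tag name followed directly by the closing bracket, so a tag with attributes such as <IMG SRC=...> is caught by the img signature rather than the general one.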