Cisco Employee

Cisco Secure IDS/NetRanger Custom String Match Signature for Remote Buffer Overflow in Microsoft Index Server ISAPI Extension in IIS 4.0 and 5.0

You can create the following custom string match to catch the exploitation of a buffer overflow for web servers running Microsoft Windows NT and Internet Information Services (IIS) 4.0 or Windows 2000 and IIS 5.0. Note that the indexing service in the Windows XP beta is also vulnerable.

The security advisory describing this vulnerability is at: http://www.eeye.com/html/Research/Advisories/AD20010618.html

Microsoft has released a patch for this vulnerability that can be downloaded from: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

This signature will be included in an upcoming signature update. Cisco Systems recommends that you upgrade your sensors to the 2.2.1.8 or 2.5(1)S2 signature update prior to implementing this signature. These signature updates are available at: <http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids.shtml>

***************************************************************

There are 2 specific custom string match signatures to address this issue.

The first signature fires on an attempted buffer overflow on the Indexing Server ISAPI Extension combined with an attempt to pass shellcode to the server to gain privileged access. This signature will fire only on the attempt to pass shellcode to the target service in an attempt to gain full SYSTEM level access. One possible problem that results is that if the attacker does not try to pass any shellcode, but just runs the buffer overflow against the service in an attempt to crash IIS, creating a DoS, this signature will not fire.

If the customer wants to attempt to identify attackers trying to run the DoS attack only, a second signature is included. This second signature addresses the DoS attack only to the extent that it will fire on any attempt to access the indexing service. If the customer is actively using the indexing service, this alarm will false positive EVERY TIME the service gets used and therefore the customer should probably not use this signature. If the site does not have the index service configured and being used then the best advice is to use both signatures.

Signature 1
******************************************
Index Server Access with Attempted Exploitation

String: "[Gg][Ee][Tt].*[.][Ii][Dd][Aa][\x00-\x7f]+[\x80-\xff]"
Occurrences: 1
Port: 80

If you have Web servers listening on other TCP ports (e.g., 8080), you will need to create a separate custom string match for each port number.

Recommended Alarm Severity Level: High (CSPM), 5 (Unix Director)
Direction: TO

***************************************************************

Signature 2
******************************************
Index Server Access

String: "[Gg][Ee][Tt].*[.][Ii][Dd][Aa][?]"
Occurrences: 1
Port: 80

If you have Web servers listening on other TCP ports (e.g., 8080), you will need to create a separate custom string match for each port number.

Recommended Alarm Severity Level: High (CSPM), 5 (Unix Director)
Direction: TO

******************************************

Munawar Hossain
IDS Product Manager
Cisco Systems Inc.
(512)378-1212
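As an added example (not part of the post and not Cisco code), the following Python runs the two signature strings above against constructed HTTP requests, one per case the post describes: legitimate indexing-service use, an oversized all-ASCII query (the DoS-only case signature 1 misses), and an oversized query followed by high-bit bytes (where both fire). It models the appliance's dot as matching anything except CR and LF, so the patterns are translated for Python's re module; the request samples and label names are constructed for illustration.

```python
"""Run the post's two custom string match signatures over constructed HTTP
requests to show which one alarms in each case the post describes (added
example; not Cisco code, and the requests are not real captures)."""
import re

# Signature strings exactly as given in the post.
SIGNATURES = {
    "Index Server Access with Attempted Exploitation":
        rb"[Gg][Ee][Tt].*[.][Ii][Dd][Aa][\x00-\x7f]+[\x80-\xff]",
    "Index Server Access":
        rb"[Gg][Ee][Tt].*[.][Ii][Dd][Aa][?]",
}

def to_python_regex(appliance_pattern: bytes) -> re.Pattern:
    """Compile an appliance pattern for Python's re. The appliance's '.' skips
    CR and LF but Python's only skips LF, so the unbracketed '.*' becomes
    '[^\\r\\n]*' ('[.]' is a literal dot and is untouched); bytes patterns make
    [\\x80-\\xff] test raw octets rather than decoded code points."""
    return re.compile(appliance_pattern.replace(b".*", rb"[^\r\n]*"))

COMPILED = {name: to_python_regex(p) for name, p in SIGNATURES.items()}

def fired_signatures(request: bytes) -> list[str]:
    """Names of the signatures that would alarm on this request."""
    return [name for name, rx in COMPILED.items() if rx.search(request)]

FILLER = b"N" * 240  # oversized query value standing in for the overflow
SAMPLES = {  # constructed requests covering the cases discussed in the post
    # Normal indexing-service use: only signature 2 alarms (the false positive
    # the post warns about).
    "legitimate_index_query": b"GET /query.ida?CiRestriction=report HTTP/1.0\r\n\r\n",
    # Oversized but all-printable query (crash/DoS case): signature 1 is silent.
    "dos_only_overflow": b"GET /default.ida?" + FILLER + b" HTTP/1.0\r\n\r\n",
    # High-bit bytes after the headers: both alarm. [\x00-\x7f]+ includes CR/LF,
    # so signature 1 spans from '.ida' through the headers into the body.
    "overflow_with_binary_body": (b"GET /default.ida?" + FILLER
                                  + b" HTTP/1.0\r\nHost: www\r\n\r\n\xde\xad\xbe\xef"),
    # No '?' after .ida: signature 2 needs the query string and stays silent.
    "ida_without_query": b"GET /default.ida HTTP/1.0\r\n\r\n",
    # Mixed case is handled by the [Gg][Ee][Tt] and [Ii][Dd][Aa] classes.
    "mixed_case_query": b"get /DEFAULT.IDA?x=1 HTTP/1.0\r\n\r\n",
    "unrelated_request": b"GET /index.html HTTP/1.0\r\n\r\n",
}

def evaluate_samples() -> dict[str, list[str]]:
    return {label: fired_signatures(req) for label, req in SAMPLES.items()}

if __name__ == "__main__":
    for label, fired in evaluate_samples().items():
        print(f"{label:28s} -> {fired or ['(no alarm)']}")
```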

5 REPLIES
New Member

Re: Cisco Secure IDS/NetRanger Custom String Match Signature for

This is great information! Is the format to create a custom string match documented anywhere? The manual says you can use regular expressions, but doesn't explain what format they are in, what special characters represent, etc.

For example: what does the period outside of the square brackets mean? What does the plus sign mean, etc.? Any insight would be appreciated.

Cisco Employee

Re: Cisco Secure IDS/NetRanger Custom String Match Signature for

In general, the regular expression language is modeled after the one used by Perl. It is not exactly the same and not nearly as complete, but the Perl reference should give you a good place to start.

Cisco Employee

Re: Cisco Secure IDS/NetRanger Custom String Match Signature for

Here is the 'official' regular expression syntax that the CSIDS appliance supports.

(column formatting lost)

Metacharacter  Name                      Description
=============  ========================  ============================================================
?              question mark             repeat 0 or 1 times
*              star, asterisk            repeat 0 or more times
+              plus                      repeat 1 or more times
{x}            quantifier                repeat exactly x times
{x,}           minimum quantifier        repeat at least x times
.              dot                       any one character except \r and \n
[abc]          character class           any character listed
[^abc]         negated character class   any character NOT listed
[a-z]          character range class     any character listed inclusively in range
( )            parenthesis               used to limit scope of other Metacharacters
^              caret                     the position at the start of line
\char          escaped character         When char is a metacharacter or not, matches the literal char
char           character                 When char is not a metacharacter, matches the literal char
\r             carriage return           matches carriage return character (0x0D)
\n             line feed                 matches line feed character (0x0A)
\t             tab                       matches tab character (0x09)
\f             formfeed                  matches formfeed character (0x0C)
\xNN           escaped hex character     matches character with hexadecimal code 0xNN (0<=N<=F)
\NNN           escaped octal character   matches character with octal code NNN (0<=N<=8)

-Blaine

New Member

Re: Cisco Secure IDS/NetRanger Custom String Match Signature for

Thank you so much for supplying this information. It has been really frustrating trying to do this one on my own (my first). When I look how quickly the open source IDS systems are getting new sig updates (24 hours in some cases), the NetRangers have been frustrating. But y'all came through this time, so thank you very, very much!

Cisco Employee

Re: Cisco Secure IDS/NetRanger Custom String Match Signature for

Thanks, it'll get better with the 3.0 release.
