[Intrusions] Assessing Your Malware Exposure with Snort

Nick FitzGerald nick at virus-l.demon.co.uk
Sat Mar 12 10:50:16 GMT 2005


Brian to Cory.Bys at fbol.com:

<<snip>>
> > - What is the significance of allowing multiple whitespace with \s*?
> > I have never seen a real-world example where "Host:" was not
> > followed by only one space.
> 
> When I write rules, I try and remove as many potential false negatives
> as possible.  0 or more whitespace characters are allowed.  Some day,
> some where, a web browser might remove whitespace to save in bandwidth
> and your rule would then be broken.

Two observations from CodeRed...

CodeRed uses _no_ spaces -- recall "HOST:www.worm.com" ???

Many CodeRed samples I have seen have had subtle normalizations applied 
to them, most commonly the removal of one of the pair of spaces at 
offset 0x017C and the "correction" of the LF at 0x019C to a CRLF pair 
at 0x019B (as this is a data-only section of the worm this pair of 
changes does not affect its functionality).

The former is by design, but the latter probably occurs because of a 
cautiously standards-compliant transparent proxy or some other gateway 
device "smartly" rewriting the data stream it is processing.

Of course, these are not directly relevant to the specific cases you 
are discussing, but they should be useful data points to keep in mind.


Regards,

Nick FitzGerald
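As an added illustration, not part of the original post or of any Snort rule: a small Python check of the three whitespace conventions discussed in this thread (exactly one space, `\s*`, and horizontal whitespace only) against constructed request samples. The "HOST:www.worm.com" sample follows the CodeRed observation above; the empty-value sample is an assumed edge case showing that `\s*` also consumes the CRLF and captures the next header's name.

```python
import re

# Three ways of writing the "Host:" match under discussion. Case-insensitive,
# because CodeRed sent the header name in upper case ("HOST:").
PATTERNS = {
    "one_space": re.compile(r"^Host: (\S+)", re.I | re.M),   # exactly one space
    "any_ws": re.compile(r"^Host:\s*(\S+)", re.I | re.M),    # zero or more \s
    "horiz_ws": re.compile(r"^Host:[ \t]*(\S+)", re.I | re.M),  # space/tab only
}

# Constructed request samples (not real captures).
SAMPLES = {
    "single_space": "GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "no_space": "GET / HTTP/1.0\r\nHOST:www.worm.com\r\n\r\n",
    "double_space": "GET / HTTP/1.0\r\nHost:  www.example.com\r\n\r\n",
    # Assumed edge case: empty Host value followed by another header.
    "empty_value": "GET / HTTP/1.0\r\nHost:\r\nConnection: close\r\n\r\n",
}


def extract_host(request, pattern_name):
    """Return the captured host value for one pattern, or None on no match."""
    m = PATTERNS[pattern_name].search(request)
    return m.group(1) if m else None


def matrix():
    """Sample name -> pattern name -> captured value (None = false negative)."""
    return {
        name: {p: extract_host(req, p) for p in PATTERNS}
        for name, req in SAMPLES.items()
    }


if __name__ == "__main__":
    for sample, results in matrix().items():
        print(sample, results)
```

Note that `\s*` on the empty-value sample runs across the CRLF and reports "Connection:" as the host, while `[ \t]*` stays on the header line and simply fails to match.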




More information about the Intrusions mailing list