[Snort-sigs] Some sigs from the peanut gallery...

Erik Fichtner emf at ...4...
Mon Oct 9 15:46:41 EDT 2000

# You know you're owned when you see:
alert tcp $HOME_NET any -> any any (msg: "MISC - id check returned root"; content: "uid=0(root)";)

# sometimes handy for spotting web kiddies..
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"WEB - 403 Forbidden";flags:PA; content:"HTTP/1.1 403";)

# Just spotted this one on bugtraq this morning...
alert tcp any any -> $HOME_NET 80 (msg:"WEB - WebStore Directory Traversal"; content:"web_store.cgi?page=../..";)

And a minor complaint..  the signature:
alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP - Exploitable proftpd 1.2 server running"; content:"proftpd 1.2"; nocase;)

should really be matching "proftpd 1.2.0pre" not "proftpd 1.2".  rc2 is okay! 
(for now, anyway)

Erik Fichtner
Security Administrator, ServerVault, Inc.

More information about the Snort-sigs mailing list