[Snort-sigs] SID 1651

Dan Hanson dhanson at ...113...
Thu Aug 29 14:01:06 EDT 2002


snortrulescurrent-020829/web-cgi.rules:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-CGI enivorn.pl access"; flow:to_server,established;
uricontent:"/enivron.pl"; nocase; classtype:web-application-activity;
sid:1651;  rev:3;)

Seems to me that this rule is in desperate need of a spell checker. As far
as I can tell, there does not exist a Perl script archived by Google that
answers to the name of "enivorn.pl" or "enivron.pl".

My conclusion is that this SHOULD be environ.pl, of which there are
numerous scripts by that name. Is there one in particular that this rule
should be looking for?

--
Dan Hanson
TMS Threat Analyst
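
An added example, not part of the original message or of the Snort project: a small rule-QA check that flags a rule whose msg and uricontent name different but near-identical scripts, which is the inconsistency reported above. The function names and the 0.7 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: the rule text as quoted in the message above.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-CGI enivorn.pl access"; flow:to_server,established; '
    'uricontent:"/enivron.pl"; nocase; classtype:web-application-activity; '
    'sid:1651;  rev:3;)'
)

# keyword, optionally followed by ":" and a quoted or bare value, then ";"
OPTION_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
# file-name-like token such as "name.pl"
FILE_RE = re.compile(r'[\w.-]+\.\w+')


def parse_options(rule):
    """Return the rule's options as a list of (keyword, value) pairs."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    return [(m.group(1), (m.group(2) or '').strip().strip('"'))
            for m in OPTION_RE.finditer(body)]


def script_names(opts, keyword):
    """Lower-cased file-name-like tokens found in one option keyword."""
    names = set()
    for key, value in opts:
        if key == keyword:
            names.update(m.group(0).lower() for m in FILE_RE.finditer(value))
    return names


def lint(rule, threshold=0.7):
    """Return (sid, msg_name, uri_name) for names that differ but nearly match."""
    opts = parse_options(rule)
    sid = next((v for k, v in opts if k == 'sid'), '?')
    in_msg = script_names(opts, 'msg')
    in_uri = script_names(opts, 'uricontent')
    findings = []
    for m in sorted(in_msg - in_uri):
        for u in sorted(in_uri - in_msg):
            # Similar but unequal names suggest a typo in one or both options.
            if SequenceMatcher(None, m, u).ratio() >= threshold:
                findings.append((sid, m, u))
    return findings


if __name__ == '__main__':
    for sid, m, u in lint(RULE):
        print(f'sid {sid}: msg names "{m}" but uricontent matches "{u}"')
```

The check only reports disagreement between the two options; a rule that misspells the name the same way in both would pass, so the intended file name still has to be confirmed separately.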




