[Snort-sigs] sid 1003 scenario requested

Chris Green cmg at ...26...
Wed Jan 16 13:20:06 EST 2002

I'm slowly marching through and picking random rules to document but
this is another that is past my ability to see

I kinda ask them as I see them

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
         (msg:"WEB-IIS cmd? acess";flags: A+; content:".cmd?&"; nocase; \
         classtype:web-application-attack; sid:1003; rev:2;)

I can see having cmd? being vaguely possible but ".cmd?&" ?  What

POST http://www/weee


access is misspelled too..
Chris Green <cmg at ...26...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
