[Snort-sigs] sid 1003 scenario requested
cmg at ...26...
Wed Jan 16 13:20:06 EST 2002
I'm slowly marching through and picking random rules to document but
this is another that is past my ability to see
I kinda ask them as I see them
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"WEB-IIS cmd? acess";flags: A+; content:".cmd?&";
classtype:web-application-attack; sid:1003; rev:2;)
I can see having cmd? being vaguley possible but ".cmd?&" ? What
access is misspelled too..
Chris Green <cmg at ...26...>
"Not everyone holds these truths to be self-evident, so we've worked
up a proof of them as Appendix A." -- Paul Prescod
More information about the Snort-sigs