[Snort-sigs] PHPNuke rule

Michael Boman michael.boman at ...267...
Fri Jan 18 04:59:02 EST 2002


On Friday 18 January 2002 20:00, Michael Boman wrote:
> alert TCP $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"PHP-Nuke remote loading of PHP files exploit"; uricontent:"/index.php?file=http"; nocase; dsize: >24; flags: A+; classtype:web-application-attack;)
>
> Why dsize: >24 ?
>
> Smallest GET request I could think of is:
>
> GET /?file=http://xx.xx/y
>
> xx.xx = website address.. Minimum no# of char in a domain = 2 + top-domain (2)
> y = script name
>
> Any comments?
>
> Best regards
>  Michael Boman

The vulnerability has Bugtraq ID 3889.

reference:bugtraq, 3889

should be inserted somewhere in the rule.

Best regards
 Michael Boman

-- 
Michael Boman       Mobile: +65 96942601  750C Chai Chee Road
Security Architect  Phone : +65 243 6800  #04-01
SecureCiRT          Fax   : +65 441 5119  Singapore 469003
http://www.securecirt.com mailto:michael.boman at ...267...

GnuPG: FA4E C6CC B73E 320E 3349  C64F 76CE 5F40 98AB 689C
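
An added example (not part of the original post and not Snort code): a simplified Python model of the rule's `dsize` and `uricontent` options, run over constructed payloads to show how the `dsize: >24` bound relates to the `uricontent` string. It assumes a single-packet request and does not model flags, addresses, ports or Snort's URI normalization; `evaluate`, `request_uri`, `min_get_payload_for_uricontent` and `SAMPLES` are names made up here.

```python
import re

# Payload options transcribed from the rule in the post.
URICONTENT = "/index.php?file=http"  # uricontent, compared case-insensitively (nocase)
DSIZE_MIN = 24                       # dsize: >24

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "post_minimum": b"GET /?file=http://xx.xx/y",
    "index_php": b"GET /index.php?file=http://xx.xx/y",
    "mixed_case": b"GET /INDEX.PHP?File=HTTP://xx.xx/y HTTP/1.0\r\n\r\n",
    "local_file": b"GET /index.php?file=news HTTP/1.0\r\n\r\n",
}

def request_uri(payload):
    """Return the URI from the request line, or None if there is none."""
    m = re.match(rb"[A-Z]+ (\S+)", payload)
    return m.group(1).decode("latin-1") if m else None

def evaluate(payload):
    """Apply the dsize and uricontent tests to one packet payload."""
    uri = request_uri(payload)
    dsize_ok = len(payload) > DSIZE_MIN
    uri_ok = uri is not None and URICONTENT.lower() in uri.lower()
    return {"dsize": len(payload), "dsize_ok": dsize_ok,
            "uricontent_ok": uri_ok, "alert": dsize_ok and uri_ok}

def min_get_payload_for_uricontent():
    """Smallest GET payload that can contain the uricontent string at all."""
    return len(b"GET ") + len(URICONTENT)

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, evaluate(payload))
    print("min GET payload matching uricontent:", min_get_payload_for_uricontent())
```

In this model the 25-byte request used to derive the bound passes `dsize` but not `uricontent`, and a GET payload that contains the `uricontent` string is already 24 bytes before anything follows `http`.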



