[Snort-sigs] PHPNuke rule

Brian (Automail) bmc at ...95...
Fri Jan 18 22:55:01 EST 2002


On Fri, Jan 18, 2002 at 08:00:00PM +0800, Michael Boman wrote:
> alert TCP $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"PHP-Nuke remote loading 
> of PHP files exploit"; uricontent:"/index.php?file=http"; nocase; dsize: 
> >24; flags: A+; classtype:web-application-attack;)
> 
> Why dsize: >24 ?
> Smallest GET request I could think of is:
> 
> GET /?file=http://xx.xx/y

Your signature is a false negative. You require "index.php", but in your example
you use /.

Also, PHP transparently handles GET/POST. Since it does, you can't expect
"?file=http" in an attempt, only "file=http".

Also, does anyone know if PHP will download things via other protocols?  I 
suspect it will download via FTP as well, but I don't have it installed 
right now.

When I get to a place where I can do a CVS commit, I'll be adding a
modified version of this sig in experimental.rules with SID of 1399.

-brian
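The two gaps Brian points out above (the rule assumes the path is `/index.php` and that `file=` is the first query parameter, and it never looks at a POST body even though PHP treats GET and POST parameters alike) can be shown side by side with a small Python checker. This is an added example, not code from the post or from the Snort project. The raw HTTP requests are constructed samples; `uricontent_match` reproduces only the quoted rule's `uricontent` check (the `dsize` and `flags` options are ignored), while `parameter_match` decodes the query string and any form body and flags a `file` parameter whose value starts with a remote URL scheme. The `schemes` argument is an assumption of this example: it defaults to `http`, and `ftp` can be added once the FTP question in the post is settled.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests (not from the original post). Each one is a
# raw HTTP/1.0 request as it would appear on the wire.
SAMPLE_REQUESTS = [
    # 0: exactly the shape the quoted rule expects
    b"GET /index.php?file=http://xx.xx/y HTTP/1.0\r\nHost: victim\r\n\r\n",
    # 1: Michael's shortest form, no index.php in the path
    b"GET /?file=http://xx.xx/y HTTP/1.0\r\nHost: victim\r\n\r\n",
    # 2: same parameter delivered in a POST body (PHP reads it the same way)
    b"POST /index.php HTTP/1.0\r\nHost: victim\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 23\r\n\r\nfile=http://xx.xx/y&x=1",
    # 3: file= is not the first parameter, so "?file=http" never occurs
    b"GET /index.php?name=News&file=http://xx.xx/y HTTP/1.0\r\nHost: victim\r\n\r\n",
    # 4: benign request with a local file name
    b"GET /index.php?file=local.php HTTP/1.0\r\nHost: victim\r\n\r\n",
]


def parse_request(raw: bytes):
    """Split a raw request into (method, request-target, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ", 2)
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0], parts[1], body


def uricontent_match(raw: bytes) -> bool:
    """Emulate uricontent:"/index.php?file=http"; nocase; from the quoted rule.

    Only the request-target is inspected, and only for that literal substring.
    """
    _, target, _ = parse_request(raw)
    return b"/index.php?file=http" in target.lower()


def remote_include_params(raw: bytes, schemes=("http",)):
    """Return (name, value) pairs whose value is a remote URL.

    Parameters are taken from the query string and, for POST, from the
    form-encoded body as well, mirroring PHP's transparent GET/POST handling.
    """
    method, target, body = parse_request(raw)
    query = urlsplit(target.decode("latin-1")).query
    params = parse_qsl(query, keep_blank_values=True)
    if method == b"POST":
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    prefixes = tuple(s.lower() + "://" for s in schemes)
    return [(n, v) for n, v in params if v.lower().startswith(prefixes)]


def parameter_match(raw: bytes, schemes=("http",)) -> bool:
    """True when a 'file' parameter points at a remote URL, wherever it sits."""
    return any(n.lower() == "file" for n, _ in remote_include_params(raw, schemes))


def false_negatives(requests):
    """Indexes of requests the parameter check flags but the uricontent check misses."""
    return [i for i, r in enumerate(requests)
            if parameter_match(r) and not uricontent_match(r)]


if __name__ == "__main__":
    for i, r in enumerate(SAMPLE_REQUESTS):
        print(i, "uricontent:", uricontent_match(r), "parameter:", parameter_match(r))
    print("missed by the quoted rule:", false_negatives(SAMPLE_REQUESTS))
```

Running it shows the quoted rule matching only request 0, while the parameter-based check also catches requests 1 through 3 and still leaves the benign request 4 alone. A Snort rule cannot decode form bodies the way this script does, which is why Brian's suggestion is to match on the bare `file=http` rather than on the full `/index.php?file=http` string.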