[Snort-sigs] namespace collisions on msg:

Chris Green cmg at ...26...
Sun Jan 20 19:40:02 EST 2002


These rules are just specifics of viewcode type things

(msg:"WEB-IIS showcode access";
uricontent:"/SiteServer/Publishing/viewcode.asp"; flags: A+; nocase;
classtype:web-application-activity; sid:1031; rev:2;)

(msg:"WEB-IIS showcode access";
uricontent:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; flags:
A+; nocase; classtype:web-application-activity; sid:1032; rev:2;)

(msg:"WEB-IIS showcode access";
uricontent:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp";
flags: A+; nocase; classtype:web-application-activity; sid:1033;
rev:2;)

(msg:"WEB-IIS showcode access";
uricontent:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp";
flags: A+; nocase; classtype:web-application-activity; sid:1034;
rev:2;)

(msg:"WEB-IIS showcode access";
uricontent:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; flags: A+;
nocase; classtype:web-application-activity; sid:1035; rev:2;)

(msg:"WEB-IIS showcode access";
uricontent:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; flags: A+;
nocase; classtype:web-application-activity; sid:1036; rev:2;)

(msg:"WEB-IIS showcode.asp access";flags: A+;
uricontent:"/selector/showcode.asp"; nocase;
reference:cve,CAN-1999-0736; classtype:web-application-activity;
sid:1037; rev:2;)

(msg:"WEB-IIS viewcode.asp access"; uricontent:"/viewcode.asp";
nocase; flags:a+; classtype:web-application-activity; sid:1043;
rev:2;)

(msg:"WEB-MISC viewcode.jse access"; flags:A+;
uricontent:"/viewcode.jse"; reference:bugtraq,3715;
classtype:web-application-activity; sid:1389; rev:1;)

reference of:
http://www.securityfocus.com/infocus/1317
http://www.securityfocus.com/bid/167

lists

/iissamples/Exair/Howitworks/Codebrws.asp
/iissamples/Exair/Howitworks/Code.asp
/iissamples/Exair/Howitworks/Codebrw1.asp
/iissamples/sdk/asp/docs/codebrws.asp
/iissamples/sdk/asp/docs/codebrw2.asp
/msadc/Samples/selector/showcode.asp
/Sites/Knowledge/Membership/Inspired/ViewCode.asp
/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp
/Sites/Samples/Knowledge/Membership/Inspired/ViewCode.asp
/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp
/Sites/Samples/Knowledge/Push/ViewCode.asp
/Sites/Samples/Knowledge/Search/ViewCode.asp
/SiteServer/Publishing/viewcode.asp

Let's switch to

uricontent: "viewcode."; nocase;
uricontent: "showcode.asp"; nocase;
and a generic uricontent: "/iissamples"; depth: 11; "IIS Samples
Access"

maybe also a generic
uricontent: "/msadc/samples"; depth: 12;

and

uricontent: "/scripts/samples"; depth: 16;

I figure if it's in the same directory, it's never good for production
use.
-- 
Chris Green <cmg at ...26...>
You now have 14 minutes to reach minimum safe distance.
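
Added example, not part of the original message: a Python check of which of the listed sample paths are matched by the quoted rules and by the proposed generic patterns. The matching model (substring match, nocase folding, depth as a prefix window) is a simplifying assumption, and the function names are hypothetical.

```python
# Simplified model (assumption): uricontent is a substring match on the URI,
# "nocase" folds case, "depth" limits the search to the first N bytes.
LISTED = """
/iissamples/Exair/Howitworks/Codebrws.asp
/iissamples/Exair/Howitworks/Code.asp
/iissamples/Exair/Howitworks/Codebrw1.asp
/iissamples/sdk/asp/docs/codebrws.asp
/iissamples/sdk/asp/docs/codebrw2.asp
/msadc/Samples/selector/showcode.asp
/Sites/Knowledge/Membership/Inspired/ViewCode.asp
/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp
/Sites/Samples/Knowledge/Membership/Inspired/ViewCode.asp
/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp
/Sites/Samples/Knowledge/Push/ViewCode.asp
/Sites/Samples/Knowledge/Search/ViewCode.asp
/SiteServer/Publishing/viewcode.asp
""".split()
# uricontent patterns of sids 1031-1037 and 1043 (all nocase), then sid 1389.
CURRENT = [(p, True, None) for p in """
/SiteServer/Publishing/viewcode.asp
/Sites/Knowledge/Membership/Inspired/ViewCode.asp
/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp
/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp
/Sites/Samples/Knowledge/Push/ViewCode.asp
/Sites/Samples/Knowledge/Search/ViewCode.asp
/selector/showcode.asp
/viewcode.asp
""".split()] + [("/viewcode.jse", False, None)]
# Patterns proposed in the message: (pattern, nocase, depth) as written there.
PROPOSED = [("viewcode.", True, None), ("showcode.asp", True, None),
            ("/iissamples", False, 11), ("/msadc/samples", False, 12),
            ("/scripts/samples", False, 16)]

def matches(uri, pattern, nocase, depth):
    window = uri if depth is None else uri[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window

def fired(uri, rules):
    # Patterns from `rules` that match `uri`.
    return [p for p, nocase, depth in rules if matches(uri, p, nocase, depth)]

def uncovered(paths, rules):
    # Paths that no pattern in `rules` matches.
    return [u for u in paths if not fired(u, rules)]

if __name__ == "__main__":
    for name, rules in (("current", CURRENT), ("proposed", PROPOSED)):
        print(name, len(rules), "patterns, missed:", uncovered(LISTED, rules))
```

Under this model the nine quoted rules leave the five /iissamples paths unmatched, while the five proposed patterns match all thirteen listed paths.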