[Snort-sigs] SID845 update
Andreas.Busch at ...300...
Wed Jan 23 04:36:17 EST 2002
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI AT-admin.cgi access"; flags: A+; uricontent:"/AT-admin.cgi"; nocase; classtype:attempted-recon; sid:845; rev:1;)
Someone tried to access the administration page of your local websites
An attacker might be able to change your website's search engine indexing
and/or may access
non-public document trees as well as the search-index database could be
Excite is a search engine which can be included on your own web server to
index those local
documents. Access to the AT-admin.cgi therefore should be at least password
An attacker sends an HTTP-Request like:
Ease of Attack:
Fairly simple hand-crafting of URLs by the attacker.
Examine the packet to determine what was accessed by the user. If you're
and the access was successful (200 OK), investigate your search engine and
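
Added example, not part of the original post or of Snort: a small web server log triage that mirrors the rule's case-insensitive "/AT-admin.cgi" match and separates successful (200 OK) accesses from denied or failed ones. The log lines, addresses, verdict labels and the choice to match only the decoded path component are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jan/2002:04:10:01 -0500] "GET /cgi-bin/AT-admin.cgi HTTP/1.0" 200 5120
192.0.2.11 - - [23/Jan/2002:04:11:12 -0500] "GET /cgi-bin/at-ADMIN.cgi?x=1 HTTP/1.0" 401 401
192.0.2.12 - - [23/Jan/2002:04:12:30 -0500] "GET /cgi-bin/AT%2Dadmin.cgi HTTP/1.0" 404 210
192.0.2.13 - - [23/Jan/2002:04:13:44 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.14 - - [23/Jan/2002:04:14:02 -0500] "GET /search?q=/AT-admin.cgi HTTP/1.0" 200 880
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
NEEDLE = "/at-admin.cgi"  # uricontent of sid 845, lowercased to emulate nocase


def verdict_for(status):
    """Map the HTTP status to a triage label (labels are this example's own)."""
    if status == 200:
        return "investigate"  # admin page was served: check index and config
    if status in (401, 403):
        return "protected"    # access control answered the request
    return "probe"            # request seen, but nothing was served


def triage(log_text):
    """Return (client, path, status, verdict) for every request to the CGI."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not parseable request entries
        client, _method, uri, status = m.groups()
        # Assumption of this example: compare the percent-decoded path only,
        # so a query string that merely mentions the name is not reported.
        path = unquote(uri.split("?", 1)[0])
        if NEEDLE in path.lower():
            hits.append((client, path, int(status), verdict_for(int(status))))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit)
```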