[Snort-sigs] SID845 update

Busch, Andreas Andreas.Busch at ...300...
Wed Jan 23 04:36:17 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI AT-admin.cgi access"; flags:A+; uricontent:"/AT-admin.cgi"; nocase; classtype:attempted-recon; sid:845; rev:1;)


Someone tried to access the administration page of your local website's
Excite search engine.

An attacker might be able to change your website's search engine indexing
and/or access non-public document trees; the search-index database could
also be completely deleted.

Detailed Information:
Excite is a search engine which can be included on your own web server to
index those local documents. Access to the AT-admin.cgi therefore should be
at least password and/or location

Attack Scenarios:
An attacker sends an HTTP request like:

Ease of Attack:
Fairly simple hand-crafting of URLs by the attacker. 

False Positives:

False Negatives:

Corrective Action:
Examine the packet to determine what was accessed by the user. If you're
running Excite and the access was successful (200 OK), investigate your
search engine and server logs.
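The corrective action above boils down to two checks: did a request URI contain "/AT-admin.cgi" (the rule's uricontent test, case-insensitive because of nocase), and did the server answer 200 OK. The following script is an added example, not part of the original post or of Snort; it runs that triage over constructed Common Log Format lines (the addresses, timestamps and sizes are made up) and only approximates uricontent as a substring test on the raw request URI, without Snort's URI normalization or the rule's flags:A+ check.

```python
import re
from typing import Dict, List, Optional

# Mirrors the rule's payload test: uricontent:"/AT-admin.cgi"; nocase;
URI_CONTENT = "/AT-admin.cgi"

# Common Log Format: client ident authuser [timestamp] "METHOD URI VERSION" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<ver>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access log; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2002:04:36:17 -0500] "GET /cgi-bin/AT-admin.cgi HTTP/1.0" 200 1532
203.0.113.7 - - [23/Jan/2002:04:36:18 -0500] "GET /cgi-bin/at-ADMIN.CGI?cmd=index HTTP/1.0" 401 412
198.51.100.9 - - [23/Jan/2002:04:37:01 -0500] "GET /index.html HTTP/1.0" 200 2048
198.51.100.9 - - [23/Jan/2002:04:37:05 -0500] "GET /cgi-bin/AT-admin.cgi HTTP/1.0" 404 287
"""


def uri_matches(uri: str) -> bool:
    """Emulate uricontent + nocase: case-insensitive substring test on the URI."""
    return URI_CONTENT.lower() in uri.lower()


def parse_clf(line: str) -> Optional[Dict]:
    """Parse one CLF line into a dict, or return None for lines that do not fit."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text: str) -> List[Dict]:
    """Return every SID 845 hit with a verdict: a 200 OK means the admin CGI
    answered and the search engine needs investigating; any other status
    (401, 404, ...) is a failed probe worth noting but not a successful access."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or not uri_matches(rec["uri"]):
            continue
        rec["verdict"] = "investigate" if rec["status"] == 200 else "failed-probe"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f'{h["src"]} {h["uri"]} -> {h["status"]} [{h["verdict"]}]')
```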


Additional References:
