[Snort-sigs] erroneous signatures

Jensenne Roculan jroculan at ...113...
Fri Jun 21 09:25:04 EDT 2002


Hi there,

I noticed a few signatures in snortrules that may need to be fixed.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT
Outlook EML access"; uricontent:".ewl"; flags:A+;
classtype:attempted-admin; sid:1233; rev:5;)

I'm assuming that the uricontent should be changed to .eml instead.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
/~ftp access"; flags:A+; uricontent:"/~root"; nocase;
classtype:attempted-recon; sid:1662;  rev:3;)

I believe the uricontent should be changed to /~ftp. At this time, it is a
duplicate of:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
/~root access"; flags:A+; uricontent:"/~root"; nocase;
classtype:attempted-recon; sid:1145;  rev:6;)

Hope everyone has a great weekend.

Cheers,

Jensenne Roculan
SecurityFocus - http://www.securityfocus.com
(403) 213-3939 ext. 229
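
An added example, not part of the original message or of the Snort distribution: a small Python lint that catches both kinds of error reported above, a uricontent that disagrees with the rule's msg and two sids with identical match conditions. The option parser covers only the simple syntax of these three rules, and the msg-versus-uricontent comparison is an assumed heuristic.

```python
import re
from collections import defaultdict

# The three rules quoted in the message above, with the mail's line wrapping.
RULES = [
    '''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT
Outlook EML access"; uricontent:".ewl"; flags:A+;
classtype:attempted-admin; sid:1233; rev:5;)''',
    '''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
/~ftp access"; flags:A+; uricontent:"/~root"; nocase;
classtype:attempted-recon; sid:1662;  rev:3;)''',
    '''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
/~root access"; flags:A+; uricontent:"/~root"; nocase;
classtype:attempted-recon; sid:1145;  rev:6;)''',
]

OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
META = {"msg", "sid", "rev", "classtype", "reference"}  # do not affect matching


def parse_rule(text):
    """Return (header, [(option, value), ...]) for one rule."""
    text = " ".join(text.split())  # undo line wrapping
    header, _, body = text.partition("(")
    body = body.rsplit(")", 1)[0]
    opts = [(k, v.strip().strip('"')) for k, v in OPT_RE.findall(body)]
    return header.strip(), opts


def lint(rules):
    """Return findings as (sid(s), kind, detail) tuples."""
    findings, by_match = [], defaultdict(list)
    for text in rules:
        header, opts = parse_rule(text)
        d = dict(opts)
        # Same header and same detection options under different sids.
        key = (header, tuple(o for o in opts if o[0] not in META))
        by_match[key].append(d["sid"])
        # Assumed heuristic: each word of uricontent should appear in msg.
        uri, msg = d.get("uricontent", ""), d.get("msg", "").lower()
        if any(t not in msg for t in re.findall(r"[a-z0-9]+", uri.lower())):
            findings.append((d["sid"], "msg-mismatch", uri))
    for sids in by_match.values():
        if len(sids) > 1:
            findings.append((",".join(sids), "duplicate-match", ""))
    return findings


if __name__ == "__main__":
    for finding in lint(RULES):
        print(finding)
```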




