[Snort-sigs] Question about sid: 1002

Paul Schmehl pauls at ...1311...
Wed Apr 2 15:22:30 EST 2003


This rule reads:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)

Why is the content "cmd.exe" rather than "cmd.exe?"?

Same question applies to sid: 1256.  Why "root.exe" instead of
"root.exe?"?

-- 
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member




