[Snort-sigs] Question about sid: 1002

Brian bmc at ...95...
Thu Apr 3 07:03:53 EST 2003


On Wed, Apr 02, 2003 at 05:13:26PM -0600, Paul Schmehl wrote:
> This rule reads:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
> cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase;
> classtype:web-application-attack; sid:1002;  rev:5;)
> 
> Why is the content "cmd.exe" rather than "cmd.exe?"?
> 
> Same question applies to sid: 1256.  Why "root.exe" instead of
> "root.exe?"?

Because you would not pick up the scanners that just look for cmd.exe.

-brian
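To make Brian's point concrete, here is an added example (not code from the thread or from Snort itself): a minimal Python re-implementation of the content/nocase check in sid:1002, run over constructed sample requests, so the difference between `content:"cmd.exe"` and `content:"cmd.exe?"` can be counted. The request payloads and the variant rule are my own constructions.

```python
import re

# Rule text exactly as quoted in the thread (sid:1002, rev:5), joined onto one line.
RULE_1002 = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS '
    'cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; '
    'classtype:web-application-attack; sid:1002; rev:5;)'
)

# Constructed sample client payloads (not from the thread): a bare probe for the
# file, the same probe in upper case, a request with a query string, and a benign one.
REQUESTS = [
    "GET /scripts/cmd.exe HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "GET /scripts/CMD.EXE HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "GET /scripts/cmd.exe?x=1 HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
]

# Matches a plain content option, optionally followed by a nocase modifier.
_CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)";\s*(nocase;)?')


def parse_content_options(rule):
    """Return [(pattern, nocase)] for each literal content option in the rule.
    No |hex| sequences and no modifiers other than nocase are handled."""
    return [(pat, bool(nc)) for pat, nc in _CONTENT_RE.findall(rule)]


def rule_matches(rule, payload):
    """Every content string must occur somewhere in the payload (headers too, since
    the rule uses content rather than uricontent); nocase ignores letter case."""
    for pattern, nocase in parse_content_options(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


def count_matches(rule, requests):
    return sum(rule_matches(rule, r) for r in requests)


def with_content(rule, new_pattern):
    """Variant of sid:1002 with the content string Paul proposed swapped in."""
    return rule.replace('content:"cmd.exe"', f'content:"{new_pattern}"')


if __name__ == "__main__":
    for label, rule in (("cmd.exe", RULE_1002), ("cmd.exe?", with_content(RULE_1002, "cmd.exe?"))):
        print(f'content:"{label}" fires on {count_matches(rule, REQUESTS)} of {len(REQUESTS)} requests')
```

The shipped content string fires on the two bare probes and the query-string request; the `cmd.exe?` variant fires only on the last of those, which is exactly the scanner traffic Brian says would be lost.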