[Snort-sigs] SID 1359

Anton Chuvakin anton at ...1177...
Thu Apr 17 15:19:04 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-1359.txt,v 1.1 2003/02/18 22:31:30 anton Exp anton $

(msg:"WEB-ATTACKS ping command attempt"; flow:to_server,established;
content:"/bin/ping";nocase; sid:1359;
classtype:web-application-attack; rev:4;)

Sid: 1359

Summary: A web command execution attack involving the use of a
"ping" command

Impact: attacker might have gained an ability to execute system commands
remotely on the system

Detailed Information: This signature triggers when a "ping"
command is used over a plain-text (unencrypted) connection on one of
the specified web ports to the target web server. The "ping"
command may be used to perform information gathering activities. The
signature looks for the "ping" command in the client to web
server network traffic and does not indicate whether the command was
actually successful. The presence of the "ping" command in the
URL indicates that an attacker attempted to trick the web server into
executing system in non-interactive mode i.e. without a valid shell
session. Another case when this signature might trigger is unencrypted
HTTP tunneling connection to the server or a shell connection through
an exploit of the web server.

Attack Scenarios: An attacker uses a "ping" command to
perform anonymous reconnaissance

Ease of Attack: very easy, no exploit software required

False Positives: none known

False Negatives: none known

Corrective Action: check the web server software for vulnerabilities
and possible upgrade the system to the latest version, also
investigate the server for signs of compromise

Contributors: Anton Chuvakin <http://www.chuvakin.org>

Additional References:

More information about the Snort-sigs mailing list