[Snort-sigs] SID 1561 WEB-MISC ?open access
kbjo at ...1893...
Wed Apr 14 05:05:00 EDT 2004
What is this for?
The rule documentation says:
"This event is generated when an attempt is made to compromise a host
running a Web server or a vulnerable application on a web server.
Many known vulnerabilities exist for each implementation and the
attack scenarios are legion.
Some applications do not perform stringent checks when validating the
credentials of a client host connecting to the services offered on a
host server. This can lead to unauthorized access and possibly escalated
privileges to that of the administrator. Data stored on the machine can
be compromised and trust relationships between the victim server and
other hosts can be exploited by the attacker."
I am not sure what is talked about; this seems too general. I was unable
to find out what vulnerability (or vulnerabilities) is meant here. There aren't any
"alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
?open access"; flow:to_server,established; uricontent:"?open"; nocase;
classtype:web-application-activity; sid:1561; rev:4;)"
This will fire on anything with an argument starting with "open" no
matter what is opened. I find this extremely general and FP-prone.
E.g. in my own net I observe the following Domino-related statements:
GET /yyyy/zzzz/launcher.nsf?Open HTTP/1.1
But I think this will not be the only type of false positive, so I
think the "False positive" field should not be
"Will fire on anything with ?open in it"
--Knut Bjornstad -- ErgoIntegration AS ---Oslo, Norway-------
--kbjo at ...1893... -- t:47 23 14 53 36 -- mob: 901 15 917 --
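To make the breadth of the rule concrete, here is an added example (not part of the post or of the Snort distribution) that emulates the single payload condition of SID 1561, uricontent:"?open"; nocase;, over a handful of constructed request lines, including the Domino launcher.nsf?Open URL the post cites. The emulation is a simplification: it checks the raw request URI and does no HTTP normalization or decoding as Snort would. The is_domino_open() helper is a hypothetical triage aid for separating the Domino ?Open pattern from other hits; it is not anything the Snort rule itself does.

```python
"""
Emulate the URI test of Snort SID 1561 ("WEB-MISC ?open access") over
constructed HTTP request lines to show how broad uricontent:"?open"; nocase;
is. Added example; the sample requests below are constructed.
"""
import re
from urllib.parse import urlsplit

# The rule's only payload condition: the literal "?open" anywhere in the
# request URI, matched case-insensitively (uricontent ... nocase).
URICONTENT = "?open"

# Constructed sample request lines (client -> server), one per entry.
SAMPLE_REQUESTS = [
    "GET /yyyy/zzzz/launcher.nsf?Open HTTP/1.1",   # Domino URL from the post
    "GET /names.nsf?OpenDatabase HTTP/1.1",        # another ordinary Domino URL
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/viewer.cgi?OPEN=readme HTTP/1.0",
    "POST /api/doors?open=1 HTTP/1.1",
    "GET /docs/reopen.html?page=2 HTTP/1.1",       # "open" not directly after "?"
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d$")

def request_uri(line):
    """Return the request URI from an HTTP request line, or None if malformed."""
    m = REQUEST_LINE.match(line.strip())
    return m.group("uri") if m else None

def sid1561_matches(line):
    """True when SID 1561's uricontent test would fire on this request line.
    Simplified: no URI normalization or percent-decoding is performed."""
    uri = request_uri(line)
    return uri is not None and URICONTENT in uri.lower()

def is_domino_open(line):
    """Hypothetical triage helper (not part of the Snort rule): flag the Lotus
    Domino pattern cited in the post, a .nsf resource whose query string
    begins with 'open' (e.g. ?Open, ?OpenDatabase)."""
    uri = request_uri(line)
    if uri is None:
        return False
    parts = urlsplit(uri)
    return parts.path.lower().endswith(".nsf") and parts.query.lower().startswith("open")

def triage(lines):
    """Return (hits, domino_hits): the lines SID 1561 would alert on and the
    subset of those that look like ordinary Domino ?Open traffic."""
    hits = [l for l in lines if sid1561_matches(l)]
    domino = [l for l in hits if is_domino_open(l)]
    return hits, domino

if __name__ == "__main__":
    hits, domino = triage(SAMPLE_REQUESTS)
    for line in SAMPLE_REQUESTS:
        tag = "ALERT" if sid1561_matches(line) else "  -  "
        note = "  (Domino ?Open)" if is_domino_open(line) else ""
        print(f"{tag} {line}{note}")
    print(f"{len(hits)} of {len(SAMPLE_REQUESTS)} requests alert; "
          f"{len(domino)} of those are Domino ?Open URLs")
```

Running it shows four of the six constructed requests alerting, two of them the routine Domino ?Open form; the rule has no way to tell the CGI query string apart from the Domino launcher URL, which is exactly the generality the post objects to.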