[Snort-sigs] New Sid: MISC HP Web JetAdmin ExecuteFile admin access

Matthew Jonkman matt at ...2436...
Wed Aug 4 15:43:03 EDT 2004


Put this up on bleedingsnort as well. As with all of our rules if the 
snort.org folks pick them up we drop them from here. We're a good test 
bed. :)

Only thing I changes was to make the first content into a uricontent. 
Should be more efficient.

Matt

Thomas Alex wrote:

> Message:
> MISC HP Web JetAdmin ExecuteFile admin access
> -- 
> Rule/Signature:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin 
> ExecuteFile admin access"; flow:to_server,established; 
> content:"/plugins/framework/script/content.hts"; nocase; 
> content:"ExecuteFile”; nocase; reference:bugtraq,10224; 
> classtype:attempted-admin; sid:????; rev:1;)




More information about the Snort-sigs mailing list