[Snort-sigs] Santy/phpBB rules

M. Shirk shirkdog_list at ...12...
Tue Dec 21 17:02:01 EST 2004


I have updated the two bleeding snort rules and added the third rule based 
on some of the web server logs floating around. Correct them if you see any 
errors and submit them to me or bleedingsnort.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Code Execution Attempt"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001457; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting SQL Injection"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.mysql_query("; nocase; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:9999999; rev:1;)

Shirkdog
http://www.shirkdog.us
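
The three rules above, checked against constructed web server log lines, as an added example that is not part of the original post. The small rule-option parser, the single percent-decoding pass standing in for Snort's URI normalization, and every function name here are assumptions of this sketch, not Snort's own behaviour.

```python
import re
from urllib.parse import unquote

# The three rules from the post, each joined onto one line.
RULES_TEXT = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Code Execution Attempt"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001457; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting SQL Injection"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.mysql_query("; nocase; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:9999999; rev:1;)
'''
# Constructed access-log lines (documentation addresses, inert PLACEHOLDER arguments).
SAMPLE_LOG = r'''
192.0.2.10 - - [21/Dec/2004:10:00:01 -0500] "GET /viewtopic.php?t=1&highlight='.system(PLACEHOLDER).' HTTP/1.0" 200 512
192.0.2.11 - - [21/Dec/2004:10:00:05 -0500] "GET /viewtopic.php?t=2&highlight=%27.fwrite(fopen(PLACEHOLDER).%27 HTTP/1.0" 200 512
192.0.2.12 - - [21/Dec/2004:10:00:09 -0500] "GET /VIEWTOPIC.PHP?t=3&HIGHLIGHT='.MYSQL_QUERY(PLACEHOLDER).' HTTP/1.0" 200 512
192.0.2.13 - - [21/Dec/2004:10:00:12 -0500] "GET /viewtopic.php?t=4&highlight=snort HTTP/1.0" 200 512
'''
OPTION = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(rule):
    """Pull msg, sid and the [pattern, nocase] uricontent pairs out of one rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    parsed = {"uricontent": []}
    for key, val in OPTION.findall(body):
        val = val.strip('"')
        if key == "uricontent":
            parsed["uricontent"].append([val, False])
        elif key == "nocase" and parsed["uricontent"]:
            parsed["uricontent"][-1][1] = True  # nocase modifies the preceding content
        elif key in ("msg", "sid"):
            parsed[key] = val
    return parsed

def matching_sids(log_line, rules):
    """Return sids whose every uricontent occurs in the once-decoded request URI."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+)', log_line)
    if not m:
        return []
    uri = unquote(m.group(1))  # assumption: one decoding pass approximates URI normalization
    return [r["sid"] for r in rules
            if all((p.lower() in uri.lower()) if nc else (p in uri) for p, nc in r["uricontent"])]

RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]

def scan(log_text):
    return [(ln.split()[0], matching_sids(ln, RULES)) for ln in log_text.strip().splitlines()]

if __name__ == "__main__":
    for src, sids in scan(SAMPLE_LOG):
        print(src, sids or "no match")
```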
