[Snort-sigs] Avoidance of 1861.7 (WEB-MISC Linksys router default username and password login attempt)

Brian bmc at ...95...
Tue Jul 6 08:00:04 EDT 2004


> I am proposing to convert the authentication clause to PCRE:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 
> (msg:"WEB-MISC Linksys router default username and password login attempt"; 
> flow:to_server,established; content:"YWRtaW46YWRtaW4"; 
> pcre:"/^Authorization\x3a\s*Basic +(?-i)YWRtaW46YWRtaW4/mi"; 
> reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:8;)

yep
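The matching logic of the proposed rule, run over constructed requests. This is an added example, not part of the original thread: it uses Python's `re` in place of PCRE (the mid-pattern `(?-i)` becomes a scoped `(?-i:...)` group), the helper names `rule_matches`, `request` and `b64` are hypothetical, and it models only the `content` and `pcre` options, not `flow` or the port match.

```python
import base64
import re

# Assumption: Python's re has no mid-pattern "(?-i)" switch, so the rule's
# case-sensitive tail is written as the scoped group "(?-i:...)".
AUTH_RE = re.compile(
    r"^Authorization\x3a\s*Basic +(?-i:YWRtaW46YWRtaW4)",
    re.MULTILINE | re.IGNORECASE,  # the rule's /mi flags
)
CONTENT = b"YWRtaW46YWRtaW4"  # the rule's case-sensitive content: option


def rule_matches(payload: bytes) -> bool:
    """Approximate the rule body: content match first, then the pcre."""
    if CONTENT not in payload:
        return False
    return AUTH_RE.search(payload.decode("latin-1")) is not None


def request(auth_line: str, body: str = "") -> bytes:
    """Build a constructed HTTP request (192.0.2.1 is a documentation address)."""
    head = "GET / HTTP/1.1\r\nHost: 192.0.2.1:8080\r\n"
    if auth_line:
        head += auth_line + "\r\n"
    return (head + "\r\n" + body).encode("latin-1")


def b64(creds: str) -> str:
    """Base64-encode a user:password string as HTTP Basic auth does."""
    return base64.b64encode(creds.encode()).decode()


# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "default credentials": request("Authorization: Basic " + b64("admin:admin")),
    "header case and spacing vary": request("authorization:   basic   " + b64("admin:admin")),
    "other credentials": request("Authorization: Basic " + b64("admin:s3cret")),
    "token lowercased": request("Authorization: Basic " + b64("admin:admin").lower()),
    "token only in body": request("", body="note=" + b64("admin:admin")),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:30} alert={rule_matches(payload)}")
```

The last sample passes the `content` check but not the `pcre`, which is the case the anchored `Authorization` clause is there to exclude.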



