[Snort-sigs] Sid 1328 and 1329

Shomiron Das Gupta [NetMonastery] shomiron at ...2657...
Mon Jul 26 22:53:01 EDT 2004

Hi Josh,

Well those are two different signatures by itself.
/bin/ps looks for the /bin/ps command. Whereas ps could also be called
directly in some cases. Hence ps%20 which effectively means the ps
command followed by a space. So if we were checking ps with arguments
like -a -x etc the latter sig will pick it up.


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Joshua
Sent: Monday, July 26, 2004 10:43 PM
To: Snort-Sigs (E-mail)
Subject: [Snort-sigs] Sid 1328 and 1329

Why is 1328 listed as: "WEB-ATTACKS ps command attempt", but then
uricontent is set to: "/bin/ps"

And then 1329 is listed as: "WEB-ATTACKS /bin/ps command attempt", but
then uricontent is set to: "ps%20"

This seems backwards to me.
Josh Berry, CISSP & MCSE 
Information Security
If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked. 
     -- (Former) White House Cybersecurity adviser Richard Clarke 
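
How the two uricontent patterns quoted in this thread behave against sample request URIs, as an added example that is not part of the original messages. It treats uricontent as a case-sensitive substring match on the URI as sent (an assumption; Snort's URI normalization is not modelled), and the sample URIs and the `matching_sids`/`report` helpers are constructed for illustration.

```python
# Added illustration, not code from the thread or from Snort.
# Assumption: uricontent behaves as a case-sensitive substring match on
# the request URI exactly as sent (URI normalization is not modelled).

# Messages and patterns as quoted in the thread.
RULES = {
    1328: ("WEB-ATTACKS ps command attempt", "/bin/ps"),
    1329: ("WEB-ATTACKS /bin/ps command attempt", "ps%20"),
}

# Constructed sample URIs (not taken from real traffic).
SAMPLES = [
    "/cgi-bin/test.cgi?cmd=/bin/ps",        # full path, no arguments
    "/cgi-bin/test.cgi?cmd=/bin/ps%20-ax",  # full path with arguments
    "/cgi-bin/test.cgi?cmd=ps%20-ax",       # bare ps with arguments
    "/cgi-bin/test.cgi?cmd=ps",             # bare ps, no arguments
    "/docs/tips%20and%20tricks.html",       # benign: word ending in "ps" + space
    "/usr/bin/pstree.html",                 # benign: path starting with "/bin/ps"
]


def matching_sids(uri):
    """Return the sorted list of SIDs whose pattern occurs in the URI."""
    return sorted(sid for sid, (_msg, pattern) in RULES.items() if pattern in uri)


def report(uris):
    """Map each URI to the SIDs that would alert on it."""
    return {uri: matching_sids(uri) for uri in uris}


if __name__ == "__main__":
    for uri, sids in report(SAMPLES).items():
        labels = ", ".join(f"{sid} ({RULES[sid][0]})" for sid in sids) or "no alert"
        print(f"{uri:42} -> {labels}")
```

Under this model the bare `ps` with no arguments is seen by neither pattern, and the last two samples show each pattern also firing on benign URIs, which is worth knowing when tuning these rules.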
