[Snort-sigs] Sid 1328 and 1329

Joshua Berry jberry at ...2562...
Tue Jul 27 06:12:09 EDT 2004

I know they are two different rules.  What I was pointing out is that
the Messages should be swapped.  The one looking for /bin/ps should be
msg:"WEB-ATTACKS /bin/ps command attempt", and the one looking for ps%20
should be msg:"WEB-ATTACKS ps command attempt".

-----Original Message-----
From: Shomiron Das Gupta [NetMonastery]
[mailto:shomiron at ...2657...] 
Sent: Tuesday, July 27, 2004 12:52 AM
To: Joshua Berry; 'Snort-Sigs (E-mail)'
Subject: RE: [Snort-sigs] Sid 1328 and 1329

Hi Josh,

Well, those are two different signatures by themselves.
/bin/ps looks for the /bin/ps command. Whereas ps could also be called
directly in some cases. Hence ps%20 which effectively means the ps
command followed by a space. So if we were checking ps with arguments
like -a -x etc the latter sig will pick it up.


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Joshua
Sent: Monday, July 26, 2004 10:43 PM
To: Snort-Sigs (E-mail)
Subject: [Snort-sigs] Sid 1328 and 1329

Why is 1328 listed as: "WEB-ATTACKS ps command attempt", but then
uricontent is set to: "/bin/ps"

And then 1329 is listed as: "WEB-ATTACKS /bin/ps command attempt", but
then uricontent is set to: "ps%20"

This seems backwards to me.
Josh Berry, CISSP & MCSE 
Information Security
If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked. 
     -- (Former) White House Cybersecurity adviser Richard Clarke 
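
The mismatch discussed in this thread can be caught mechanically when auditing a rule set. The following is an added example, not part of the original messages or of the Snort project: the rule stubs are constructed from the msg, uricontent and sid values quoted above (they are not the full rules), and the "<CATEGORY> <subject> command attempt" msg convention and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed option stubs: only msg, uricontent and sid, with the values
# quoted in the thread. These are not the full rules from the Snort ruleset.
RULES = [
    'msg:"WEB-ATTACKS ps command attempt"; uricontent:"/bin/ps"; sid:1328;',
    'msg:"WEB-ATTACKS /bin/ps command attempt"; uricontent:"ps%20"; sid:1329;',
]

def parse_options(stub):
    """Return {option: value} for simple 'key:value;' rule options."""
    opts = {}
    pattern = r'(\w+):\s*(?:"([^"]*)"|([^;]*));'
    for key, quoted, bare in re.findall(pattern, stub):
        opts[key] = quoted or bare.strip()
    return opts

def msg_subject(msg):
    """Assumed convention: '<CATEGORY> <subject> command attempt'."""
    m = re.match(r'\S+\s+(.+?)\s+command attempt$', msg)
    return m.group(1) if m else None

def content_subject(uricontent):
    """Decode %xx escapes and drop the trailing space ('ps%20' -> 'ps')."""
    return unquote(uricontent).strip()

def find_swapped_msgs(stubs):
    """Return sid pairs where each msg describes the other rule's uricontent."""
    subjects = {}
    for opts in map(parse_options, stubs):
        subjects[opts["sid"]] = (msg_subject(opts["msg"]),
                                 content_subject(opts["uricontent"]))
    sids = sorted(subjects)
    swapped = []
    for i, a in enumerate(sids):
        for b in sids[i + 1:]:
            (msg_a, uri_a), (msg_b, uri_b) = subjects[a], subjects[b]
            # Neither msg matches its own rule, but each matches the other.
            if msg_a != uri_a and msg_b != uri_b \
                    and msg_a == uri_b and msg_b == uri_a:
                swapped.append((a, b))
    return swapped

if __name__ == "__main__":
    for a, b in find_swapped_msgs(RULES):
        print(f"sid {a} and sid {b}: msg strings look swapped")
```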
