[Snort-sigs] some corrections to rules incorrectly referring to a reference resource not located in etc/reference.config

Sean Wheeler s.wheeler at ...944...
Mon Mar 29 00:54:02 EST 2004


hi,

Below are some corrections to rules that incorrectly refer to a reference
resource that is not defined in etc/reference.config.

--------------------------------
The following rule refers to "bugtaq" and NOT "bugtraq"
--------------------------------
# Original rule as quoted in this post (sid 2126). It alerts on established,
# to_server TCP traffic from $EXTERNAL_NET to $HOME_NET port 1723 whose payload
# carries |00 01| within 2 bytes at offset 2 and again at offset 8, and whose
# size is greater than 156 bytes.
# The first reference below names the system "bugtaq"; the post reports this
# as a misspelling of "bugtraq" that etc/reference.config does not define.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP
Start Control Request buffer overflow attempt";
flow:to_server,established,no_stream; content:"|00 01|"; offset:2; depth:2;
content:"|00 01|"; offset:8; depth:2; dsize:>156; reference:bugtaq,5807;
reference:cve,CAN-2002-1214; classtype:attempted-admin; sid:2126; rev:2;)
correction:
# Corrected form of sid 2126 proposed in this post. The detection options are
# unchanged; only the first reference system is respelled as "bugtraq".
# NOTE(review): rev is still 2 although the rule text changed; confirm whether
# the revision should be incremented when this correction is applied.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP
Start Control Request buffer overflow attempt";
flow:to_server,established,no_stream; content:"|00 01|"; offset:2; depth:2;
content:"|00 01|"; offset:8; depth:2; dsize:>156; reference:bugtraq,5807;
reference:cve,CAN-2002-1214; classtype:attempted-admin; sid:2126; rev:2;)


-------------------------------
The following rules refer to "bid" and NOT "bugtraq" (etc/reference.config has no
entry for "bid")
--------------------------------

# Original rule as quoted in this post (sid 2331). It alerts on established,
# to_server TCP traffic to $HTTP_SERVERS on $HTTP_PORTS whose payload contains
# "new_rights=admin", matched case-insensitively.
# The reference below uses the system name "bid", which the post says has no
# entry in etc/reference.config.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
MatrikzGB privilege escalation attempt"; flow:to_server,established;
content:"new_rights=admin"; nocase; reference:bid,8430;
classtype:web-application-activity; sid:2331; rev:1;)
correction:
# Corrected form of sid 2331 proposed in this post. The detection options are
# unchanged; the reference system "bid" is replaced with "bugtraq" and the
# id 8430 is kept.
# NOTE(review): rev is still 1 although the rule text changed; confirm whether
# the revision should be incremented when this correction is applied.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
MatrikzGB privilege escalation attempt"; flow:to_server,established;
content:"new_rights=admin"; nocase; reference:bugtraq,8430;
classtype:web-application-activity; sid:2331; rev:1;)
-------------------
# Original rule as quoted in this post (sid 2345). It alerts on established,
# to_server TCP traffic to $HTTP_SERVERS on $HTTP_PORTS when the request URI
# contains "/search.php", "action=soundex" and "firstname=", each matched
# case-insensitively.
# The reference below uses the system name "bid", which the post says has no
# entry in etc/reference.config.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
PhpGedView search.php access"; flow:to_server,established;
uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase;
uricontent:"firstname="; nocase; reference:bid,9369;
classtype:web-application-activity; sid:2345; rev:1;)
correction:
# Corrected form of sid 2345 proposed in this post. The detection options are
# unchanged; the reference system "bid" is replaced with "bugtraq" and the
# id 9369 is kept.
# NOTE(review): rev is still 1 although the rule text changed; confirm whether
# the revision should be incremented when this correction is applied.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
PhpGedView search.php access"; flow:to_server,established;
uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase;
uricontent:"firstname="; nocase; reference:bugtraq,9369;
classtype:web-application-activity; sid:2345; rev:1;)
-------------------
# Original rule as quoted in this post (sid 2346). It alerts on established,
# to_server TCP traffic to $HTTP_SERVERS on $HTTP_PORTS when the request URI
# contains "/chatheader.php", matched case-insensitively.
# The reference below uses the system name "bid", which the post says has no
# entry in etc/reference.config.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
myPHPNuke chatheader.php access"; flow:to_server,established;
uricontent:"/chatheader.php"; nocase; reference:bid,6544;
classtype:web-application-activity; sid:2346; rev:1;)
correction:
# Corrected form of sid 2346 proposed in this post. The detection options are
# unchanged; the reference system "bid" is replaced with "bugtraq" and the
# id 6544 is kept.
# NOTE(review): rev is still 1 although the rule text changed; confirm whether
# the revision should be incremented when this correction is applied.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
myPHPNuke chatheader.php access"; flow:to_server,established;
uricontent:"/chatheader.php"; nocase; reference:bugtraq,6544;
classtype:web-application-activity; sid:2346; rev:1;)
------------------
# Original rule as quoted in this post (sid 2347). It alerts on established,
# to_server TCP traffic to $HTTP_SERVERS on $HTTP_PORTS when the request URI
# contains "/partner.php", matched case-insensitively.
# The reference below uses the system name "bid", which the post says has no
# entry in etc/reference.config.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
myPHPNuke partner.php access"; flow:to_server,established;
uricontent:"/partner.php"; nocase; reference:bid,6544;
classtype:web-application-activity; sid:2347; rev:1;)
correction:
# Corrected form of sid 2347 proposed in this post. The detection options are
# unchanged; the reference system "bid" is replaced with "bugtraq" and the
# id 6544 is kept.
# NOTE(review): rev is still 1 although the rule text changed; confirm whether
# the revision should be incremented when this correction is applied.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
myPHPNuke partner.php access"; flow:to_server,established;
uricontent:"/partner.php"; nocase; reference:bugtraq,6544;
classtype:web-application-activity; sid:2347; rev:1;)


regards

Sean




