[Snort-sigs] false msg on sid 860 ?

rmkml rmkml at ...324...
Fri Aug 26 13:09:22 EDT 2005


Hi,

Look at sid 860:
  web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
  (msg:"WEB-CGI snork.bat access"; flow:to_server,established;
  uricontent:"/snork.bat"; nocase; reference:arachnids,220;
  reference:bugtraq,1053; reference:cve,2000-0169;
  classtype:attempted-recon; sid:860; rev:8;)

But BID 1053 is:
  http://www.securityfocus.com/bid/1053
  "Oracle Web Listener Batch File Vulnerability"

and CVE 2000-0169:
  Reference: NTBUGTRAQ:20000314 Oracle Web Listener 4.0.x
  Reference: BID:1053
  Reference: XF:oracle-weblistener-remote-attack
  Batch files in the Oracle web listener ows-bin directory allow remote
  attackers to execute commands via a malformed URL that includes '?&'.

Is msg:"WEB-CGI snork.bat access" and uricontent:"/snork.bat" false?
Or is the BID / CVE bad?

This Oracle vulnerability is on sid 1193.

I found snork.bat on
  http://xforce.iss.net/xforce/xfdb/3875

Regards
Rmkml
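
The kind of cross-check the post performs by hand, as an added example that is not part of the original message or of the Snort rule set: parse each rule's options and list every reference cited by more than one sid, so a maintainer can decide which rule the reference really describes. The sid 860 text is copied from the post; the second rule is a constructed stand-in for sid 1193, and the assumption that it cites bugtraq,1053 is made only for illustration.

```python
import re
from collections import defaultdict

# sid 860 is copied from the post. The second rule is a constructed stand-in
# for sid 1193 (its real text is not in the post); that it cites bugtraq,1053
# is an assumption made to show a clash.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-CGI snork.bat access"; flow:to_server,established; '
    'uricontent:"/snork.bat"; nocase; reference:arachnids,220; '
    'reference:bugtraq,1053; reference:cve,2000-0169; '
    'classtype:attempted-recon; sid:860; rev:8;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"CONSTRUCTED oracle web listener batch access"; '
    'uricontent:"/ows-bin/"; nocase; reference:bugtraq,1053; '
    'sid:1193; rev:1;)',
]

# One option: keyword, optional ":value", terminated by ";". A quoted value may
# contain ";" or an escaped quote, so it is matched as a single unit.
OPTION = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

def parse_rule(rule):
    """Return the rule options as a list of (keyword, value) pairs."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    return [(k, (v or '').strip().strip('"')) for k, v in OPTION.findall(body)]

def shared_references(rules):
    """Map each reference to the sids citing it, keeping only shared ones."""
    seen = defaultdict(list)
    for rule in rules:
        opts = parse_rule(rule)
        sid = next(int(v) for k, v in opts if k == 'sid')
        for k, v in opts:
            if k == 'reference':
                seen[v].append(sid)
    return {ref: sids for ref, sids in seen.items() if len(sids) > 1}

if __name__ == '__main__':
    for ref, sids in shared_references(RULES).items():
        print(f'{ref} is cited by sids {sids}: check which rule it describes')
```

A shared reference is not wrong by itself; it only marks the pairs worth reading against the advisory text, as the post does for BID 1053.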