[Snort-sigs] new rule for detect ATutor Sql Injection

rmkml rmkml at ...324...
Thu Dec 8 00:30:02 EST 2005


Please check and maybe add this new rule:

web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP ATutor Sql Injection attempt"; content:"GET"; nocase; 
depth:3; uricontent:"/include/html/forum.inc.php"; nocase; 
uricontent:"addslashes|3D|system"; nocase; uricontent:"asc|3D|id"; nocase; reference:bugtraq,15221; 
reference:nessus,20095; reference:cve,2005-3403; reference:osvdb,20344; 
classtype:web-application-attack; )

This rule detects access to forum.inc.php on addslashes().

Improvements/comments are welcome.
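Added example, not part of the original post: a small Python model of the rule's match conditions, run against constructed requests to show what alerts and what does not. It assumes that `urllib.parse.unquote` plus lower-casing approximates the normalized URI buffer that `uricontent` with `nocase` is matched against; the host paths and sample requests are constructed.

```python
from urllib.parse import unquote

# Conditions copied from the rule in the post.
METHOD = b"GET"                      # content:"GET"; nocase; depth:3;
URI_PATTERNS = [                     # uricontent:"..."; nocase;
    "/include/html/forum.inc.php",
    "addslashes=system",             # "addslashes|3D|system": |3D| is the byte '='
    "asc=id",                        # "asc|3D|id"
]

def rule_matches(payload: bytes) -> bool:
    """Return True if the request payload satisfies every option of the rule."""
    # depth:3 restricts the "GET" content match to the first three payload bytes.
    if payload[:3].upper() != METHOD:
        return False
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
        _method, raw_uri, _version = request_line.split(" ", 2)
    except ValueError:
        return False                 # not a well-formed request line
    # Assumption: unquote() + lower() stands in for URI normalization + nocase.
    uri = unquote(raw_uri).lower()
    # All uricontent options must match (logical AND), in any order.
    return all(pattern in uri for pattern in URI_PATTERNS)

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain":   b"GET /ATutor/include/html/forum.inc.php?addslashes=system&asc=id HTTP/1.0\r\n\r\n",
    "encoded": b"GET /ATutor/include/html/forum.inc.php?addslashes%3Dsystem&asc%3Did HTTP/1.1\r\n\r\n",
    "upper":   b"get /ATUTOR/INCLUDE/HTML/FORUM.INC.PHP?ADDSLASHES=SYSTEM&ASC=ID HTTP/1.1\r\n\r\n",
    "benign":  b"GET /ATutor/include/html/forum.inc.php HTTP/1.1\r\n\r\n",
    "other":   b"GET /ATutor/index.php?asc=id HTTP/1.1\r\n\r\n",
}

def evaluate_samples() -> dict:
    """Map each sample name to whether the modelled rule would alert on it."""
    return {name: rule_matches(req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, alerted in evaluate_samples().items():
        print(f"{name:8s} alert={alerted}")
```

The "benign" and "other" samples confirm that a plain request for forum.inc.php, or the `asc=id` parameter on another page, does not alert on its own.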

