[Snort-sigs] new rule to detect Symantec Brightmail Antispam default login

rmkml rmkml at ...324...
Fri Dec 9 01:24:00 EST 2005


Please check and maybe add this new rule:

web-misc.rules:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 41080 \
(msg:"WEB-MISC Symantec Brightmail Antispam default login attempt"; \
flow:to_server,established; content:"GET"; nocase; depth:3; \
uricontent:"/brightmail/viewLogin.do"; nocase; uricontent:"user|3D|admin"; nocase; \
uricontent:"pass|3D|symantec"; nocase; \
reference:nessus,19598; classtype:web-application-attack;)

This rule detects default access on the web interface with admin/symantec.

Improvements/comments are welcome.
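
The rule's matching logic replayed in Python over constructed request lines, as an added example that is not part of the original post. It assumes percent-decoding as a stand-in for Snort's URI normalisation; rule_matches, scan and SAMPLES are hypothetical names. The fourth sample shows that the substring semantics of uricontent also fire on different credentials that merely contain the patterns.

```python
from urllib.parse import unquote

# The rule's three uricontent patterns (|3D| is '='), lower-cased for nocase.
URI_PATTERNS = ("/brightmail/viewlogin.do", "user=admin", "pass=symantec")
PORT = 41080  # destination port from the rule header


def rule_matches(dst_port, request_line):
    """Approximate the posted rule for one HTTP request line.

    Assumption: percent-decoding stands in for Snort's URI normalisation.
    """
    if dst_port != PORT:
        return False
    # content:"GET"; nocase; depth:3 -> only the first three payload bytes
    if request_line[:3].upper() != "GET":
        return False
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    uri = unquote(parts[1]).lower()
    # Each uricontent is an independent substring search on the URI.
    return all(pattern in uri for pattern in URI_PATTERNS)


# Constructed sample traffic: (destination port, HTTP request line).
SAMPLES = [
    (41080, "GET /brightmail/viewLogin.do?user=admin&pass=symantec HTTP/1.0"),
    (41080, "get /BrightMail/viewLogin.do?USER=admin&pass%3Dsymantec HTTP/1.0"),
    (41080, "GET /brightmail/viewLogin.do?user=admin&pass=other HTTP/1.0"),
    (41080, "GET /brightmail/viewLogin.do?user=administrator&pass=symantec1 HTTP/1.0"),
    (80, "GET /brightmail/viewLogin.do?user=admin&pass=symantec HTTP/1.0"),
]


def scan(samples):
    """Return one verdict per sample, in order."""
    return [rule_matches(port, line) for port, line in samples]


if __name__ == "__main__":
    for (port, line), hit in zip(SAMPLES, scan(SAMPLES)):
        print("ALERT" if hit else "-----", port, line)
```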

