[Snort-sigs] new rule for detect Novell eDirectory iMonitor access

rmkml rmkml at ...324...
Mon Dec 12 01:24:07 EST 2005


please check and maybe add this new rule :

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8008 
(msg:"WEB-MISC Novell eDirectory iMonitor access"; 
flow:to_server,established; uricontent:"/nds/"; 
nocase; reference:bugtraq,14548; reference:cve,2005-2551; 
reference:nessus,12248; reference:osvdb,18703; classtype:web-application-attack; )

Simply detect access to dir nds on iMonitor (8008/tcp).

this rule IS NOT TESTED.

Improve/comments are welcome.


More information about the Snort-sigs mailing list