[Snort-sigs] 4 new rules to detect Gallery multiple params

rmkml rmkml at ...324...
Tue Dec 13 03:32:01 EST 2005


Hi,

Please check and maybe add 4 new rules:

web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP Gallery g2_itemId access"; content:"GET"; nocase;
depth:3; uricontent:"/main.php"; nocase; uricontent:"g2_itemId|3D|"; 
nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:osvdb,13034; 
classtype:web-application-attack; )

web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP Gallery g2_return access"; content:"GET"; nocase;
depth:3; uricontent:"/main.php"; nocase; uricontent:"g2_return|3D|"; 
nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:osvdb,13034; 
classtype:web-application-attack; )

web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP Gallery g2_view access"; content:"GET"; nocase;
depth:3; uricontent:"/main.php"; nocase; uricontent:"g2_view|3D|"; nocase; 
reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:osvdb,13034; 
classtype:web-application-attack; )

web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP Gallery g2_subView access"; content:"GET"; nocase;
depth:3; uricontent:"/main.php"; nocase; uricontent:"g2_subView|3D|"; 
nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:osvdb,13034; 
classtype:web-application-attack; )

These rules ARE NOT TESTED.

Improvements/comments are welcome.

Regards
Rmkml
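
An offline check of the four rules' match logic, added here as an example; it is not part of the original message and is not Snort code. It approximates content (raw payload, depth 3) and uricontent (percent-decoded URI, nocase); the helper names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Match options shared by the four posted rules, on one line ({p} = parameter name).
RULE = ('content:"GET"; nocase; depth:3; uricontent:"/main.php"; nocase; '
        'uricontent:"{p}|3D|"; nocase;')
PARAMS = ["g2_itemId", "g2_return", "g2_view", "g2_subView"]

def decode_pattern(pat):
    """Expand Snort |hex| escapes: 'g2_view|3D|' -> b'g2_view='."""
    expand = lambda m: bytes.fromhex(m.group(1)).decode("latin-1")
    return re.sub(r"\|([0-9A-Fa-f ]+)\|", expand, pat).encode("latin-1")

def parse_options(options):
    """Collect content/uricontent matches with their nocase/depth modifiers."""
    matches = []
    for key, quoted, bare in re.findall(r'(\w+)(?::"([^"]*)"|:(\w+))?;', options):
        if key in ("content", "uricontent"):
            matches.append({"kw": key, "pat": decode_pattern(quoted),
                            "nocase": False, "depth": None})
        elif key == "nocase" and matches:
            matches[-1]["nocase"] = True
        elif key == "depth" and matches:
            matches[-1]["depth"] = int(bare)
    return matches

def rule_fires(options, raw):
    """Approximation: content sees the raw payload, uricontent the decoded URI."""
    uri = unquote_to_bytes(raw.split(b" ")[1])
    for m in parse_options(options):
        hay = raw if m["kw"] == "content" else uri
        if m["depth"] is not None:
            hay = hay[:m["depth"]]
        pat = m["pat"]
        if m["nocase"]:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    return True

def fired(raw):
    return [p for p in PARAMS if rule_fires(RULE.format(p=p), raw)]

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain": b"GET /gallery2/main.php?g2_itemId=15 HTTP/1.0\r\n\r\n",
    "mixed_case": b"GET /gallery2/MAIN.PHP?G2_VIEW=example.View HTTP/1.0\r\n\r\n",
    "pct_encoded": b"GET /gallery2/main.php?g2%5FsubView=example.Sub HTTP/1.0\r\n\r\n",
    "other_page": b"GET /index.php?g2_itemId=15 HTTP/1.0\r\n\r\n",
}
```

The "plain" sample is an ordinary item view and still matches, so the rules as posted alert on any use of these parameters rather than on a malicious value; expect to tune them before enabling.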



