[Snort-sigs] new rule for detect FtpLocate flserv.pl access

rmkml rmkml at ...324...
Tue Dec 13 03:39:02 EST 2005


Please check and maybe add this new rule:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC FtpLocate flserv.pl access"; flow:to_server,established; content:"GET"; nocase; depth:3; uricontent:"/flserv.pl"; nocase; uricontent:"cmd|3D|exec_flsearch"; nocase; reference:bugtraq,14367; reference:cve,2005-2420; reference:nessus,19300; reference:osvdb,18305; classtype:web-application-attack; )

Simply to detect access to the /flserv.pl URI with the cmd=exec_flsearch param.

This rule IS NOT TESTED.

Improvements/comments are welcome.
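
Since the rule above is posted as untested, its three content checks can be exercised offline before it is loaded into a sensor. The following is an added example, not part of the original post: the function name rule_matches, the sample requests and the cmd=show_form value are constructed, and Snort's URI normalization is approximated by a single percent-decode pass.

```python
from urllib.parse import unquote

def rule_matches(payload: bytes) -> bool:
    """Approximate the content options of the posted rule on one client payload."""
    # content:"GET"; nocase; depth:3;  -> only the first 3 payload bytes are searched
    if payload[:3].upper() != b"GET":
        return False
    # Pull the URI out of the request line ("METHOD URI VERSION").
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    # Assumption: the normalized URI buffer is modelled as percent-decoded text,
    # lower-cased here because both uricontent options carry nocase.
    uri = unquote(parts[1], encoding="latin-1").lower()
    # uricontent:"/flserv.pl"; nocase;
    # uricontent:"cmd|3D|exec_flsearch"; nocase;   (|3D| is the byte "=")
    return "/flserv.pl" in uri and "cmd=exec_flsearch" in uri

# Constructed requests (not captured traffic) paired with the expected verdict.
SAMPLES = [
    (b"GET /cgi-bin/flserv.pl?cmd=exec_flsearch&query=test HTTP/1.0\r\n\r\n", True),
    (b"get /CGI-BIN/FLSERV.PL?CMD=EXEC_FLSEARCH HTTP/1.0\r\n\r\n", True),  # nocase
    (b"GET /cgi-bin/flserv.pl?cmd=show_form HTTP/1.0\r\n\r\n", False),     # other cmd
    (b"GET /search.pl?cmd=exec_flsearch HTTP/1.0\r\n\r\n", False),         # other script
    (b"GET /index.html HTTP/1.0\r\n\r\n", False),                          # unrelated
]

def check_samples():
    """Return the samples whose verdict differs from the expected one."""
    return [(p, want) for p, want in SAMPLES if rule_matches(p) != want]

if __name__ == "__main__":
    for payload, want in SAMPLES:
        line = payload.split(b"\r\n", 1)[0].decode("latin-1")
        print(f"{'ALERT' if rule_matches(payload) else 'pass ':5}  {line}")
    print("mismatches:", check_samples())
```
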

