[Snort-sigs] new rule to detect Gallery with PHPNuke index attempt

rmkml rmkml at ...324...
Tue Dec 13 03:39:22 EST 2005


Hi,

Please check and maybe add this new rule:

web-php.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Gallery with PHPNuke index attempt"; flow:to_server,established; content:"GET"; nocase; depth:3; uricontent:"/modules.php"; nocase; content:"name|3D|gallery"; content:"file|3D|index"; reference:bugtraq,14547; reference:cve,2005-2596; reference:nessus,19419; reference:osvdb,18684; classtype:web-application-attack; )

This attempt is already detected by sid 2565, but this rule detects it more
precisely.

This rule IS NOT TESTED.

Improvements/comments are welcome.

Regards
Rmkml
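
Since the rule above is posted untested, here is an offline check of its four match options. It is an added example, not part of the original post and not Snort's own engine: rule_matches() is a simplified model (uricontent is approximated by percent-decoding the request URI), and every sample request is constructed.

```python
from urllib.parse import unquote


def rule_matches(payload: bytes) -> bool:
    """Simplified model of the posted rule's match options on one request."""
    # content:"GET"; nocase; depth:3 -> first three raw bytes, any case
    if payload[:3].upper() != b"GET":
        return False
    # uricontent:"/modules.php"; nocase -> request URI only, normalized
    # (assumption: normalization approximated by percent-decoding)
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    if "/modules.php" not in unquote(parts[1]).lower():
        return False
    # content:"name|3D|gallery"; content:"file|3D|index"
    # -> raw payload, case-sensitive, any offset, any order
    return b"name=gallery" in payload and b"file=index" in payload


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # The request the rule is written for.
    "gallery_index": b"GET /modules.php?name=gallery&file=index HTTP/1.0\r\n"
                     b"Host: example.test\r\n\r\n",
    # Another PHPNuke module: should stay silent.
    "other_module": b"GET /modules.php?name=News&file=article HTTP/1.0\r\n"
                    b"Host: example.test\r\n\r\n",
    # Gallery module, different file: should stay silent.
    "gallery_other_file": b"GET /modules.php?name=gallery&file=other HTTP/1.0\r\n"
                          b"Host: example.test\r\n\r\n",
    # The two content strings appear only in a header, not in the URI.
    "referer_only": b"GET /modules.php?name=News HTTP/1.0\r\n"
                    b"Host: example.test\r\n"
                    b"Referer: http://example.test/modules.php"
                    b"?name=gallery&file=index\r\n\r\n",
}


def evaluate() -> dict:
    """Return {sample name: whether the modelled rule would alert}."""
    return {name: rule_matches(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20s} {'ALERT' if hit else 'no alert'}")
```

The referer_only sample alerts because the two content options search the whole payload rather than the URI, so a request to any other module that carries those strings in a header is a false-positive source to check when testing the rule.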
