[Snort-sigs] new rule to detect man2web cmd exec attempt

rmkml rmkml at ...324...
Thu Dec 15 02:31:14 EST 2005


Please check and maybe add this new rule:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC man2web cmd exec attempt"; flow:to_server,established;
content:"GET"; nocase; depth:3; uricontent:"/man2web"; nocase; 
uricontent:"|2D|P"; reference:cve,2005-2812; reference:bugtraq,14747;
reference:nessus,19591; classtype:web-application-attack; )

This rule detects "/man2web?program=-P cmd....".

Improvements/comments are welcome.
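
An added example, not part of the original post and not Snort code: a simplified Python model of the rule's three content tests, run over constructed requests to show what raises the alert. The `/cgi-bin/` path, the sample requests, and percent-decoding as a stand-in for Snort's URI normalization are assumptions.

```python
from urllib.parse import unquote


def rule_matches(payload: bytes) -> bool:
    """Model the posted rule's content tests on one client-to-server payload."""
    # content:"GET"; nocase; depth:3;  -> first three payload bytes, any case
    if payload[:3].upper() != b"GET":
        return False
    # Request line layout: METHOD SP URI SP VERSION
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return False
    # uricontent inspects the normalized URI; percent-decoding stands in
    # for that normalization here (assumption: simplified model).
    uri = unquote(parts[1].decode("latin-1"))
    # uricontent:"/man2web"; nocase;
    if "/man2web" not in uri.lower():
        return False
    # uricontent:"|2D|P";  -> literal "-P", case-sensitive, anywhere in the URI
    return "-P" in uri


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "form quoted in the post":
        b"GET /cgi-bin/man2web?program=-P%20cmd HTTP/1.0\r\n\r\n",
    "same request, hyphen percent-encoded":
        b"GET /cgi-bin/man2web?program=%2DP%20cmd HTTP/1.0\r\n\r\n",
    "ordinary man page lookup":
        b"GET /cgi-bin/man2web?program=ls HTTP/1.0\r\n\r\n",
    "benign lookup whose name contains -P":
        b"GET /cgi-bin/man2web?program=XML-Parser HTTP/1.0\r\n\r\n",
    "unrelated page":
        b"GET /index.html HTTP/1.0\r\n\r\n",
}


def evaluate_samples() -> dict:
    """Return {sample name: True if the modelled rule would alert}."""
    return {name: rule_matches(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'pass '}  {name}")
```

The fourth sample alerts because the `-P` test is not tied to the start of the `program=` value, so a benign lookup containing `-P` is a false-positive source to tune for.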

