[Snort-sigs] new rule to detect MailGust SQL Injection email attempt

rmkml rmkml at ...324...
Thu Dec 15 02:33:01 EST 2005


Please check and maybe add this new rule:

web-php.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"WEB-PHP MailGust SQL Injection email attempt"; flow:to_server,
established; uricontent:"method|3D|remind_password"; nocase; 
uricontent:"list|3D|maillistuser"; nocase; uricontent:"email|3D 27|"; 
nocase; reference:bugtraq,14933; reference:cve,2005-3063; 
reference:nessus,19947; classtype:web-application-attack; )

This rule detects a posting page that contains email and injection ("email='").

Improvements/comments are welcome.
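
The following is an added example, not part of the original post: a small Python emulation of the rule's three uricontent checks, run over constructed requests to show which ones the rule would alert on. It assumes percent-decoding as a stand-in for Snort's URI normalization and uses a hypothetical path, /mailgust/index.php; the request that carries the same parameters in its body is not matched, because uricontent inspects only the normalized URI.

```python
from urllib.parse import unquote

# The rule's three uricontent patterns, with |3D| and |3D 27| written as text.
PATTERNS = ("method=remind_password", "list=maillistuser", "email='")

def normalize_uri(raw_uri):
    """Assumption: percent-decoding stands in for Snort's URI normalization."""
    return unquote(raw_uri)

def rule_matches(method, raw_uri, body=""):
    """Emulate the rule: every pattern must occur in the normalized URI.

    nocase makes each match case-insensitive, and with no distance/within
    modifiers the patterns may appear in any order. The method and body are
    accepted only to show that uricontent never looks at them.
    """
    uri = normalize_uri(raw_uri).lower()
    return all(p in uri for p in PATTERNS)

# Constructed sample requests; the path /mailgust/index.php is hypothetical.
PATH = "/mailgust/index.php"
QS = "method=remind_password&list=maillistuser&email="
SAMPLES = {
    "literal_quote": ("GET", PATH + "?" + QS + "'", ""),
    "encoded_quote": ("GET", PATH + "?" + QS + "%27", ""),
    "mixed_case": ("GET", PATH + "?" + QS.upper() + "%27", ""),
    "reordered": ("GET", PATH + "?email=%27&list=maillistuser"
                  "&method=remind_password", ""),
    "benign_reminder": ("GET", PATH + "?" + QS + "user@example.com", ""),
    "params_in_body": ("POST", PATH, QS + "'"),
}

def run_samples():
    """Return {sample name: True if the emulated rule would alert}."""
    return {name: rule_matches(*req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, alerted in run_samples().items():
        print(f"{name:16} {'ALERT' if alerted else 'no alert'}")
```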

