[Snort-sigs] Awstats Remote Code Execution

Chas Tomlin cet at ...2783...
Tue Jan 25 04:50:01 EST 2005


alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Awstats Remote Code
Execution Attempt"; flow: from_client; pcre:"/awstats.pl\?configdir=/i";
classtype:web-application-attack;sid:3000621; rev:1;)

I guess it could use uricontent instead of a pcre.

Chas Tomlin

Systems Administrator/Programmer
Electronics and Computer Science
University of Southampton

More information about the Snort-sigs mailing list