[Snort-sigs] Mistake in rule 2196
ofer at ...2970...
Wed Jan 26 05:20:29 EST 2005
While most of you probably will never encounter an event on rule 2196, it
seems to have a mistake in it:
web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-CGI catgy.cgi access"; flow:to_server,established;
uricontent:"/alert.cgi"; nocase; reference:bugtraq,3714;
reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748;
classtype:web-application-activity; sid:2196; rev:6;)
catgy.cgi is certainly not alert.cgi.
The exploit provided by SecurityFocus at also suggests that the right
signature condition is "catgy.cgi":
While checking it I also noticed that the second bugtraq reference, 4579,
does not seem to be in place. When investigating it, I found that it is a
very popular reference.
CTO, Breach Security
Tel: +972.9.956.0036 ext.212
ofers at ...2971...
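
A lint check for the kind of mismatch reported above, as an added example that is not part of the original post or of the Snort project: it parses a rule's options and flags any script name mentioned in msg that no content/uricontent pattern contains. The function names and the "/catgy.cgi" variant of the rule are assumptions constructed for the illustration.

```python
import re

# Rule text as quoted in the post (sid 2196, rev 6), joined onto one line.
RULE_2196 = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-CGI catgy.cgi access"; flow:to_server,established; '
    'uricontent:"/alert.cgi"; nocase; reference:bugtraq,3714; '
    'reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; '
    'classtype:web-application-activity; sid:2196; rev:6;)'
)
# Constructed variant: same rule with the uricontent the post argues for.
RULE_FIXED = RULE_2196.replace('"/alert.cgi"', '"/catgy.cgi"')

# keyword, then optionally ":" and a quoted or bare value, ended by ";"
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?;', re.I)
# Script-like file names that a msg string may mention (assumed extension list).
FILE_RE = re.compile(r'[\w.-]+\.(?:cgi|pl|php|asp|exe|dll)\b', re.I)

def parse_options(rule):
    """Return the options inside the rule's parentheses as (keyword, value) pairs."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    options = []
    for m in OPTION_RE.finditer(body):
        value = (m.group(2) or '').strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # drop the surrounding quotes
        options.append((m.group(1).lower(), value))
    return options

def msg_content_mismatch(rule):
    """Script names found in msg that appear in no content/uricontent pattern."""
    options = parse_options(rule)
    msg = next((v for k, v in options if k == 'msg'), '')
    patterns = [v.lower() for k, v in options if k in ('content', 'uricontent')]
    named = {name.lower() for name in FILE_RE.findall(msg)}
    return sorted(n for n in named if not any(n in p for p in patterns))

def lint(rules):
    """Return (sid, missing_names) for every rule whose msg and patterns disagree."""
    findings = []
    for rule in rules:
        missing = msg_content_mismatch(rule)
        if missing:
            findings.append((dict(parse_options(rule)).get('sid'), missing))
    return findings

if __name__ == '__main__':
    for sid, missing in lint([RULE_2196, RULE_FIXED]):
        print(f'sid {sid}: msg names {missing} but no pattern matches it')
```

A finding only means msg and the match pattern disagree; which of the two is wrong still has to be decided against the advisory the rule references.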