[Snort-sigs] new rule for detect TRACE method on smc (solaris mgmt console)

rmkml rmkml at ...324...
Mon Oct 31 03:24:23 EST 2005


Please check and add this new rule:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 898 (msg:"WEB-MISC SMC TRACE access"; flow:to_server,established; content:"TRACE"; depth:5; )

This rule detects the HTTP TRACE method on TCP port 898 (Solaris mgmt console).
"The Solaris Management Console (smc(1M)) is a graphical user interface 
that provides access to Solaris system administration tools which includes 
a web server that runs on port 898. This SMC web server enables the HTTP TRACE 
method by default which may allow a local or remote unprivileged user the ability 
to access sensitive information, such as cookies or authentication data, 
contained in the HTTP headers of an HTTP TRACE request."

Improvements are welcome.
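
Added example, not part of the original post: a small Python emulation of how Snort evaluates content:"TRACE"; depth:5; against constructed sample payloads, shown beside a hypothetical tightened variant (content:"TRACE "; depth:6;) that is an assumption and does not come from the post. It assumes the inspected payload begins at the start of the HTTP request.

```python
# Added example: emulates Snort content/depth matching for the posted rule.
# All payloads below are constructed samples, not captured traffic.

def content_match(payload: bytes, content: bytes, depth: int) -> bool:
    """Snort 'content' with 'depth': case-sensitive search limited to
    the first `depth` bytes of the payload."""
    return content in payload[:depth]

def posted_rule(payload: bytes) -> bool:
    # From the post: content:"TRACE"; depth:5;
    return content_match(payload, b"TRACE", 5)

def tightened_rule(payload: bytes) -> bool:
    # Assumption (not in the post): content:"TRACE "; depth:6;
    # The trailing space requires TRACE to be the complete method token.
    return content_match(payload, b"TRACE ", 6)

# Constructed request payloads as they would arrive on TCP port 898.
SAMPLES = {
    "trace_request": b"TRACE / HTTP/1.0\r\nHost: smc.example\r\n\r\n",
    "get_with_trace_in_uri": b"GET /TRACE HTTP/1.0\r\n\r\n",
    "trace_in_body": b"POST /x HTTP/1.0\r\nContent-Length: 5\r\n\r\nTRACE",
    "longer_method_token": b"TRACEROUTE / HTTP/1.0\r\n\r\n",
}

def evaluate(rule) -> dict:
    """Return {sample name: True if the rule would alert}."""
    return {name: rule(payload) for name, payload in SAMPLES.items()}

if __name__ == "__main__":
    for label, rule in (("posted", posted_rule), ("tightened", tightened_rule)):
        for name, hit in evaluate(rule).items():
            print(f"{label:9} {name:22} {'ALERT' if hit else 'no alert'}")
```

Because depth:5 confines the search to the first five payload bytes, "TRACE" inside a URI or body does not alert, while any method token that merely begins with TRACE does.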

