[Snort-sigs] new rule to detect TRACE method on SMC (Solaris mgmt console)
rmkml at ...324...
Mon Oct 31 03:24:23 EST 2005
Please check and add this new rule:
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 898
(msg:"WEB-MISC SMC TRACE access"; flow:to_server,established;
content:"TRACE"; depth:5; )
This rule detects the HTTP TRACE method on TCP port 898 (Solaris mgmt console).
"The Solaris Management Console (smc(1M)) is a graphical user interface
that provides access to Solaris system administration tools which includes
a web server that runs on port 898. This SMC web server enables the HTTP TRACE
method by default which may allow a local or remote unprivileged user the ability
to access sensitive information, such as cookies or authentication data,
contained in the HTTP headers of an HTTP TRACE request."
Improvements are welcome.
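
The payload test the rule above performs (content:"TRACE" within depth:5 on to-server traffic to port 898), emulated over constructed payloads as an added example that is not part of the original post. The `Segment` type, the sample payloads and the stricter `TRACE ` / depth 6 variant are assumptions made for illustration.

```python
from dataclasses import dataclass

SMC_PORT = 898  # destination port used by the posted rule


@dataclass
class Segment:
    """Hypothetical stand-in for one reassembled TCP payload."""
    dst_port: int
    to_server: bool  # stands in for flow:to_server,established
    payload: bytes


def content_match(payload: bytes, pattern: bytes, depth: int) -> bool:
    # content + depth: the pattern must lie within the first `depth` bytes.
    return pattern in payload[:depth]


def posted_rule(seg: Segment) -> bool:
    # content:"TRACE"; depth:5;  (case-sensitive, as posted)
    return (seg.to_server and seg.dst_port == SMC_PORT
            and content_match(seg.payload, b"TRACE", 5))


def tighter_rule(seg: Segment) -> bool:
    # Assumed variant, not from the post: content:"TRACE "; depth:6;
    return (seg.to_server and seg.dst_port == SMC_PORT
            and content_match(seg.payload, b"TRACE ", 6))


# Constructed sample traffic (not captured from a real host).
TRACE_REQ = b"TRACE / HTTP/1.1\r\nHost: smc.example\r\nCookie: id=constructed\r\n\r\n"
SAMPLES = {
    "trace_to_smc": Segment(898, True, TRACE_REQ),
    "trace_to_port_80": Segment(80, True, TRACE_REQ),
    "get_mentions_trace": Segment(898, True, b"GET /?m=TRACE HTTP/1.1\r\n\r\n"),
    "non_http_prefix": Segment(898, True, b"TRACEROUTE-STATUS ok\n"),
    "server_reply": Segment(51000, False, b"HTTP/1.1 200 OK\r\n\r\n" + TRACE_REQ),
}


def evaluate() -> dict:
    """Return {sample: (posted_rule_alerts, tighter_rule_alerts)}."""
    return {n: (posted_rule(s), tighter_rule(s)) for n, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:20} posted={verdicts[0]} tighter={verdicts[1]}")
```

Only the non-HTTP payload that merely begins with the bytes TRACE separates the two variants: the posted rule alerts on it, the variant with the trailing space does not.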