[Snort-sigs] Powergap Remote File Inclusion Signatures

Ureleet Ureleet ureleet at ...2420...
Thu Aug 17 17:56:57 EDT 2006


These seemed simple enough.

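# Powergap shop remote file inclusion attempt against s01.php: alerts when the
# value of the shopid parameter starts with http, https or ftp (case-insensitive).
# The mail-wrapped rule is joined with "\" continuations so it loads as one rule,
# and the "." in the pcre is escaped so it matches only a literal dot.
# NOTE(review): the scheme test is not followed by "://", so any value that
# merely starts with "http" or "ftp" also alerts.
# NOTE(review): the post gives no sid/rev; assign a sid from the local range
# (>= 1000000) before loading.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s01"; \
    flow:to_server,established; \
    uricontent:"/s01.php|3f|shopid|3d|"; nocase; \
    pcre:"/s01\.php\x3fshopid\x3d(http|https|ftp)/Ui"; \
    reference:url,www.powergap-shop.de; \
    reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html;)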

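# Powergap shop remote file inclusion attempt against s02.php: alerts when the
# value of the shopid parameter starts with http, https or ftp (case-insensitive).
# The mail-wrapped rule is joined with "\" continuations so it loads as one rule,
# and the "." in the pcre is escaped so it matches only a literal dot.
# NOTE(review): the scheme test is not followed by "://", so any value that
# merely starts with "http" or "ftp" also alerts.
# NOTE(review): the post gives no sid/rev; assign a sid from the local range
# (>= 1000000) before loading.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s02"; \
    flow:to_server,established; \
    uricontent:"/s02.php|3f|shopid|3d|"; nocase; \
    pcre:"/s02\.php\x3fshopid\x3d(http|https|ftp)/Ui"; \
    reference:url,www.powergap-shop.de; \
    reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html;)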

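# Powergap shop remote file inclusion attempt against s03.php: alerts when the
# value of the shopid parameter starts with http, https or ftp (case-insensitive).
# The mail-wrapped rule is joined with "\" continuations so it loads as one rule,
# and the "." in the pcre is escaped so it matches only a literal dot.
# NOTE(review): the scheme test is not followed by "://", so any value that
# merely starts with "http" or "ftp" also alerts.
# NOTE(review): the post gives no sid/rev; assign a sid from the local range
# (>= 1000000) before loading.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s03"; \
    flow:to_server,established; \
    uricontent:"/s03.php|3f|shopid|3d|"; nocase; \
    pcre:"/s03\.php\x3fshopid\x3d(http|https|ftp)/Ui"; \
    reference:url,www.powergap-shop.de; \
    reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html;)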

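# Powergap shop remote file inclusion attempt against s04.php: alerts when the
# value of the shopid parameter starts with http, https or ftp (case-insensitive).
# The mail-wrapped rule is joined with "\" continuations so it loads as one rule,
# and the "." in the pcre is escaped so it matches only a literal dot.
# NOTE(review): the scheme test is not followed by "://", so any value that
# merely starts with "http" or "ftp" also alerts.
# NOTE(review): the post gives no sid/rev; assign a sid from the local range
# (>= 1000000) before loading.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s04"; \
    flow:to_server,established; \
    uricontent:"/s04.php|3f|shopid|3d|"; nocase; \
    pcre:"/s04\.php\x3fshopid\x3d(http|https|ftp)/Ui"; \
    reference:url,www.powergap-shop.de; \
    reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html;)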

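# Powergap "sid variant": alerts on a request whose URI contains "/sid=" and
# whose payload contains "&shopid=" (both case-insensitive).
# Fixes the destination, which was written as HOME_NET without the "$" and so
# was not a variable reference; the mail-wrapped rule is also joined with "\"
# continuations so it loads as one rule.
# NOTE(review): unlike the s01-s04 rules in this post, nothing here tests that
# a parameter value is a remote URL (http/https/ftp), so any request carrying
# both parameters alerts; expect false positives and consider adding a pcre on
# the value before enabling this.
# NOTE(review): within:20 follows a uricontent match; uricontent is evaluated
# on the normalized URI and content on the raw payload, so confirm the relative
# match behaves as intended on your Snort version.
# NOTE(review): the post gives no sid/rev; assign a sid from the local range
# (>= 1000000) before loading.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit sid variant"; \
    flow:to_server,established; \
    uricontent:"/sid|3d|"; nocase; \
    content:"|26|shopid|3d|"; nocase; within:20; \
    reference:url,www.powergap-shop.de; \
    reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html;)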

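# Powergap "sid variant 2": alerts when the URI contains "/sid=" and the value
# after "sid=" starts with http, https or ftp (case-insensitive).
# Fixes the first reference option, which was missing its ":" and was split
# across two lines; the mail-wrapped rule is also joined with "\" continuations
# so it loads as one rule.
# NOTE(review): the pcre is not tied to the leading "/" that uricontent
# requires, so it also matches "sid=http..." elsewhere in the URI (for example
# inside a longer parameter name ending in "sid"); the scheme test is not
# followed by "://" either.
# NOTE(review): the post gives no sid/rev; assign a sid from the local range
# (>= 1000000) before loading.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file inclusion exploit sid variant 2"; \
    flow:to_server,established; \
    uricontent:"/sid|3d|"; nocase; \
    pcre:"/sid\x3d(http|https|ftp)/Ui"; \
    reference:url,www.powergap-shop.de; \
    reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html;)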



