[Snort-sigs] new rule for detect PHP-Nuke admin_styles.php phpbb_root_path access

rmkml rmkml at ...324...
Mon Jan 2 06:45:02 EST 2006


please check and maybe add this new rule :

web-php.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke admin_styles.php phpbb_root_path access"; 
flow:to_server,established; content:"GET"; nocase; depth:3; uricontent:"/modules/Forums/admin/admin_styles.php"; 
nocase; uricontent:"phpbb_root_path|3D|"; nocase; reference:osvdb,16244; classtype:web-application-attack; )

I created this rule because receive this request :

This url is strange, because phpbb_root_path param like phpBB,
but admin_styles.php file is phpNuke ...
and Im not find cve id with phpbb and admin_styles.

Improve/comments are welcome.


More information about the Snort-sigs mailing list