[Snort-sigs] Snort Community Rules Update

Sourcefire VRT research at ...435...
Thu Jun 1 13:00:02 EDT 2006


This message is to announce the availability of an update for the 
Sourcefire community rule set, which can be downloaded free of cost or 
registration from http://www.snort.org/pub-bin/downloads.cgi.

New rules in this release are identified as SIDs 100000315-100000316. 
The first rule detects HTTP PUT requests, and sets the http.put flowbit; 
the second rule checks this flowbit and then detects an HTTP 200 
OK-style response. These rules are intended to alert administrators to 
successful, unauthorized PUT requests, which are often used to deface 
improperly configured web servers. Due to the fact that many legitimate 
applications use HTTP PUT requests, these rules are disabled by default; 
users who are considering enabling them should first read the included 
rule documentation.

Additionally, classtypes have been added to all rules which previously 
lacked them, as several users had reported problems with rules that had 
no classtype.

Sourcefire would like to thank David Bianco for submitting the new 
rules. As a reminder, anyone who wishes to submit rules may do so at 
http://www.snort.org/reg-bin/rulesubmit.cgi.

A list of modified rules and their SIDs follows.

Alex Kirk
Community Rules Maintainer
Sourcefire, Inc.

100000315 || COMMUNITY WEB-MISC HTTP PUT Request
100000316 || COMMUNITY WEB-MISC HTTP PUT Request Successful




More information about the Snort-sigs mailing list