[Snort-sigs] FPs on old rule -- WEB-MISC .htpasswd access

Russell Fulton r.fulton at ...575...
Tue Mar 7 12:56:01 EST 2006


Hmmm should this have a uricontent rather than content?

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC .htpasswd access"; flow:to_server,established;
content:".htpasswd"; nocase; classtype:web-application-attack; sid:1071;
rev:6;)


GET /drupal/ HTTP/1.0..Host: malcolmclan.org..User-Agent: Mo
zilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051
010 Firefox/1.0.7 (Ubuntu package 1.0.7)..Accept: text/xml,a
pplication/xml,application/xhtml+xml,text/html;q=0.9,text/pl
ain;q=0.8,image/png,*/*;q=0.5..Accept-Language: en-us,en;q=0
.5..Accept-Encoding: gzip,deflate..Accept-Charset: ISO-8859-
1,utf-8;q=0.7,*;q=0.7..Keep-Alive: 300..Referer: http://www.
malcolmclan.org:2082/frontend/bluehost/fantastico/autoinstal
ldrupaldo.php?submit=Finish+installation&SQLPass=DHxHf%5B1Go
ztl&adminuser=admin&continuepage=autoinstalldrupaldo.php&adm
inemail=malcolmc%40malcolmclan.org&thisapp=Drupal&thismakedb
=drpl2&connect=malcolmc_drpl2&installdir=drupal&mysqldb=malc
olmc_drpl2&mysqluser=malcolmc_drpl2&userrootpath=%2Fhome%2Fm
alcolmc%2Fpublic_html&protectdir=%2Fhome%2Fmalcolmc%2F.htpas <=== here
swds%2Fdrupal%2Fadmin%2F&protected=1&subtitle=&INST_password
=pixie&pause=&language=&sitename=&company=&companyname=&comp
anylocation=&adminfullname=&adminfirstname=&adminlastname=&u
serdata=%2Fhome%2Fmalcolmc%2F.fantasticodata&scriptpath=%2Fh
ome%2Fmalcolmc%2Fpublic_html%2Fdrupal&cgi_bin_scriptpath=%2F
home%2Fmalcolmc%2Fpublic_html%2Fcgi-bin%2Fdrupal&fax=&teleph
one=&address=&copyright=&allowcomments=&articlecount=&articl
ecounthome=&backendtitle=&begindate=&footer=&keywords=&sende
mail=&multilingual=&oldarticlecount=&slogan=&mission=&instal
ldirdomain=malcolmclan.org&index_file_conflict=0..Via: 1.1 p
roxy.bioeng.auckland
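
The difference the question turns on, as an added example that is not part of the original post: `content` inspects the whole TCP payload, so the string in the Referer header fires the rule, while `uricontent` only inspects the normalized request URI. The Python functions below only approximate the two Snort options, and the sample requests, host names and paths are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

NEEDLE = b".htpasswd"

# Constructed sample requests (hosts and paths are made up, not from the post).
# BENIGN mirrors the false positive: the string sits in the Referer, not the URI.
BENIGN = (
    b"GET /drupal/ HTTP/1.0\r\n"
    b"Host: www.example.org\r\n"
    b"Referer: http://www.example.org:2082/install.php?"
    b"protectdir=%2Fhome%2Fuser%2F.htpasswds%2Fdrupal%2Fadmin%2F&protected=1\r\n"
    b"\r\n"
)
DIRECT = b"GET /private/.htpasswd HTTP/1.0\r\nHost: www.example.org\r\n\r\n"
ENCODED = b"GET /private/%2Ehtpasswd HTTP/1.0\r\nHost: www.example.org\r\n\r\n"


def request_uri(payload: bytes) -> bytes:
    """Return the request-target from the request line, or b'' if malformed."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def content_match(payload: bytes, needle: bytes = NEEDLE) -> bool:
    """Approximates content:"..."; nocase; (search the entire raw payload)."""
    return needle.lower() in payload.lower()


def uricontent_match(payload: bytes, needle: bytes = NEEDLE) -> bool:
    """Approximates uricontent:"..."; nocase; (percent-decoded request URI only)."""
    uri = unquote_to_bytes(request_uri(payload))
    return needle.lower() in uri.lower()


def compare(payload: bytes) -> tuple:
    """Return (content_result, uricontent_result) for one request."""
    return content_match(payload), uricontent_match(payload)


if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("direct", DIRECT), ("encoded", ENCODED)):
        print(name, compare(req))
```

The encoded case shows the other side of the trade-off: a raw payload match also misses a percent-encoded request for the file, which a match on the decoded URI catches.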



