[Snort-sigs] Sig 1147
jamesr at ...3216...
Fri May 26 05:04:13 EDT 2006
On 26/04/06, BassPlayer <bassplayer at ...549...> wrote:
> After checking the actual exploit here
> Wouldn't it be better to do
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> cat%20 access"; flow:to_server,established;
> pcre:"/webdist.cgi.+cat%20/i"; reference:bugtraq,374;
> reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)
All of the exploits I can think of off the top of my head would match
something like \.(cgi|pl|php|htm|html)\?.+(cat|id|ls|echo|wget|tftp|ftp|curl)%20
, not counting SQL injection on Windows, which I think is handled via
matching on xp_cmdshell.
Would it be better to combine the various web attack rules into
something like the above - including all the ps/gcc/uname in
web-attacks? The old ones seemed to cause me an awful lot of false
Jamie Riden / jamesr at ...3216... / jamie.riden at ...3217...
"Microsoft: Bringing the world to your desktop - and your desktop to
the world." -- Peter Gutmann
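As an added illustration (my own code, not part of this thread or of the Snort rule set), here is sid 1147's pcre and the generalized pattern proposed above run over a few constructed request lines, beside a hypothetical token-boundary variant that shows where the bare `(cat|id|...)%20` alternation also fires on ordinary words. Python's `re` stands in for PCRE here, which is fine for these particular expressions.

```python
import re

# sid 1147's pcre as quoted in the thread.
SID_1147_PCRE = re.compile(r"webdist\.cgi.+cat%20", re.IGNORECASE)

# The generalized pattern proposed in the message, exactly as written there.
GENERIC_PCRE = re.compile(
    r"\.(cgi|pl|php|htm|html)\?.+(cat|id|ls|echo|wget|tftp|ftp|curl)%20",
    re.IGNORECASE)

# Hypothetical tightened variant (my assumption, not from the thread): the
# command name may not be preceded by an alphanumeric, so "bobcat%20" and
# "valid%20" no longer fire. Note it still relies on a literal separator
# such as ";" before the command; a URL-encoded one (%3B) would defeat it.
TIGHTER_PCRE = re.compile(
    r"\.(cgi|pl|php|htm|html)\?.+(?<![a-z0-9_])(cat|id|ls|echo|wget|tftp|ftp|curl)%20",
    re.IGNORECASE)

# Constructed sample request lines, not captured traffic.
SAMPLES = [
    "GET /cgi-bin/webdist.cgi?distloc=;cat%20somefile HTTP/1.0",
    "GET /cgi-bin/search.pl?q=foo;id%20-u HTTP/1.0",
    "GET /docs.cgi?topic=bobcat%20care HTTP/1.1",
    "GET /form.php?status=valid%20entry HTTP/1.1",
    "GET /index.html HTTP/1.1",
]


def classify(line):
    """Return which of the three patterns fire on a single request line."""
    return {
        "sid1147": bool(SID_1147_PCRE.search(line)),
        "generic": bool(GENERIC_PCRE.search(line)),
        "tighter": bool(TIGHTER_PCRE.search(line)),
    }


def scan(lines):
    """Classify every line; keyed by the line so results are easy to inspect."""
    return {line: classify(line) for line in lines}


def generic_only(lines):
    """Lines the generalized pattern flags but the tightened variant does not:
    the candidates for the false positives the message complains about."""
    return [l for l, r in scan(lines).items() if r["generic"] and not r["tighter"]]


if __name__ == "__main__":
    for line, result in scan(SAMPLES).items():
        print(result, line)
```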