[Snort-sigs] Sig 1147

Jamie Riden jamesr at ...3216...
Fri May 26 05:04:13 EDT 2006


On 26/04/06, BassPlayer <bassplayer at ...549...> wrote:
> After checking the actual exploit here
>
> http://www.securityfocus.com/bid/374/exploit
>
> Wouldn't it be better to do
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> cat%20 access"; flow:to_server,established;
> pcre:"/webdist.cgi.+cat%20/i"; reference:bugtraq,374;
> reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)

All of the exploits I can think of off the top of my head would match
something like \.(cgi|pl|php|htm|html)\?.+(cat|id|ls|echo|wget|tftp|ftp|curl)%20,
not counting SQL injection on Windows, which I think is handled via
matching on xp_cmdshell.

Would it be better to combine the various web attack rules into
something like the above, including all the ps/gcc/uname in
web-attacks? The old ones seemed to cause me an awful lot of false
positives anyway.

cheers,
 Jamie
--
Jamie Riden / jamesr at ...3216... / jamie.riden at ...3217...
"Microsoft: Bringing the world to your desktop - and your desktop to
 the world." -- Peter Gutmann
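Added example, not part of the thread: the catch-all pattern Jamie proposes, transcribed into Python `re` (close enough to Snort's PCRE for these constructs), run over a handful of constructed HTTP request lines next to a hypothetical tightened variant that only fires when the command word sits where a shell would start a new command (right after `=` or an encoded separator). The request lines, the `TIGHT` pattern and the `evaluate` helper are all assumptions made up for this illustration; the point is to show concretely where the broad alternation picks up benign traffic, which is the false-positive problem the message raises.

```python
import re

# Jamie's proposed catch-all, transcribed from the thread (PCRE -> Python re).
BROAD = re.compile(
    r"\.(cgi|pl|php|htm|html)\?.+(cat|id|ls|echo|wget|tftp|ftp|curl)%20",
    re.I,
)

# Hypothetical tightened variant (not from the thread): the command token must
# immediately follow '=' (start of a parameter value) or a shell separator,
# either raw (';', '|') or URL-encoded (%3b ';', %7c '|', %26 '&', %0a newline,
# %60 backtick). Anything else in front of the word, e.g. "val" in "valid", is
# treated as part of an ordinary value.
TIGHT = re.compile(
    r"\.(cgi|pl|php|htm|html)\?.*?(?:=|%3b|%7c|%26|%0a|%60|;|\|)"
    r"(?:cat|id|ls|echo|wget|tftp|ftp|curl)%20",
    re.I,
)

# Constructed request lines: (request, is_attack). The first is shaped like the
# webdist.cgi request that sid 1147 targets; the benign ones merely contain a
# command word followed by %20 somewhere inside a parameter value.
SAMPLE_REQUESTS = [
    ("GET /cgi-bin/webdist.cgi?distloc=;cat%20/etc/motd HTTP/1.0", True),
    ("GET /app.pl?cmd=echo%20hello HTTP/1.1", True),
    ("GET /search.php?q=valid%20password HTTP/1.1", False),   # "...id%20"
    ("GET /pets.cgi?name=bobcat%20stevens HTTP/1.1", False),  # "...cat%20"
    ("GET /index.html?page=1 HTTP/1.1", False),
]


def evaluate(pattern, samples=SAMPLE_REQUESTS):
    """Count true positives, false positives and false negatives for a pattern."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for line, is_attack in samples:
        matched = pattern.search(line) is not None
        if matched and is_attack:
            counts["tp"] += 1
        elif matched:
            counts["fp"] += 1
        elif is_attack:
            counts["fn"] += 1
    return counts


def flagged(pattern, samples=SAMPLE_REQUESTS):
    """Return the request lines a pattern would alert on, for eyeballing."""
    return [line for line, _ in samples if pattern.search(line)]


if __name__ == "__main__":
    for name, pattern in (("BROAD", BROAD), ("TIGHT", TIGHT)):
        print(name, evaluate(pattern))
        for line in flagged(pattern):
            print("   ", line)
```

On these inputs the broad alternation alerts on all four lines that contain a command word before `%20`, two of which are ordinary searches ("valid" and "bobcat"), while the separator-anchored variant keeps the two injection-shaped requests and drops the benign ones. The same anchoring idea carries over to a Snort `pcre` option; whether it is tight enough for a given site is something to measure against real traffic before replacing the per-exploit rules.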