[Snort-sigs] false positive for WEB-ATTACKS rm command attempt

Joel Esler joel.esler at ...435...
Fri May 26 05:34:17 EDT 2006



DH,

Thanks for your submission; however, we no longer run that rule in
web-attacks.rules. That rule has been moved to deleted.rules. I suggest
a rule update.

Joel

DH wrote:
> GEN:SID 1:1365
>
> Message WEB-ATTACKS rm command attempt
>
> Summary Attempted rm command access via web
>
> Impact Attempt to delete files on a webserver.
>
> False Positives:
> Here are some examples of a false positive:
>
> 120 : 72 3D 73 6C 76 31 2D 63 63 6C 65 26 70 3D 75 6E   r=slv1-ccle&p=un
> 130 : 69 66 6F 72 6D 25 32 30 61 63 72 6F 73 73 25 32   iform%20across%2
>
> 030 : 74 69 6F 6E 3D 4C 4F 4E 47 25 32 30 54 45 52 4D   tion=LONG%20TERM
> 040 : 25 32 30 44 52 55 47 25 32 30 54 48 45 52 41 50   %20DRUG%20THERAP
>
> 030 : 74 69 6F 6E 3D 53 48 4F 52 54 25 32 30 41 52 4D   tion=SHORT%20ARM
> 040 : 25 32 30 53 50 4C 49 4E 54 20 48 54 54 50 2F 31   %20SPLINT HTTP/1
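Why the three quoted payloads tripped the alert, as an added example that is not part of the original thread. It assumes the retired rule matched the bare string `rm%20` case-insensitively (the rule body is not quoted in this thread) and compares that with a hypothetical token-boundary check on the percent-decoded data. The first three samples are constructed from the ASCII column of the dumps above; the fourth is a constructed true positive.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: the retired rule's content match was the literal "rm%20", nocase.
RULE_CONTENT = b"rm%20"

# Constructed samples: 0-2 rebuilt from the quoted dumps, 3 is a made-up
# request that really does carry an rm command.
SAMPLES = [
    b"r=slv1-ccle&p=uniform%20across%2",
    b"tion=LONG%20TERM%20DRUG%20THERAP",
    b"tion=SHORT%20ARM%20SPLINT HTTP/1",
    b"GET /view.cgi?file=a.txt;rm%20-f%20a.txt HTTP/1.0",
]

# Hypothetical tighter check: after percent-decoding, "rm" must not be the
# tail of a longer word (uniform, TERM, ARM) and must be followed by whitespace.
TOKEN_RM = re.compile(rb"(?<![A-Za-z0-9])rm\s", re.IGNORECASE)


def naive_hits(payload: bytes) -> list[int]:
    """Offsets where the bare substring matches, ignoring case."""
    pattern = re.compile(re.escape(RULE_CONTENT), re.IGNORECASE)
    return [m.start() for m in pattern.finditer(payload)]


def token_hit(payload: bytes) -> bool:
    """True only when 'rm' appears as its own token in the decoded payload."""
    return TOKEN_RM.search(unquote_to_bytes(payload)) is not None


def compare(samples=SAMPLES) -> list[tuple[bool, bool]]:
    """(substring match fires, token-boundary match fires) per sample."""
    return [(bool(naive_hits(s)), token_hit(s)) for s in samples]


if __name__ == "__main__":
    for sample, (naive, token) in zip(SAMPLES, compare()):
        print(f"naive={naive!s:5} token={token!s:5} {sample.decode()}")
```
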



