[Snort-sigs] two new rules for detect Webmin/Usermin null char

rmkml rmkml at ...324...
Mon Sep 4 08:42:52 EDT 2006


Hi,

Please check and maybe add these two new rules:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"WEB-MISC Webmin null char attempt"; flow:to_server,established; content:"GET"; nocase; depth:3; content:"miniserv.pl"; nocase; distance:1; content:"%00"; distance:1; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; rev:1; )

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 20000 (msg:"WEB-MISC Usermin null char attempt"; flow:to_server,established; content:"GET"; nocase; depth:3; content:"miniserv.pl"; nocase; distance:1; content:"%00"; distance:1; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; rev:1; )

Any suggestions and improvements are welcome,

This rule is offered by Crusoe Researches (Team)
http://www.crusoe-researches.com

Regards
Rmkml
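
Added example (not part of the original post, and not Snort code): a small Python harness that emulates the content, nocase, depth and distance options of the two rules above on constructed payloads, so their match behaviour can be checked before deployment. The function names and sample requests are assumptions; flow state and the $EXTERNAL_NET/$HTTP_SERVERS address checks are not modelled.

```python
# Added example: emulates the payload options of the two rules in this post.
# Names and sample payloads are constructed; flow state and the
# $EXTERNAL_NET/$HTTP_SERVERS address checks are not modelled.

# Rule options in order: (pattern, nocase, depth, distance); None = not set.
RULE_CONTENTS = [
    (b"GET", True, 3, None),
    (b"miniserv.pl", True, None, 1),
    (b"%00", False, None, 1),
]

# Destination port -> msg string, as given in the two rules.
RULE_PORTS = {
    10000: "WEB-MISC Webmin null char attempt",
    20000: "WEB-MISC Usermin null char attempt",
}

def rule_matches(payload, contents=RULE_CONTENTS):
    """Return True if every content option matches in rule order."""
    cursor = 0  # offset just past the previous content match
    for pattern, nocase, depth, distance in contents:
        # Without distance the search starts at the payload start;
        # with distance it starts that many bytes past the last match.
        start = 0 if distance is None else cursor + distance
        end = len(payload) if depth is None else min(len(payload), depth)
        window = payload[start:end]
        if nocase:
            window, pattern = window.lower(), pattern.lower()
        # First match is enough here: no option uses "within", so the
        # earliest match leaves the largest region for later contents.
        idx = window.find(pattern)
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)
    return True

def alert_for(dst_port, payload):
    """Return the msg of the rule that would fire, or None."""
    msg = RULE_PORTS.get(dst_port)
    return msg if msg and rule_matches(payload) else None

if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    for port, data in [
        (10000, b"GET /miniserv.pl?a=%00 HTTP/1.0\r\n\r\n"),
        (20000, b"GET /miniserv.pl HTTP/1.0\r\n\r\n"),
    ]:
        print(port, alert_for(port, data))
```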



