[Snort-sigs] about the alert 'WEB-CGI xxx access' and 'WEB-CGE xxx attempt'

Mingming Sun snortmaillist at ...2420...
Sat Mar 1 09:38:16 EST 2008


Hi, 

 

 

         I found that there are commonly two similar type of alerts in
WEB-CGI alerts. One is in the form ‘WEB-CGI xxx access’, while the other
is in the form of ‘WEB-CGI xxx attempt’, where xxx stands for some exe pl
or cgi file name. 

 

         The detection rules of these two type of alerts differ from each
other in the fact that the first one detect the name of the executed file,
that is ‘xxx’, while the second one detect the ‘xxx?’. For my knowledge,
the first class of alert will be fired when someone want to run the program
without any parameter, while the second with parameters. 

 

         The question is: since the execution of the program without any
parameter always does not really do anything harmful, why the snort capture
the behavior and report it? Does the snort think the behavior is a test for
the existing of the program and the execution of program with parameters
will follow?

 

         Best wishes!

 

 

 
Mingming Sun ‘ 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20080301/cacfadeb/attachment.html>


More information about the Snort-sigs mailing list