[Snort-sigs] about the alert 'WEB-CGI abc access' and 'WEB-CGI abc attempt'

Matthew Watchinski mwatchinski at ...435...
Sat Mar 1 14:25:49 EST 2008


comment in line.

Mingming Sun wrote:
> Hi,
> 
> I found that there are commonly two similar types of alerts in
> WEB-CGI alerts. One is in the form 'WEB-CGI abc access', while the other
> is in the form of 'WEB-CGI abc attempt', where abc stands for some exe, pl
> or cgi file name.
> 
> The detection rules of these two types of alerts differ from each
> other in the fact that the first one detects the name of the executed file,
> that is 'abc', while the second one detects 'abc?'. To my knowledge,
> the first class of alert will be fired when someone wants to run the program
> without any parameter, while the second with parameters.
> 
> The question is: since the execution of the program without any
> parameter never really does anything harmful, why does Snort capture
> the behavior and report it? Does Snort think the behavior is a test for
> the existence of the program and that execution of the program with parameters
> will follow?
> 

Vulnerability scanners usually test for the existence of files and they don't
always test to see if the files do anything. That is why there are normally
two rules, one that looks for someone doing recon ("access") and one that
looks for something trying to use the file ("attempt").

Cheers,
-matt


> 
> Best wishes!
> 
> Mingming Sun





More information about the Snort-sigs mailing list
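Added example, not from the thread and not the Snort ruleset itself: a small Python matcher that applies a constructed "access"/"attempt" rule pair to sample HTTP request lines, in the spirit of the WEB-CGI pair discussed above. It shows that the trailing "?" in the "attempt" rule is the only discriminator, that a request with a query string therefore trips both signatures, and that a plain substring match also hits neighbouring names such as abcd. The rule text, sids and request lines are constructed for illustration, and percent-decoding with unquote stands in for the URI normalization Snort's http_inspect preprocessor performs before uricontent matching.

```python
from urllib.parse import unquote

# Constructed, simplified Snort-style rules modelled on the "access"/"attempt"
# pair discussed in the thread. They are illustrative only; the sids are
# placeholders, not real VRT identifiers.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-CGI abc access"; uricontent:"/cgi-bin/abc"; nocase; sid:9000001;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-CGI abc attempt"; uricontent:"/cgi-bin/abc?"; nocase; sid:9000002;)',
]

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/abc HTTP/1.0",            # bare probe: does the file exist?
    "GET /cgi-bin/abc?cmd=ls HTTP/1.1",     # use with parameters
    "GET /cgi-bin/%41BC?x=1 HTTP/1.1",      # percent-encoded, mixed case
    "HEAD /cgi-bin/abcd HTTP/1.0",          # different script, same prefix
    "GET /index.html HTTP/1.0",             # unrelated
]


def parse_rule(rule):
    """Pull msg, uricontent, sid and the nocase flag out of a rule's option block.

    Only the handful of options this example needs are handled; a real rule
    parser must cope with escaped quotes, semicolons inside strings, pcre, etc.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {"nocase": False}
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        if item == "nocase":
            opts["nocase"] = True
            continue
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return opts


def request_uri(request_line):
    """Return the request URI, percent-decoded.

    Decoding approximates the normalization Snort's http_inspect applies before
    uricontent matching, so "/cgi-bin/%41BC" is matched as "/cgi-bin/ABC".
    """
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    return unquote(parts[1])


def rule_matches(opts, uri):
    """Substring match of uricontent against the normalized URI (nocase-aware)."""
    needle, haystack = opts["uricontent"], uri
    if opts["nocase"]:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


def alerts_for(request_line, rules=RULES):
    """Return the msg of every rule that fires on one request line, in rule order."""
    uri = request_uri(request_line)
    return [opts["msg"] for opts in map(parse_rule, rules) if rule_matches(opts, uri)]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        fired = alerts_for(line) or ["(no alert)"]
        print(f"{line:38} -> {', '.join(fired)}")
```

Because "/cgi-bin/abc?" contains "/cgi-bin/abc", every "attempt" hit is also an "access" hit in this matcher; with two separate rules an operator should expect both alerts on a parameterized request and correlate them rather than treat them as two events. The abcd case shows why production rules often tighten the match with a trailing delimiter or a pcre anchor.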