[Snort-sigs] SID 1221 - musicat empower access

Guise McAllaster guise.mcallaster at ...2420...
Tue Dec 22 10:01:45 EST 2009


Please let me bring our attention to SID 1221 - musicat empower access.
This detects attempted access that results in a path disclosure.  It is also
from 2001.  A few things to note.  From what I can tell, it is not "musicat"
but "muscat".  Next, the rule only looks for uricontent:"empower".    Seems
a little simple, even for VRT.  What about doing a little more to reduce the
false positive?  How about uricontent:"empower?"  or
uricontent:"empower?DB="

Just some thoughts.  As for me, I'm suppressing it since I don't run it and
this rule is old like bottom posting.

Cheers,

Guise
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20091222/9e1cca85/attachment.html>


More information about the Snort-sigs mailing list