[Snort-sigs] WEB-CGI phf access - SID 886

Guise McAllaster guise.mcallaster at ...2420...
Tue Dec 29 16:25:44 EST 2009


Here is another ancient rule that has some false positives:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf
access"; flow:to_server,established; uricontent:"/phf"; nocase;
metadata:service http; reference:arachnids,128; reference:bugtraq,629;
reference:cve,1999-0067; classtype:web-application-activity; sid:886;
rev:12;)

If people still care about this vuln, could we change it to be more robust?
I see it false positive on things like 'GET /foo/bar/PHFDD_user.js'.

Maybe something like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf
access"; flow:to_server,established; uricontent:"/phf"; nocase;
pcre:"/\/phf\/?\?/Ui"; metadata:service http; reference:arachnids,128;
reference:bugtraq,629; reference:cve,1999-0067;
classtype:web-application-activity; sid:886; rev:13;)

Similar simple file access rules could probably be modified in a similar
manner (although I have not looked).

If people don't care about the rule, maybe we could prune it out along with
all exploit specific rules that are over 10 years old.

Thanks.

Guise
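The following is an added illustration, not part of the original post, comparing the two match conditions from the rules above over constructed sample URIs. It models `uricontent:"/phf"; nocase;` as a case-insensitive substring test and the proposed `pcre:"/\/phf\/?\?/Ui"` as a case-insensitive regex on the URI string (the `U` modifier, which selects Snort's normalized URI buffer, is assumed equivalent to matching the request path here). The sample URIs, including `/cgi-bin/phf?Qalias=test` and `/static/phfonts.css`, are constructed for the example.

```python
import re

# Constructed sample request URIs (not from the original post) used to
# compare the two detection conditions side by side.
SAMPLE_URIS = [
    "/cgi-bin/phf?Qalias=test",    # phf CGI request with a query string
    "/cgi-bin/phf/?Qalias=test",   # trailing-slash variant the pcre also accepts
    "/CGI-BIN/PHF?Qalias=test",    # case variation (both rules are case-insensitive)
    "/foo/bar/PHFDD_user.js",      # the false positive reported in the post
    "/static/phfonts.css",         # another benign path that contains "/phf"
    "/cgi-bin/phf",                # phf path with no query string
    "/index.html",                 # unrelated request
]


def matches_original(uri: str) -> bool:
    """Model of rev:12 -- uricontent:"/phf"; nocase; (substring match anywhere)."""
    return "/phf" in uri.lower()


# Model of the rev:13 pcre: "/phf", an optional "/", then a literal "?".
PROPOSED_PCRE = re.compile(r"/phf/?\?", re.IGNORECASE)


def matches_proposed(uri: str) -> bool:
    """Model of rev:13 -- both the uricontent and the pcre option must match."""
    return matches_original(uri) and PROPOSED_PCRE.search(uri) is not None


def compare(uris=SAMPLE_URIS) -> dict:
    """Return {uri: (original_hit, proposed_hit)} for each sample URI."""
    return {u: (matches_original(u), matches_proposed(u)) for u in uris}


if __name__ == "__main__":
    for uri, (old, new) in compare().items():
        print(f"{uri:30} rev12={old!s:5} rev13={new!s:5}")
```

Running it shows the reported false positive (`/foo/bar/PHFDD_user.js`) and the constructed `/static/phfonts.css` hit only the rev:12 condition, while the `/cgi-bin/phf?...` requests hit both. One trade-off to be aware of: because the pcre requires a literal `?`, a bare request for the script path with no query string (`/cgi-bin/phf`) no longer alerts; whether that matters depends on whether you also want to see path probes without parameters.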