[Snort-sigs] WEB-MISC backup access

Joel Esler jesler at ...435...
Mon Aug 20 09:38:34 EDT 2012


On Aug 20, 2012, at 2:51 AM, yew chuan Ong <yewchuan_23 at ...144...> wrote:

> Appreciate if anyone would like to share the intention of this sig - WEB-MISC backup access. The keyword is pretty weak, and it is disabled by default.
> 
> # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC backup access"; flow:to_server,established; content:"/backup"; nocase; http_uri; classtype:attempted-recon; sid:1213; rev:9;)

It looks for a simple access to the URI /backup on any of your webservers.  This is a generic sig, and, as you mentioned, is not on in the default policy.  (It's actually not in any policies).

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
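
An added example, not part of the original thread and not Snort code: a small Python sketch of what the rule's `content:"/backup"; nocase; http_uri;` options amount to, run over constructed request targets to show how broadly the substring matches. Percent-decoding stands in for Snort's URI normalization, which is an assumption of this sketch, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Rule text as quoted in the thread, with the leading "# " removed for parsing.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-MISC backup access"; flow:to_server,established; '
        'content:"/backup"; nocase; http_uri; classtype:attempted-recon; '
        'sid:1213; rev:9;)')

# Constructed request targets (not taken from any real traffic).
SAMPLES = [
    '/backup/site.tar.gz',
    '/BACKUP',
    '/%62ackup.zip',
    '/img/backup-icon.png',
    '/docs/backups-howto.html',
    '/search?q=backup',
    '/index.html',
]

def parse_options(rule):
    """Return the rule's options as a dict; flag options map to None."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = {}
    # Split on ';' while keeping quoted strings intact.
    for item in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        key, _, val = item.strip().partition(':')
        if key:
            opts[key.strip()] = val.strip().strip('"') or None
    return opts

def uri_matches(opts, request_target):
    """Apply content + nocase to a percent-decoded request target."""
    needle = opts['content']
    haystack = unquote(request_target)  # assumption: stands in for http_uri
    if 'nocase' in opts:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack

def alerts(rule, targets):
    """Return the targets on which the rule's URI match would fire."""
    opts = parse_options(rule)
    return [t for t in targets if uri_matches(opts, t)]

if __name__ == '__main__':
    for target in alerts(RULE, SAMPLES):
        print('sid', parse_options(RULE)['sid'], 'matches', target)
```

The icon and how-to paths match alongside the archive paths, because the rule only requires the substring `/backup` anywhere in the URI.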