[Snort-sigs] WEB-MISC backup access

yew chuan Ong yewchuan_23 at ...144...
Mon Aug 20 21:10:59 EDT 2012


Thanks Joel. =)


________________________________
 From: Joel Esler <jesler at ...435...>
To: yew chuan Ong <yewchuan_23 at ...144...> 
Cc: "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net> 
Sent: Monday, August 20, 2012 9:38 PM
Subject: Re: [Snort-sigs] WEB-MISC backup access
 

On Aug 20, 2012, at 2:51 AM, yew chuan Ong <yewchuan_23 at ...144...> wrote:

> Appreciate if anyone would like to share the intention of this sig - WEB-MISC backup access. The keyword is pretty weak, and it is disabled by default.
>
> # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC backup access"; flow:to_server,established; content:"/backup"; nocase; http_uri; classtype:attempted-recon; sid:1213; rev:9;)

It looks for a simple access to the URI /backup on any of your webservers.  This is a generic sig, and, as you mentioned, is not on in the default policy.  (It's actually not in any policies).

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
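
Added example, not part of the thread and not Snort code: a small Python evaluator that parses the options of sid:1213 as quoted above and applies its content test to a handful of request URIs, to show how broadly a bare substring match on "/backup" fires. The function names and the sample URIs are constructed for illustration, and URI normalisation is assumed to be percent-decoding only.

```python
import re
from urllib.parse import unquote

# sid:1213 exactly as quoted in the thread.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-MISC backup access"; flow:to_server,established; '
        'content:"/backup"; nocase; http_uri; classtype:attempted-recon; '
        'sid:1213; rev:9;)')

def parse_options(rule):
    """Split the option block into (keyword, value) pairs, honouring quotes."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    pairs = re.finditer(r'\s*([\w.]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;', body)
    return [(m.group(1), m.group(2).strip('"') if m.group(2) else None) for m in pairs]

def uri_contents(rule):
    """Attach the nocase / http_uri modifiers to the content they follow."""
    contents = []
    for key, val in parse_options(rule):
        if key == 'content':
            contents.append({'pattern': val, 'nocase': False, 'http_uri': False})
        elif key in ('nocase', 'http_uri') and contents:
            contents[-1][key] = True
    return [c for c in contents if c['http_uri']]

def rule_fires(rule, raw_uri):
    """Approximate the rule's content test on one request URI.
    Assumption: normalisation is percent-decoding only; Snort does more."""
    uri = unquote(raw_uri)
    for c in uri_contents(rule):
        hay, pat = uri, c['pattern']
        if c['nocase']:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:      # content is a substring test, not an exact path
            return False
    return True

# Constructed request URIs (not taken from the thread or from real traffic).
SAMPLE_URIS = [
    '/backup',                   # the request the rule describes
    '/BACKUP/site.tar.gz',       # matched because of nocase
    '/docs/backup-policy.html',  # ordinary page whose path contains "/backup"
    '/%62ackup',                 # percent-encoded "b", decoded before matching
    '/my_backup/',               # "backup" without the leading "/"
    '/index.html',
]

def alerts(uris=SAMPLE_URIS):
    return [u for u in uris if rule_fires(RULE, u)]
```

Calling alerts() returns the four URIs that contain "/backup" after decoding, including the ordinary documentation page, which is the kind of noise a sensor would see with this rule enabled.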