[Snort-sigs] Metasploit - CVE-2012-1823 - Snort Sleeping

James Lay jlay at ...3266...
Fri Apr 26 17:12:12 EDT 2013


On 2013-04-26 15:03, Alex McDonnell wrote:
> Alerts for me, please attach your configuration as Nathan asked.
>
> Alex McDonnell

Doesn't fire for me... here's what I put for variables:

ipvar HOME_NET 192.168.0.0/24
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS 192.168.0.0/24
ipvar SMTP_SERVERS 192.168.0.0/24
ipvar HTTP_SERVERS 192.168.0.0/24
ipvar SQL_SERVERS 192.168.0.0/24
ipvar TELNET_SERVERS 192.168.0.0/24
ipvar SSH_SERVERS 192.168.0.0/24
ipvar FTP_SERVERS 192.168.0.0/24
ipvar SIP_SERVERS 192.168.0.0/24

All three of those are enabled:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; content:"auto_prepend_file"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22063; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI command injection attempt"; flow:to_server,established; content:".php?"; http_uri; content:"-s"; nocase; http_uri; content:!"="; http_raw_uri; pcre:"/\x2ephp\x3f\s*-s/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22064; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI command injection attempt"; flow:to_server,established; content:"-s"; http_uri; content:!"="; http_raw_uri; pcre:"/\x3F\s*?-s/Ui"; metadata:service http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22097; rev:5;)


Ran with -k none as well.

James
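To check which of the three rules in the message above would fire on a given request URI, here is an added Python re-implementation of their content/pcre checks. It is not code from the thread or from Snort, and it assumes that the http_uri buffer is simply the percent-decoded raw URI, which only approximates Snort's http_inspect normalization.

```python
import re
from urllib.parse import unquote


def normalize_uri(raw_uri: str) -> str:
    """Approximation (assumption): http_raw_uri is the bytes on the wire,
    http_uri is the same string after one round of percent-decoding."""
    return unquote(raw_uri)


def matching_sids(raw_uri: str) -> list:
    """Return the SIDs from the thread whose checks all pass for this URI."""
    uri = normalize_uri(raw_uri)
    hits = []
    # sid 22063: content:"auto_prepend_file"; http_uri; (case-sensitive)
    if "auto_prepend_file" in uri:
        hits.append(22063)
    # sid 22064: ".php?" and "-s" (nocase) in the normalized URI, no "=" in
    # the raw URI, and pcre:"/\x2ephp\x3f\s*-s/Ui" on the normalized URI
    if (".php?" in uri and "-s" in uri.lower() and "=" not in raw_uri
            and re.search(r"\x2ephp\x3f\s*-s", uri, re.IGNORECASE)):
        hits.append(22064)
    # sid 22097: "-s" in the normalized URI (no nocase, so case-sensitive),
    # no "=" in the raw URI, and pcre:"/\x3F\s*?-s/Ui" on the normalized URI
    if ("-s" in uri and "=" not in raw_uri
            and re.search(r"\x3F\s*?-s", uri, re.IGNORECASE)):
        hits.append(22097)
    return hits


# Constructed sample request URIs (not captures from the thread)
SAMPLE_URIS = {
    "/index.php?-s": "CVE-2012-1823 source-disclosure probe",
    "/index.php?-S": "upper-case variant",
    "/index.php?-d+auto_prepend_file": "auto_prepend_file in the query",
    "/index.php?page=1": "ordinary parameter, benign",
    "/assets/app.js": "static file, benign",
}

if __name__ == "__main__":
    for raw, note in SAMPLE_URIS.items():
        print(f"{raw:34} {note:38} -> {matching_sids(raw) or 'no match'}")
```

A URI that matches here but produces no alert in Snort points at the preprocessing side (http_inspect, $HTTP_PORTS, variable definitions) rather than at the rule bodies themselves.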
