[Snort-users] My first rule on the way :)
janfrode at ...105...
Tue Jul 25 05:53:28 EDT 2000
After seeing that Max Vision is doing a survey on why so few users have
submitted signatures for the arachNIDS database, I started looking into
writing one for the recent SGI InfoSearch fname Vulnerability.
The signature of it is something like:
but the arguments to the cgi-script might come in a different order, so what
I would like to catch is packets with
"GET /cgi-bin/infosrch.cgi?" and then "fname=|".
Is that possible without writing one rule for every combination of the
argument line, or should I just match on "fname=|" within depth=X?
I was thinking of maybe adding a rule to catch all '=|' from the CGI scripts,
that would probably catch a few other CGI exploits as well (old or new).
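
The order-independent match asked about above, sketched in Python as an added example (not part of the original post and not Snort rule syntax): the request path and the `fname` argument are checked separately after parsing the query string, so argument order does not matter, and a broader check flags any `/cgi-bin/` argument whose value starts with `|`. The function name, labels and sample request lines are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/cgi-bin/infosrch.cgi"   # script named in the post

def classify(request_line):
    """Label one HTTP request line; the labels are hypothetical names."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    # parse_qsl percent-decodes names and values, so the comparison is made
    # on the value the CGI script would actually receive.
    params = parse_qsl(url.query, keep_blank_values=True)
    # Specific rule: the target script plus fname=| anywhere in the arguments.
    if url.path == TARGET_PATH and any(
            name == "fname" and value.startswith("|") for name, value in params):
        return "infosrch-fname-pipe"
    # Broad rule: any argument of any cgi-bin script whose value starts with '|'.
    if url.path.startswith("/cgi-bin/") and any(
            value.startswith("|") for _, value in params):
        return "cgi-param-pipe"
    return None

# Constructed sample request lines (placeholder values, not captured traffic).
SAMPLES = [
    "GET /cgi-bin/infosrch.cgi?fname=|PLACEHOLDER&a=1 HTTP/1.0",
    "GET /cgi-bin/infosrch.cgi?a=1&b=2&fname=|PLACEHOLDER HTTP/1.0",
    "GET /cgi-bin/infosrch.cgi?a=1&fname=%7CPLACEHOLDER HTTP/1.0",
    "GET /cgi-bin/infosrch.cgi?a=1&fname=report.txt HTTP/1.0",
    "GET /cgi-bin/other.cgi?file=|PLACEHOLDER HTTP/1.0",
    "GET /index.html?q=a|b HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

The broad rule trades precision for coverage: it fires on any CGI argument that begins with a pipe, so it needs tuning against scripts that legitimately accept such values.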