[Snort-users] Fwd: Re: Cisco HTTP Admin IOS attack signature

Dragos Ruiu dr at ...50...
Fri Jun 29 23:23:09 EDT 2001


And since I'm replying to my own mail and thinking out loud: the trailing "/exec"
check is wholly redundant and only slows snort down, because if you've
seen the level tag before, something's no good for sure, so remove that last
check to get:

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
  content:"GET"; regex:"level/*1[6-9]";  nocase; \
  reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:3;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
  content:"GET"; regex:"level/*[2-9][0-9]"; nocase; \
  reference:bugtraq,2936; classtype:attempted-admin; sid:1100001; rev:3;)

cheers,
--dr
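The two rules above encode one check: a GET whose request target carries a "level/NN" segment with NN between 16 and 99. The following is an added example, not part of the post and not Snort code, that runs that same check in Python over a handful of constructed request lines. It shows the regex form of the rules side by side with a structured parse of the request target, which is what exposes the one place the two disagree: the rule pattern does not anchor the end of the number, so a value like 160 satisfies it even though it is outside 16-99. The sample request lines are made up for this example; only the level range comes from the rules.

```python
import re

# Constructed sample HTTP request lines, shaped like the URLs the two Snort
# rules above are looking for (a "level/NN" segment in a GET request).
SAMPLE_REQUESTS = [
    "GET /level/16/exec/show/config/CR HTTP/1.0",        # lowest level the rules flag
    "GET /level/99/exec/-/show/running-config HTTP/1.0", # highest level the rules flag
    "get /LEVEL/42/exec/show/version HTTP/1.1",          # mixed case, as nocase allows
    "GET /level/15/exec/show/version HTTP/1.0",          # level 15 is below the range
    "GET /exec/show/version HTTP/1.0",                   # no level segment at all
    "POST /level/16/exec HTTP/1.0",                      # not a GET
    "GET /level/160/exec/show/version HTTP/1.0",         # 160: regex and parser disagree
]

# Regex equivalent of the two posted rules combined: "level/" followed by
# 16-19 or 20-99, matched case-insensitively. Like the rules, it does not
# anchor the end of the number.
LEVEL_RE = re.compile(r"level/(?:1[6-9]|[2-9][0-9])", re.IGNORECASE)


def rule_matches(request_line: str) -> bool:
    """Mimic the posted rules: 'GET' anywhere in the payload plus the level pattern."""
    return "GET" in request_line.upper() and LEVEL_RE.search(request_line) is not None


def parse_level(request_line: str):
    """Return the integer following a '/level/' segment of a GET request target, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    if method.upper() != "GET":
        return None
    segments = target.split("/")
    # Look for a 'level' segment immediately followed by an all-digit segment.
    for i in range(len(segments) - 1):
        if segments[i].lower() == "level" and segments[i + 1].isdigit():
            return int(segments[i + 1])
    return None


def is_privileged_level_request(request_line: str) -> bool:
    """Structured check: a GET with /level/NN/ where 16 <= NN <= 99, nothing else."""
    level = parse_level(request_line)
    return level is not None and 16 <= level <= 99


def scan(requests):
    """Evaluate both checks over a list of request lines; returns (line, regex, parsed)."""
    return [(r, rule_matches(r), is_privileged_level_request(r)) for r in requests]


if __name__ == "__main__":
    for line, by_regex, by_parse in scan(SAMPLE_REQUESTS):
        print(f"regex={by_regex!s:5} parsed={by_parse!s:5}  {line}")
```

The regex check is what the rules do and is cheap; the structured check is the one to reach for when a false positive on an out-of-range number matters, and it also confirms the point in the post that the trailing "/exec" adds nothing once the level segment has been seen.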



