[Snort-users] more rules...

Brian Caswell bmc at ...312...
Sat Mar 24 02:41:29 EST 2001

Add a few `\` line-continuation characters in there to actually make the previous rule I sent work.

Attached are a number of rules I have been working on tonight. All of them are
HTTP-based rules.

Brian Caswell
The MITRE Corporation
-------------- next part --------------
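# WEB-MISC: WebDAV PROPFIND request body, i.e. an <a:propfind> element that declares the
# DAV: namespace.  PROPFIND is ordinary WebDAV traffic, so this is a visibility ("access")
# rule rather than an exploit signature.  Colons inside content strings are escaped with
# a backslash, as elsewhere in this file; the namespace token is therefore written DAV\:
# (the escape belongs on the colon).  The rule is closed with ")" on its last line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav propfind access"; \
   flags:A+; content:"<a\:propfind"; nocase; \
   content:"xmlns\:a=\"DAV\:\">"; nocase;)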

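# WEB-CGI: aspseek s.cgi overflow attempt — a /cgi-bin/s.cgi request with a tmpl=
# parameter and a run of six 0x90 bytes somewhere in the payload.  Reference: bugtraq 2492.
# Every continuation line ends in a bare "\" — trailing whitespace after the backslash
# would break the line join.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI aspseek overflow attempt"; \
   flags:A+; content:"/cgi-bin/s.cgi"; nocase; content:"tmpl="; \
   content:"|90 90 90 90 90 90|"; reference:bugtraq,2492;)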

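# WEB-IIS: WebDAV SEARCH request whose <D:sql> body selects DAV:displayname with a
# SCOPE() clause.  dsize:>1000 limits the rule to large payloads and is checked first
# because it is the cheapest test.  The rule is closed with ")" on its last line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS WEBDAV Search DOS attempt"; \
   flags:A+; dsize:>1000; content:"SEARCH"; nocase; content:"<D\:sql>"; nocase; \
   content:"SELECT"; nocase; content:"DAV\:displayname"; nocase; \
   content:"from.SCOPE("; nocase;)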

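# WEB-CGI: ikonboard help.cgi file disclosure — a /cgi-bin/ikonboard/help.cgi request
# containing a "../" traversal and an encoded NUL byte (%00).  Reference: bugtraq 2471.
# msg is kept on one line so that continuation padding cannot end up inside the alert
# text, and every continuation line ends in a bare "\".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI ikonboard file disclosure attempt"; \
   flags:A+; content:"/cgi-bin/ikonboard/help.cgi"; nocase; content:"../"; \
   content:"%00"; reference:bugtraq,2471;)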

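# WEB-CGI: newsdesk.cgi directory traversal — a /cgi-bin/newsdesk.cgi request with a t=
# parameter and a "../../" sequence.  Reference: CAN-2001-0231.
# msg is kept on one line so that continuation padding cannot end up inside the alert text.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI newsdesk directory traversal attempt"; \
   flags:A+; content:"/cgi-bin/newsdesk.cgi"; nocase; content:"t="; nocase; \
   content:"../../"; nocase; reference:cve,CAN-2001-0231;)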

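# WEB-CGI: Brightstation Muscat path disclosure — a /cgi-bin/empower request with a DB=
# parameter.  References: CAN-2001-0224, bugtraq 2374.
# msg is kept on one line so that continuation padding cannot end up inside the alert text.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI Brightstation Muscat path disclosure access"; \
   flags:A+; content:"/cgi-bin/empower"; nocase; content:"DB="; nocase; \
   reference:cve,CAN-2001-0224; reference:bugtraq,2374;)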

# WEB-MISC: WebPALS command attempt — a /pals-cgi request carrying a documentName=
# parameter.  References: CAN-2001-0216, bugtraq 2372.  One option per line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC WebPALS command attempt"; \
   content:"/pals-cgi"; nocase; \
   content:"documentName="; nocase; \
   flags:A+; \
   reference:cve,CAN-2001-0216; \
   reference:bugtraq,2372;)

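# WEB-MISC: ROADS search.pl file disclosure — a /ROADS/cgi-bin/search.pl request with a
# form= parameter and an encoded NUL byte (%00).  References: CAN-2001-0215, bugtraq 2371.
# msg is kept on one line so that continuation padding cannot end up inside the alert text.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC ROADS file disclosure attempt"; \
   flags:A+; content:"/ROADS/cgi-bin/search.pl"; nocase; content:"form="; nocase; \
   content:"%00"; reference:cve,CAN-2001-0215; reference:bugtraq,2371;)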

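# WEB-MISC: way-board.cgi file disclosure — a /way-board/way-board.cgi request with a db=
# parameter and an encoded NUL byte (%00).  References: CAN-2001-0214, bugtraq 2370.
# msg is kept on one line so that continuation padding cannot end up inside the alert text.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC way-board file disclosure attempt"; \
   flags:A+; content:"/way-board/way-board.cgi"; nocase; content:"db="; nocase; \
   content:"%00"; reference:cve,CAN-2001-0214; reference:bugtraq,2370;)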

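# WEB-CGI: PlanetIntra buffer overflow attempt — a /cgi-bin/pi request with an id=
# parameter in a payload larger than 1000 bytes.  dsize is checked first because it is
# the cheapest test.  msg is kept on one line, the continuation line ends in a bare "\",
# and the rule is closed with ")".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI PlanetIntra buffer overflow attempt"; \
   flags:A+; dsize:>1000; content:"/cgi-bin/pi"; nocase; content:"id="; nocase;)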

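# WEB-CGI: HIS Auktion auktion.pl directory traversal — a /cgi-bin/auktion.pl request
# with a menue= parameter and a "../../" sequence.  References: bugtraq 2367,
# CAN-2001-0212.  msg is kept on one line so that continuation padding cannot end up
# inside the alert text.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI HIS Auktion directory traversal attempt"; \
   flags:A+; content:"/cgi-bin/auktion.pl"; nocase; content:"menue="; nocase; \
   content:"../../"; reference:bugtraq,2367; reference:cve,CAN-2001-0212;)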

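# WEB-CGI: WebSPIRS file disclosure — a /cgi-bin/webspirs.cgi request whose
# sp.nextform= parameter starts with "../../".  References: bugtraq 2362, CAN-2001-0211.
# msg is kept on one line so that continuation padding cannot end up inside the alert text.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI WebSPIRS File Disclosure attempt"; \
   flags:A+; content:"/cgi-bin/webspirs.cgi"; nocase; \
   content:"sp.nextform=../../"; nocase; \
   reference:bugtraq,2362; reference:cve,CAN-2001-0211;)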

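# WEB-CGI: commerce.cgi directory traversal — a /commerce.cgi request whose page=
# parameter starts with "../../", followed by an encoded NUL byte (%00).
# References: bugtraq 2361, CAN-2001-0210.
# msg is kept on one line so that continuation padding cannot end up inside the alert text.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI commerce.cgi Directory Traversal attempt"; \
   flags:A+; content:"/commerce.cgi"; nocase; content:"page=../../"; nocase; \
   content:"%00"; reference:bugtraq,2361; reference:cve,CAN-2001-0210;)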

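# WEB-MISC: OmniHTTPD statsconfig.pl — a /cgi-bin/statsconfig.pl request containing an
# encoded NUL byte (%00).  msg is kept on one line so that continuation padding cannot
# end up inside the alert text, and the rule is closed with ")".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC OmniHTTPD command Execution attempt"; \
   flags:A+; content:"/cgi-bin/statsconfig.pl"; nocase; content:"%00"; nocase;)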

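# WEB-MISC: technote main.cgi file disclosure — a /technote/main.cgi request with a
# filename= parameter and a "../../" sequence.  Reference: CAN-2001-0075.
# msg is kept on one line so that continuation padding cannot end up inside the alert
# text, and the rule is closed with ")".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC technote main.cgi file disclosure attempt"; \
   flags:A+; content:"/technote/main.cgi"; nocase; content:"filename="; nocase; \
   content:"../../"; reference:cve,CAN-2001-0075;)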

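# WEB-MISC: technote print.cgi file disclosure — a /technote/print.cgi request with a
# board= parameter, a "../../" sequence and an encoded NUL byte (%00).
# Reference: CAN-2001-0075.  msg is kept on one line so that continuation padding cannot
# end up inside the alert text, and the rule is closed with ")".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC technote print.cgi file disclosure attempt"; \
   flags:A+; content:"/technote/print.cgi"; nocase; content:"board="; nocase; \
   content:"../../"; content:"%00"; reference:cve,CAN-2001-0075;)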

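# WEB-MISC: ads.cgi command execution — an /ads.cgi request with a file= parameter, a
# "../../" sequence and a literal "|" (escaped, because an unescaped "|" opens a hex byte
# sequence inside content).  References: CAN-2001-0025, bugtraq 2103.
# msg is kept on one line so that continuation padding cannot end up inside the alert text.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC ads.cgi command execution attempt"; \
   flags:A+; content:"/ads.cgi"; nocase; content:"file="; nocase; \
   content:"../../"; content:"\|"; \
   reference:cve,CAN-2001-0025; reference:bugtraq,2103;)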
