[Snort-users] Odd alert on /bin/chmod rule

GJ Philput gjphilput at ...131...
Mon Feb 23 11:27:05 EST 2004


Hello,
I am hoping that someone can shed some light on an
unusual capture that I got from the WEB-ATTACKS chmod
command attempt rule in Snort 2.1.  According to the
rule, this rule should only alert if it finds
/bin/chmod/ in the packet.  I have gotten several
alerts on this rule that are just SYN packets and
don't contain a payload, let alone /bin/chmod/.  Does
anyone know why this might be happening?  I have
included the rule, and the alert below.  Sensitive
information has been changed to protect the guilty.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt";
flow:to_server,established;
content:"/bin/chmod";nocase; sid:1336;
classtype:web-application-attack; rev:4;)


Generated by ACID x.x.x on Mon, 23 Feb 2004 13:23:13 -0500
------------------------------------------------------------------------
#(4 - 19383) [2004-02-22 04:12:17] [snort/1336] WEB-ATTACKS chmod command attempt
IPv4: xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
  hlen=5 TOS=0 dlen=48 ID=19428 flags=0 offset=0 TTL=113 chksum=44886
TCP: port=2434 -> dport: 1080
  flags=******S* seq=3183296326 ack=0 off=7 res=0 win=64240 urp=0 chksum=28387
  Options:
    #1 - MSS len=2 data=05B4
    #2 - NOP len=0
    #3 - NOP len=0
    #4 - SACKOK len=0
Payload: none

James

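An added triage check, written for this thread and not part of the original post or of Snort/ACID: it parses the rule and the ACID dump quoted above and lists which of the rule's own match conditions (flow:established, content with nocase) the logged packet could not have satisfied, so alerts like this bare SYN can be flagged for review automatically. The handling of the "Payload:" field is an assumption about ACID's output format.

```python
import re

# Constructed test input: the rule and the ACID alert as quoted in the post
# (addresses were already masked by the poster).
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-ATTACKS chmod command attempt"; flow:to_server,established; '
        'content:"/bin/chmod"; nocase; sid:1336; classtype:web-application-attack; rev:4;)')
ALERT = ("[snort/1336] WEB-ATTACKS chmod command attempt "
         "IPv4: xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx hlen=5 TOS=0 dlen=48 ID=19428 "
         "flags=0 offset=0 TTL=113 TCP: port=2434 -> dport: 1080 flags=******S* "
         "seq=3183296326 ack=0 off=7 res=0 win=64240 urp=0 Payload: none")

# ACID prints TCP flags as an 8-character field in the order 1 2 U A P R S F.
FLAG_ORDER = "12UAPRSF"

def parse_rule(rule):
    """Extract the option fields this check needs from a Snort rule."""
    flow = re.search(r"flow:([^;]*);", rule)
    return {
        "content": re.search(r'content:"([^"]*)"', rule).group(1),
        "nocase": bool(re.search(r"\bnocase;", rule)),
        "flow": flow.group(1).split(",") if flow else [],
    }

def parse_alert(text):
    """Extract TCP flags, destination port and payload from an ACID alert dump."""
    raw_flags = re.search(r"flags=([A-Z12*]{8})", text).group(1)  # skips IP 'flags=0'
    payload = re.search(r"Payload:\s*(.*)", text, re.S).group(1).strip()
    return {
        "flags": {f for f, c in zip(FLAG_ORDER, raw_flags) if c != "*"},
        "dport": int(re.search(r"dport:\s*(\d+)", text).group(1)),
        # Assumption: ACID shows "none" for an empty payload, otherwise the raw bytes.
        "payload": "" if payload.lower() == "none" else payload,
    }

def check_alert(rule, alert_text):
    """Return the rule conditions the logged packet could not satisfy; [] means consistent."""
    opts, pkt = parse_rule(rule), parse_alert(alert_text)
    reasons = []
    if "established" in opts["flow"] and "A" not in pkt["flags"]:
        reasons.append(f"flow:established needs ACK, packet flags are {sorted(pkt['flags'])}")
    needle, hay = opts["content"], pkt["payload"]
    if opts["nocase"]:
        needle, hay = needle.lower(), hay.lower()
    if needle not in hay:
        reasons.append(f"content {opts['content']!r} absent from {len(hay)}-byte payload")
    return reasons
```

For the packet quoted in the post, check_alert reports both a missing ACK and an empty payload, which is exactly the inconsistency the question describes.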