
List:       snort-cvs
Subject:    [snort-cvs] CVS: snort sid-ref.map,NONE,1.1 dos.rules,1.7,1.8 exploit.rules,1.11,1.12 sid-msg.map,1.
From:       Brian Caswell <cazz () users ! sourceforge ! net>
Date:       2001-07-26 18:43:54

Update of /cvsroot/snort/snort
In directory usw-pr-cvs1:/tmp/cvs-serv21237

Modified Files:
	dos.rules exploit.rules sid-msg.map smtp.rules web-cgi.rules 
	web-coldfusion.rules web-frontpage.rules web-iis.rules 
	web-misc.rules 
Added Files:
	sid-ref.map 
Log Message:
* Added SID->reference maps (sid-ref.map)
* Added BIDs to a few zillion rules.  Thanks to the guys at SF for the data


***** Error reading new file[Errno 2] No such file or directory: 'sid-ref.map'
Index: dos.rules
===================================================================
RCS file: /cvsroot/snort/snort/dos.rules,v
retrieving revision 1.7
retrieving revision 1.8
diff -C2 -r1.7 -r1.8
*** dos.rules	2001/06/11 15:29:29	1.7
--- dos.rules	2001/07/26 18:43:51	1.8
***************
*** 13,19 ****
  alert tcp $EXTERNAL_NET any <> any any (msg:"DOS NAPTHA"; flags:S; seq: 6060842; \
id: 413; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; \
classtype:attempted-dos; sid:275; rev:1;)  alert tcp $EXTERNAL_NET any -> $HOME_NET \
7070 (msg:"DOS Real Audio Server"; flags: A+; content: "|fff4 fffd \
                06|";reference:arachnids,411; classtype:attempted-dos; sid:276; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; \
flags: A+; content:"/viewsource/template.html?"; nocase;reference:bugtraq,1288; \
                classtype:attempted-dos; sid:277; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; \
flags: A+; content:"/viewsource/template.html?"; nocase;reference:bugtraq,1288; \
                classtype:attempted-dos; sid:278; rev:1;)
! alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; \
dsize:0; reference:bugtraq,1009; classtype:attempted-dos; sid:279; rev:1;)  alert \
icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath0"; content: "+++ath0"; nocase; \
itype: 8; reference:arachnids,264; classtype:attempted-dos; sid:280; rev:1;)  alert \
udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content: "|4e 41 4d 45 \
4e 41 4d 45|"; offset: 25; depth: 50; reference:cve,CVE-1999-0060; \
                reference:arachnids,262; classtype:attempted-dos; sid:281; rev:1;)
--- 13,19 ----
  alert tcp $EXTERNAL_NET any <> any any (msg:"DOS NAPTHA"; flags:S; seq: 6060842; \
id: 413; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; \
classtype:attempted-dos; sid:275; rev:1;)  alert tcp $EXTERNAL_NET any -> $HOME_NET \
7070 (msg:"DOS Real Audio Server"; flags: A+; content: "|fff4 fffd \
                06|";reference:arachnids,411; classtype:attempted-dos; sid:276; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; \
flags: A+; content:"/viewsource/template.html?"; nocase; reference:cve,CVE-2000-0474; \
                reference:bugtraq,1288; classtype:attempted-dos; sid:277; rev:2;)
! alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; \
flags: A+; content:"/viewsource/template.html?"; nocase; reference:cve,CVE-2000-0474; \
                reference:bugtraq,1288; classtype:attempted-dos; sid:278; rev:2;)
! alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; \
dsize:0; reference:bugtraq,1009; reference:cve,CVE-2000-0221; \
classtype:attempted-dos; sid:279; rev:2;)  alert icmp $EXTERNAL_NET any -> $HOME_NET \
any (msg:"DOS ath0"; content: "+++ath0"; nocase; itype: 8; reference:arachnids,264; \
classtype:attempted-dos; sid:280; rev:1;)  alert udp $EXTERNAL_NET any -> $HOME_NET 9 \
(msg:"DOS Ascend Route"; content: "|4e 41 4d 45 4e 41 4d 45|"; offset: 25; depth: 50; \
reference:cve,CVE-1999-0060; reference:arachnids,262; classtype:attempted-dos; \
sid:281; rev:1;)
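
Review bot: The references added on the new side are ordered inconsistently: sid 277 and sid 278 place `reference:cve,CVE-2000-0474` before `reference:bugtraq,1288`, while sid 279 places `reference:bugtraq,1009` before `reference:cve,CVE-2000-0221`. Pick one order for the file so that later diffs of reference changes stay small and a generated reference map lists sources in a predictable sequence. The rev bumps to 2 on all three changed rules look right.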

Index: exploit.rules
===================================================================
RCS file: /cvsroot/snort/snort/exploit.rules,v
retrieving revision 1.11
retrieving revision 1.12
diff -C2 -r1.11 -r1.12
*** exploit.rules	2001/06/17 00:19:48	1.11
--- exploit.rules	2001/07/26 18:43:51	1.12
***************
*** 24,39 ****
  alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flags: \
A+; content: "|43 07 89 5B 08 8D 4B 08 89 43 0C B0 0B CD 80 31 C0 FE C0 CD 80 E8 94 \
FF FF FF 2F 62 69 6E 2F 73 68 0A|"; reference:bugtraq,1712; \
classtype:attempted-admin; sid:301; rev:1;)  alert tcp $EXTERNAL_NET any -> $HOME_NET \
515 (msg:"EXPLOIT redhat 7.0 lprd overflow"; flags: A+; content:"|58 58 58 58 25 2E \
                31 37 32 75 25 33 30 30 24 6E|"; classtype:attempted-admin; sid:302; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig infoleak"; \
content: "|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; \
reference:arachnids,482; classtype:attempted-admin; sid:303; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT sco calserver overflow";flags: A+; \
content:"|eb7f 5d55 fe4d 98fe 4d9b|"; classtype:attempted-admin; sid:304; rev:1;)  \
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; \
content: "whois|3a|//"; nocase; flags: A+; dsize: >1000; reference:arachnids,267; \
                classtype:attempted-admin; sid:305; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flags: \
A+; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; \
classtype:attempted-admin; sid:306; rev:1;)  alert tcp $EXTERNAL_NET any -> $HOME_NET \
any (msg:"EXPLOIT IRC client overflow";flags: A+; content:"|eb 4b 5b 53 32 e4 83 c3 \
0b 4b 88 23 b8 50 77|"; reference:cve,CVE-1999-0672; reference:bugtraq,573; \
                classtype:attempted-user; sid:307; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT NextFTP client \
overflow";flags: A+; content:"|b420 b421 8bcc 83e9 048b 1933 c966 b910|"; \
reference:cve,CVE-1999-0671; classtype:attempted-user; sid:308; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $SMTP 25 (msg:"EXPLOIT sniffit overflow"; flags: A+; content: \
"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; dsize: >512; \
                reference:arachnids,273; classtype:attempted-admin; sid:309; rev:1;)
! alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"EXPLOIT x86 windows MailMax \
overflow";flags: A+; content:"|eb45 eb20 5bfc 33c9 b182 8bf3 802b|"; \
reference:cve,CVE-1999-0404; classtype:attempted-admin; sid:310; rev:1;)  alert tcp \
$HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT netscape 4.7 unsucessful overflow"; \
content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: A+; \
reference:arachnids,214; classtype:unsuccessful-user; sid:311; rev:1;)  alert udp \
$EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize: \
>128; reference:arachnids,492; classtype:attempted-admin; sid:312; rev:1;)  alert udp \
> $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 linux overflow"; \
> content:"|0103 0000 0000 0001 0002 02e8|"; classtype:attempted-admin; sid:313; \
> rev:1;)
! alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT BIND Tsig Overflow \
Attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; \
classtype:attempted-admin; sid:314; rev:1;)  alert udp $EXTERNAL_NET any -> $HOME_NET \
635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|5eb0 0289 06fe c889 4604 b006 \
8946|"; reference:cve,CVE-1999-0002; classtype:attempted-admin; sid:315; rev:1;)  \
alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd \
overflow"; content:"|eb56 5E56 5656 31d2 8856 0b88 561e|"; \
                reference:cve,CVE-1999-0002; classtype:attempted-admin; sid:316; \
                rev:1;)
--- 24,39 ----
  alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flags: \
A+; content: "|43 07 89 5B 08 8D 4B 08 89 43 0C B0 0B CD 80 31 C0 FE C0 CD 80 E8 94 \
FF FF FF 2F 62 69 6E 2F 73 68 0A|"; reference:bugtraq,1712; \
classtype:attempted-admin; sid:301; rev:1;)  alert tcp $EXTERNAL_NET any -> $HOME_NET \
515 (msg:"EXPLOIT redhat 7.0 lprd overflow"; flags: A+; content:"|58 58 58 58 25 2E \
                31 37 32 75 25 33 30 30 24 6E|"; classtype:attempted-admin; sid:302; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig infoleak"; \
content: "|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; \
reference:cve,CAN-2000-10; reference:bugtraq,2302; reference:arachnids,482; \
classtype:attempted-admin; sid:303; rev:2;)  alert tcp $EXTERNAL_NET any -> $HOME_NET \
6373 (msg:"EXPLOIT sco calserver overflow";flags: A+; content:"|eb7f 5d55 fe4d 98fe \
4d9b|"; classtype:attempted-admin; sid:304; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; content: "whois|3a|//"; \
nocase; flags: A+; dsize: >1000; reference:arachnids,267; classtype:attempted-admin; \
                sid:305; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flags: \
A+; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; \
reference:cve,CAN-2000-0766; classtype:attempted-admin; sid:306; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT IRC client overflow";flags: A+; \
content:"|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8 50 77|"; \
reference:cve,CVE-1999-0672; reference:bugtraq,573; classtype:attempted-user; \
                sid:307; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT NextFTP client \
overflow";flags: A+; content:"|b420 b421 8bcc 83e9 048b 1933 c966 b910|"; \
reference:bugtraq,572; reference:cve,CVE-1999-0671; classtype:attempted-user; \
sid:308; rev:2;)  alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"EXPLOIT sniffit \
overflow"; flags: A+; content: "from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; \
                dsize: >512; reference:arachnids,273; classtype:attempted-admin; \
                sid:309; rev:1;)
! alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"EXPLOIT x86 windows MailMax \
overflow";flags: A+; content:"|eb45 eb20 5bfc 33c9 b182 8bf3 802b|"; \
reference:bugtraq,2312; reference:cve,CVE-1999-0404; classtype:attempted-admin; \
sid:310; rev:2;)  alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT netscape \
4.7 unsucessful overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 \
50|"; flags: A+; reference:arachnids,214; classtype:unsuccessful-user; sid:311; \
rev:1;)  alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow \
attempt"; dsize: >128; reference:arachnids,492; classtype:attempted-admin; sid:312; \
rev:1;)  alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 linux \
overflow"; content:"|0103 0000 0000 0001 0002 02e8|"; classtype:attempted-admin; \
                sid:313; rev:1;)
! alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT BIND Tsig Overflow \
Attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; \
classtype:attempted-admin; sid:314; rev:2; reference:cve,CAN-2000-10; \
reference:bugtraq,2302;)  alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT \
x86 linux mountd overflow"; content:"|5eb0 0289 06fe c889 4604 b006 8946|"; \
reference:cve,CVE-1999-0002; classtype:attempted-admin; sid:315; rev:1;)  alert udp \
$EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; \
content:"|eb56 5E56 5656 31d2 8856 0b88 561e|"; reference:cve,CVE-1999-0002; \
classtype:attempted-admin; sid:316; rev:1;)
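
Review bot: `reference:cve,CAN-2000-10` on sid 303 and sid 314 lacks the four-digit sequence number that every other CVE reference in this hunk carries (`CAN-2000-0766`, `CVE-1999-0672`, `CVE-1999-0404`), so it looks truncated and is unlikely to resolve in any lookup built from it; please check the identifier against the source data for bugtraq 2302 before this ships. On sid 314 the two new references were also appended after `rev:2;` instead of ahead of `classtype`, which differs from the option order used by the other rules changed here.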

Index: sid-msg.map
===================================================================
RCS file: /cvsroot/snort/snort/sid-msg.map,v
retrieving revision 1.11
retrieving revision 1.12
diff -C2 -r1.11 -r1.12
*** sid-msg.map	2001/07/20 12:46:39	1.11
--- sid-msg.map	2001/07/26 18:43:51	1.12
***************
*** 745,749 ****
  840 || WEB-CGI perlshop.cgi access
  841 || WEB-CGI pfdisplay.cgi access
! 842 || WEB-CGI aglimpse access
  843 || WEB-CGI anform2 access
  844 || WEB-CGI args.bat access
--- 745,749 ----
  840 || WEB-CGI perlshop.cgi access
  841 || WEB-CGI pfdisplay.cgi access
! 842 || WEB-CGI aglimpse access || bugtraq,2026 || cve,CVE-1999-0147
  843 || WEB-CGI anform2 access
  844 || WEB-CGI args.bat access
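
Review bot: Entry 842 is the only line in this range that gains reference fields, which leaves the map out of step with the rules: 841 and 843 stay message-only here although their rules in web-cgi.rules carry `cve,CVE-1999-0270` and `cve,CVE-1999-0066` with `arachnids,225`. Since the log message says references now live in the new sid-ref.map, either keep sid-msg.map message-only and drop the fields from 842, or regenerate the whole file from the rules so every entry is treated the same way.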

Index: smtp.rules
===================================================================
RCS file: /cvsroot/snort/snort/smtp.rules,v
retrieving revision 1.6
retrieving revision 1.7
diff -C2 -r1.6 -r1.7
*** smtp.rules	2001/06/11 15:29:30	1.6
--- smtp.rules	2001/07/26 18:43:51	1.7
***************
*** 13,18 ****
  alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP majordomo ifs";flags: A+; \
content:"eply-to|3a| a~.`/bin/"; reference:cve,CVE-1999-0208; \
reference:arachnids,143; classtype:attempted-admin; sid:661; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.5.5 exploit";flags: A+; \
content:"mail from|3a20227c|"; nocase; reference:arachnids,119; \
                classtype:attempted-admin; sid:662; rev:1;)
! alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.5.8 overflow"; flags: \
A+; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|";  \
reference:arachnids,171; reference:cve,CVE-1999-0095; classtype:attempted-admin; \
                sid:663; rev:1;)
! alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.6.4 exploit";flags: \
A+; content:"rcpt to|3a| decode"; nocase; reference:arachnids,121; \
classtype:attempted-admin; sid:664; rev:1;)  alert tcp $EXTERNAL_NET any -> $SMTP 25 \
(msg:"SMTP sendmail 5.6.5 exploit";flags: A+; content:"MAIL \
FROM|3a207c|/usr/ucb/tail"; nocase; reference:arachnids,122; \
classtype:attempted-user; sid:665; rev:1;)  alert tcp $EXTERNAL_NET any -> $SMTP 25 \
(msg:"SMTP sendmail 8.4.1 exploit";flags: A+; content:"rcpt to|3a207c| sed \
'1,/^$/d'|7c|"; nocase;reference:arachnids,120; classtype:attempted-user; sid:666; \
                rev:1;)
--- 13,18 ----
  alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP majordomo ifs";flags: A+; \
content:"eply-to|3a| a~.`/bin/"; reference:cve,CVE-1999-0208; \
reference:arachnids,143; classtype:attempted-admin; sid:661; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.5.5 exploit";flags: A+; \
content:"mail from|3a20227c|"; nocase; reference:arachnids,119; \
                classtype:attempted-admin; sid:662; rev:1;)
! alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.5.8 overflow"; flags: \
A+; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|";  \
reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; \
                sid:663; rev:1;)
! alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.6.4 exploit";flags: \
A+; content:"rcpt to|3a| decode"; nocase; reference:arachnids,121; \
classtype:attempted-admin; sid:664; rev:2;)  alert tcp $EXTERNAL_NET any -> $SMTP 25 \
(msg:"SMTP sendmail 5.6.5 exploit";flags: A+; content:"MAIL \
FROM|3a207c|/usr/ucb/tail"; nocase; reference:arachnids,122; \
classtype:attempted-user; sid:665; rev:1;)  alert tcp $EXTERNAL_NET any -> $SMTP 25 \
(msg:"SMTP sendmail 8.4.1 exploit";flags: A+; content:"rcpt to|3a207c| sed \
'1,/^$/d'|7c|"; nocase;reference:arachnids,120; classtype:attempted-user; sid:666; \
rev:1;)
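
Review bot: The rev bump appears to have landed on the wrong rule. Sid 663 changes `reference:arachnids,171` to `reference:arachnids,172` but stays at `rev:1`, while sid 664 goes from `rev:1` to `rev:2` with no other visible change to its text. Move the bump to sid 663 and leave sid 664 at rev 1, and confirm that 172 is the intended arachnids id, because the log message mentions only added BIDs and not corrected arachnids references.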

Index: web-cgi.rules
===================================================================
RCS file: /cvsroot/snort/snort/web-cgi.rules,v
retrieving revision 1.10
retrieving revision 1.11
diff -C2 -r1.10 -r1.11
*** web-cgi.rules	2001/06/11 15:29:30	1.10
--- web-cgi.rules	2001/07/26 18:43:51	1.11
***************
*** 16,22 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webplus version \
access"; flags: A+; uricontent: "/webplus?about "; \
nocase;reference:arachnids,470;classtype:attempted-recon; sid:812; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webplus directory trasversal"; \
flags: A+; uricontent: "/webplus?script"; nocase; content: \
                "../";reference:arachnids,471;classtype:attempted-recon; sid:813; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webgais access"; \
flags: A+; uricontent: "/webgais"; \
                nocase;reference:arachnids,472;classtype:attempted-recon; sid:814; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI websendmail access"; \
flags: A+; uricontent: "/websendmail"; \
                nocase;reference:arachnids,469;classtype:attempted-recon; sid:815; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI windmail access"; \
flags: A+; uricontent: "/windmail.exe?"; nocase; content: \
"-n";reference:arachnids,465;classtype:attempted-recon; sid:816; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI dcforum.cgi invalid user addition \
attempt"; flags:A+; uricontent:"/dcboard.cgi"; content:"command=register"; \
content:"%7cadmin"; classtype:attempted-admin; sid:817; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI dcforum.cgi access"; flags: A+; \
                uricontent:"/dcforum.cgi"; flags:a+;classtype:attempted-recon; \
                sid:818; rev:1;)
--- 16,20 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webplus version \
access"; flags: A+; uricontent: "/webplus?about "; \
nocase;reference:arachnids,470;classtype:attempted-recon; sid:812; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webplus directory trasversal"; \
flags: A+; uricontent: "/webplus?script"; nocase; content: \
                "../";reference:arachnids,471;classtype:attempted-recon; sid:813; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI websendmail access"; \
flags: A+; uricontent: "/websendmail"; nocase; reference:cve,CVE-1999-0196; \
reference:arachnids,469; reference:bugtraq,2077; classtype:attempted-recon; sid:815; \
rev:2;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI dcforum.cgi \
invalid user addition attempt"; flags:A+; uricontent:"/dcboard.cgi"; \
content:"command=register"; content:"%7cadmin"; classtype:attempted-admin; sid:817; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI dcforum.cgi \
access"; flags: A+; uricontent:"/dcforum.cgi"; flags:a+;classtype:attempted-recon; \
                sid:818; rev:1;)
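
Review bot: Sid 814 and sid 816 disappear on the new side, and the log message mentions only added references. Sid 814 duplicated the `/webgais` match of sid 838, which picks up `reference:arachnids,472` later in this file, so that removal is a merge. Sid 816 ("WEB-CGI windmail access", `uricontent: "/windmail.exe?"` with `content: "-n"`, `reference:arachnids,465`) has no visible replacement in this diff, so detection for it is dropped. Restore sid 816, or state in the log message that it was removed deliberately and where the coverage now lives.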
***************
*** 24,63 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI anaconda directory \
transversal attempt"; flags: A+; uricontent:"/apexec.pl"; content:"template=../"; \
nocase; reference:cve,CVE-2000-0975; \
reference:bugtraq,2388;classtype:attempted-recon; sid:820; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI imagemap overflow attempt"; \
dsize: >1000; flags: A; uricontent: "/imagemap.exe?"; depth: 32; nocase; \
                reference:arachnids,412;classtype:attempted-recon; sid:821; rev:1;)
- alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI infosearch fname"; \
flags: A+; uricontent: \
"fname=|7c|";reference:arachnids,290;classtype:attempted-recon; sid:822; rev:1;)  \
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI cvsweb.cgi access"; \
flags: A+; uricontent:"/cvsweb.cgi"; nocase; reference:cve,CVE-2000-0670; \
reference:bugtraq,1469;classtype:attempted-recon; sid:823; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI php access";flags: A+; \
uricontent:"/php.cgi"; nocase; reference:arachnids,232;classtype:attempted-recon; \
sid:824; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI \
glimpse access";flags: A+; uricontent:"/glimpse"; nocase;classtype:attempted-recon; \
                sid:825; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI htmlscript \
access";flags: A+; uricontent:"/htmlscript"; nocase; \
                reference:cve,CVE-1999-0264;classtype:attempted-recon; sid:826; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI info2www \
access";flags: A+; uricontent:"/info2www"; nocase; \
reference:cve,CVE-1999-0266;classtype:attempted-recon; sid:827; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI maillist.pl access";flags: A+; \
uricontent:"/maillist.pl"; nocase;classtype:attempted-recon; sid:828; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI nph-test-cgi access";flags: \
A+; uricontent:"/nph-test-cgi"; nocase; reference:arachnids,224; \
reference:cve,CVE-1999-0045;classtype:attempted-recon; sid:829; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI NPH-publish access";flags: A+; \
                uricontent:"/nph-publish"; nocase;classtype:attempted-recon; sid:830; \
                rev:1;)
- alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI websendmail \
access";flags: A+; uricontent:"/websendmail"; nocase; \
reference:cve,CVE-1999-0196;classtype:attempted-recon; sid:831; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI perl.exe access";flags: A+; \
uricontent:"/perl.exe"; nocase; reference:arachnids,219;classtype:attempted-recon; \
                sid:832; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI rguest.exe \
access";flags: A+; uricontent:"/rguest.exe"; nocase; \
reference:cve,CAN-1999-0467;classtype:attempted-recon; sid:833; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI rwwwshell.pl  access";flags: A+; \
uricontent:"/rwwwshell.pl"; nocase;classtype:attempted-recon; sid:834; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI test-cgi access"; flags: A+; \
uricontent:"/test-cgi"; nocase; reference:cve,CVE-1999-0070; \
reference:arachnids,218;classtype:attempted-recon; sid:835; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI testcounter.pl access";flags: A+; \
uricontent:"/textcounter.pl"; nocase;classtype:attempted-recon; sid:836; rev:1;)  \
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI uploader.exe \
access";flags: A+; uricontent:"/uploader.exe"; \
                nocase;reference:cve,CVE-1999-0177;classtype:attempted-recon; \
                sid:837; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webgais \
access";flags: A+; uricontent:"/webgais"; nocase; \
reference:cve,CVE-1999-0176;classtype:attempted-recon; sid:838; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI finger access"; flags: A+; \
uricontent:"/finger"; nocase; reference:arachnids,221; \
reference:cve,CVE-1999-0612;classtype:attempted-recon; sid:839; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI perlshop.cgi access";flags: A+; \
                uricontent:"/perlshop.cgi"; nocase;classtype:attempted-recon; \
                sid:840; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI pfdisplay.cgi \
access";flags: A+; uricontent:"/pfdisplay.cgi"; nocase; \
                reference:cve,CVE-1999-0270;classtype:attempted-recon; sid:841; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI aglimpse \
access";flags: A+; uricontent:"/aglimpse"; nocase; \
reference:cve,CVE-1999-0147;classtype:attempted-recon; sid:842; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI anform2 access";flags: A+; \
uricontent:"/AnForm2"; nocase; reference:cve,CVE-1999-0066; \
reference:arachnids,225;classtype:attempted-recon; sid:843; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI args.bat access";flags: A+; \
uricontent:"/args.bat"; nocase;classtype:attempted-recon; sid:844; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI AT-admin.cgi access";flags: A+; \
uricontent:"/AT-admin.cgi"; nocase;classtype:attempted-recon; sid:845; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI bnbform.cgi access";flags: \
A+; uricontent:"/bnbform.cgi"; nocase; \
                reference:cve,CVE-1999-0937;classtype:attempted-recon; sid:846; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI campas access";flags: \
A+; uricontent:"/campas"; nocase; \
reference:cve,CVE-1999-0146;classtype:attempted-recon; sid:847; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI view-source directory \
traversal";flags: A+; uricontent:"/view-source"; nocase; content:"../"; nocase; \
reference:cve,CVE-1999-0174;classtype:attempted-recon; sid:848; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI view-source access";flags: A+; \
uricontent:"/view-source"; nocase; \
reference:cve,CVE-1999-0174;classtype:attempted-recon; sid:849; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wais.p access";flags: A+; \
uricontent:"/wais.pl";nocase;classtype:attempted-recon; sid:850; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI files.pl access";flags: A+; \
                uricontent:"/files.pl"; nocase;classtype:attempted-recon; sid:851; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wguest.exe \
access";flags: A+; uricontent:"/wguest.exe"; nocase; \
reference:cve,CAN-1999-0467;classtype:attempted-recon; sid:852; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wrap access"; flags: A+; \
uricontent: "/wrap";reference:arachnids,234; \
reference:cve,CVE-1999-0149;classtype:attempted-recon; sid:853; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI classifieds.cgi access";flags: \
A+; uricontent:"/classifieds.cgi"; \
nocase;reference:cve,CVE-1999-0934;classtype:attempted-recon; sid:854; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access";flags: A+; \
uricontent:"/edit.pl"; nocase;classtype:attempted-recon; sid:855; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI environ.cgi access";flags: A+; \
                uricontent:"/environ.cgi"; nocase;classtype:attempted-recon; sid:856; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI faxsurvey access"; \
flags: A+; uricontent:"/faxsurvey"; nocase; \
reference:cve,CVE-1999-0262;classtype:attempted-recon; sid:857; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI filemail access";flags: A+; \
uricontent:"/filemail.pl"; nocase;classtype:attempted-recon; sid:858; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI man.sh access";flags: A+; \
                uricontent:"/man.sh"; nocase;classtype:attempted-recon; sid:859; \
                rev:1;)
--- 22,59 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI anaconda directory \
transversal attempt"; flags: A+; uricontent:"/apexec.pl"; content:"template=../"; \
nocase; reference:cve,CVE-2000-0975; \
reference:bugtraq,2388;classtype:attempted-recon; sid:820; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI imagemap overflow attempt"; \
dsize: >1000; flags: A; uricontent: "/imagemap.exe?"; depth: 32; nocase; \
reference:arachnids,412;classtype:attempted-recon; sid:821; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI cvsweb.cgi access"; flags: A+; \
uricontent:"/cvsweb.cgi"; nocase; reference:cve,CVE-2000-0670; \
reference:bugtraq,1469;classtype:attempted-recon; sid:823; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI php access";flags: A+; \
uricontent:"/php.cgi"; nocase; reference:arachnids,232;classtype:attempted-recon; \
sid:824; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI \
glimpse access";flags: A+; uricontent:"/glimpse"; nocase;classtype:attempted-recon; \
                sid:825; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI htmlscript \
access";flags: A+; uricontent:"/htmlscript"; nocase; reference:bugtraq,2001; \
                reference:cve,CVE-1999-0264; classtype:attempted-recon; sid:826; \
                rev:2;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI info2www \
access";flags: A+; uricontent:"/info2www"; nocase; reference:bugtraq,1995; \
reference:cve,CVE-1999-0266; classtype:attempted-recon; sid:827; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI maillist.pl access";flags: A+; \
uricontent:"/maillist.pl"; nocase;classtype:attempted-recon; sid:828; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI nph-test-cgi access";flags: \
A+; uricontent:"/nph-test-cgi"; nocase; reference:arachnids,224; \
reference:cve,CVE-1999-0045;classtype:attempted-recon; sid:829; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI NPH-publish access";flags: A+; \
uricontent:"/nph-publish"; nocase;classtype:attempted-recon; sid:830; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI perl.exe access";flags: A+; \
uricontent:"/perl.exe"; nocase; reference:arachnids,219;classtype:attempted-recon; \
                sid:832; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI rguest.exe \
access";flags: A+; uricontent:"/rguest.exe"; nocase; reference:cve,CAN-1999-0467; \
reference:bugtraq,2024; classtype:attempted-recon; sid:833; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI rwwwshell.pl  access";flags: A+; \
uricontent:"/rwwwshell.pl"; nocase;classtype:attempted-recon; sid:834; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI test-cgi access"; flags: A+; \
uricontent:"/test-cgi"; nocase; reference:cve,CVE-1999-0070; \
reference:arachnids,218;classtype:attempted-recon; sid:835; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI testcounter.pl access";flags: A+; \
uricontent:"/textcounter.pl"; nocase;classtype:attempted-recon; sid:836; rev:1;)  \
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI uploader.exe \
access";flags: A+; uricontent:"/uploader.exe"; \
                nocase;reference:cve,CVE-1999-0177;classtype:attempted-recon; \
                sid:837; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webgais \
access";flags: A+; uricontent:"/webgais"; nocase; reference:arachnids,472; \
reference:bugtraq,2058; reference:cve,CVE-1999-0176;classtype:attempted-recon; \
sid:838; rev:2;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI \
finger access"; flags: A+; uricontent:"/finger"; nocase; reference:arachnids,221; \
reference:cve,CVE-1999-0612;classtype:attempted-recon; sid:839; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI perlshop.cgi access";flags: A+; \
                uricontent:"/perlshop.cgi"; nocase;classtype:attempted-recon; \
                sid:840; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI pfdisplay.cgi \
access";flags: A+; uricontent:"/pfdisplay.cgi"; nocase; reference:bugtraq,64; \
                reference:cve,CVE-1999-0270;classtype:attempted-recon; sid:841; \
                rev:2;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI aglimpse \
access";flags: A+; uricontent:"/aglimpse"; nocase; reference:cve,CVE-1999-0147; \
reference:bugtraq,2026; classtype:attempted-recon; sid:842; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI anform2 access";flags: A+; \
uricontent:"/AnForm2"; nocase; reference:cve,CVE-1999-0066; \
reference:arachnids,225;classtype:attempted-recon; sid:843; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI args.bat access";flags: A+; \
uricontent:"/args.bat"; nocase;classtype:attempted-recon; sid:844; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI AT-admin.cgi access";flags: A+; \
uricontent:"/AT-admin.cgi"; nocase;classtype:attempted-recon; sid:845; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI bnbform.cgi access";flags: \
A+; uricontent:"/bnbform.cgi"; nocase; \
                reference:cve,CVE-1999-0937;classtype:attempted-recon; sid:846; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI campas access";flags: \
A+; uricontent:"/campas"; nocase; reference:cve,CVE-1999-0146; \
reference:bugtraq,1975; classtype:attempted-recon; sid:847; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI view-source directory \
traversal";flags: A+; uricontent:"/view-source"; nocase; content:"../"; nocase; \
reference:cve,CVE-1999-0174;classtype:attempted-recon; sid:848; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI view-source access";flags: A+; \
uricontent:"/view-source"; nocase; \
reference:cve,CVE-1999-0174;classtype:attempted-recon; sid:849; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wais.p access";flags: A+; \
uricontent:"/wais.pl";nocase;classtype:attempted-recon; sid:850; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI files.pl access";flags: A+; \
                uricontent:"/files.pl"; nocase;classtype:attempted-recon; sid:851; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wguest.exe \
access";flags: A+; uricontent:"/wguest.exe"; nocase; reference:cve,CAN-1999-0467; \
reference:bugtraq,2024; classtype:attempted-recon; sid:852; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wrap access"; flags: A+; \
uricontent: "/wrap";reference:arachnids,234; \
reference:cve,CVE-1999-0149;classtype:attempted-recon; sid:853; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI classifieds.cgi access";flags: \
A+; uricontent:"/classifieds.cgi"; \
nocase;reference:cve,CVE-1999-0934;classtype:attempted-recon; sid:854; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access";flags: A+; \
uricontent:"/edit.pl"; nocase;classtype:attempted-recon; sid:855; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI environ.cgi access";flags: A+; \
                uricontent:"/environ.cgi"; nocase;classtype:attempted-recon; sid:856; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI faxsurvey access"; \
flags: A+; uricontent:"/faxsurvey"; nocase; reference:cve,CVE-1999-0262; \
reference:bugtraq,2056; classtype:attempted-recon; sid:857; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI filemail access";flags: A+; \
uricontent:"/filemail.pl"; nocase;classtype:attempted-recon; sid:858; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI man.sh access";flags: A+; \
                uricontent:"/man.sh"; nocase;classtype:attempted-recon; sid:859; \
                rev:1;)
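Review bot: sid:842 (WEB-CGI aglimpse access) is flagged as changed on the new side of this hunk but still ends in rev:1, while the other changed rules here (sid 838, 841, 847, 852 and 857) are at rev:2. If reference:bugtraq,2026 was added in this commit, bump 842 to rev:2 so the revision reflects the new reference.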
***************
*** 75,81 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI survey.cgi \
access";flags: A+; uricontent:"/survey.cgi"; nocase; \
reference:cve,CVE-1999-0936;classtype:attempted-recon; sid:871; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI tsch access";flags: A+; \
uricontent:"/tcsh"; nocase; reference:cve,CAN-1999-0509;classtype:attempted-recon; \
                sid:872; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI scriptalias access"; \
flags: A+; uricontent: "///"; reference:cve,CVE-1999-0236; \
reference:arachnids,227;classtype:attempted-recon; sid:873; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI w3-msql solaris x86  access"; \
flags: A+; uricontent: "/bin/shA-cA/usr/openwin"; nocase; \
reference:cve,CVE-1999-0276; reference:arachnids,211;classtype:attempted-recon; \
                sid:874; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI win-c-sample.exe \
access"; flags: A+; uricontent: "/win-c-sample.exe"; nocase;  \
reference:arachnids,231; reference:cve,CVE-1999-0178;classtype:attempted-recon; \
sid:875; rev:1;)  alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-CGI \
bugzilla 2.8 exploit "; flags: A+; content: "blaat@blaat.com"; nocase; \
reference:arachnids,276;classtype:attempted-user; sid:876; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI rksh access";flags: A+; \
uricontent:"/rksh"; nocase; reference:cve,CAN-1999-0509; classtype:attempted-recon; \
                sid:877; rev:1;)
--- 71,77 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI survey.cgi \
access";flags: A+; uricontent:"/survey.cgi"; nocase; \
reference:cve,CVE-1999-0936;classtype:attempted-recon; sid:871; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI tsch access";flags: A+; \
uricontent:"/tcsh"; nocase; reference:cve,CAN-1999-0509;classtype:attempted-recon; \
                sid:872; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI scriptalias access"; \
flags: A+; uricontent: "///"; reference:cve,CVE-1999-0236; reference:bugtraq,2300; \
reference:arachnids,227; classtype:attempted-recon; sid:873; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI w3-msql solaris x86  access"; \
flags: A+; uricontent: "/bin/shA-cA/usr/openwin"; nocase; \
reference:cve,CVE-1999-0276; reference:arachnids,211;classtype:attempted-recon; \
                sid:874; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI win-c-sample.exe \
access"; flags: A+; uricontent: "/win-c-sample.exe"; nocase; reference:bugtraq,2078; \
reference:arachnids,231; reference:cve,CVE-1999-0178;classtype:attempted-recon; \
sid:875; rev:2;)  alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-CGI \
bugzilla 2.8 exploit "; flags: A+; content: "blaat@blaat.com"; nocase; \
reference:arachnids,276;classtype:attempted-user; sid:876; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI rksh access";flags: A+; \
uricontent:"/rksh"; nocase; reference:cve,CAN-1999-0509; classtype:attempted-recon; \
                sid:877; rev:1;)
***************
*** 97,101 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI MachineInfo \
access";flags: A+; uricontent:"/MachineInfo"; nocase; classtype:attempted-recon; \
sid:893; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI \
bb-hist.sh access";flags: A+; uricontent:"/bb-hist.sh"; nocase; \
                reference:bugtraq,142; classtype:attempted-recon; sid:894; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI redirect \
access";flags: A+; uricontent:"/redirect"; nocase;reference:bugtraq,1179; \
classtype:attempted-recon; sid:895; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-CGI wayboard access"; uricontent:"/way-board"; nocase; \
flags:A+; reference:bugtraq,2370; classtype:attempted-recon; sid:896; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI pals-cgi access"; \
uricontent:"/pals-cgi"; nocase; flags:A+; reference:cve,CAN-2001-0216; \
                classtype:attempted-recon; sid:897; rev:1;)
--- 93,97 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI MachineInfo \
access";flags: A+; uricontent:"/MachineInfo"; nocase; classtype:attempted-recon; \
sid:893; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI \
bb-hist.sh access";flags: A+; uricontent:"/bb-hist.sh"; nocase; \
                reference:bugtraq,142; classtype:attempted-recon; sid:894; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI redirect \
access";flags: A+; uricontent:"/redirect"; nocase;reference:bugtraq,1179; \
reference:cve,CVE-2000-0382; classtype:attempted-recon; sid:895; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wayboard access"; \
uricontent:"/way-board"; nocase; flags:A+; reference:bugtraq,2370; \
classtype:attempted-recon; sid:896; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-CGI pals-cgi access"; uricontent:"/pals-cgi"; nocase; \
flags:A+; reference:cve,CAN-2001-0216; classtype:attempted-recon; sid:897; rev:1;)

Index: web-coldfusion.rules
===================================================================
RCS file: /cvsroot/snort/snort/web-coldfusion.rules,v
retrieving revision 1.6
retrieving revision 1.7
diff -C2 -r1.6 -r1.7
*** web-coldfusion.rules	2001/06/11 15:29:30	1.6
--- web-coldfusion.rules	2001/07/26 18:43:51	1.7
***************
*** 5,9 ****
  #
  
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-COLDFUSION cfcache.map \
access";flags: A+; uricontent:"/cfcache.map"; nocase; classtype:attempted-recon; \
sid:903; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"WEB-COLDFUSION exampleapp application.cfm";flags: A+; \
uricontent:"/cfdocs/exampleapp/email/application.cfm"; nocase;reference:bugtraq,1021; \
classtype:attempted-recon; sid:904; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-COLDFUSION application.cfm access";flags: A+; \
uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; \
                nocase;reference:bugtraq,1021; classtype:attempted-recon; sid:905; \
                rev:1;)
--- 5,9 ----
  #
  
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-COLDFUSION cfcache.map \
access";flags: A+; uricontent:"/cfcache.map"; nocase; reference:bugtraq,917; \
reference:cve,CVE-2000-0057; classtype:attempted-recon; sid:903; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-COLDFUSION exampleapp \
application.cfm";flags: A+; uricontent:"/cfdocs/exampleapp/email/application.cfm"; \
nocase;reference:bugtraq,1021; classtype:attempted-recon; sid:904; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-COLDFUSION application.cfm \
access";flags: A+; uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; \
nocase;reference:bugtraq,1021; classtype:attempted-recon; sid:905; rev:1;)

Index: web-frontpage.rules
===================================================================
RCS file: /cvsroot/snort/snort/web-frontpage.rules,v
retrieving revision 1.6
retrieving revision 1.7
diff -C2 -r1.6 -r1.7
*** web-frontpage.rules	2001/06/28 12:47:26	1.6
--- web-frontpage.rules	2001/07/26 18:43:51	1.7
***************
*** 24,28 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE authors.pwd \
access";flags: A+; uricontent:"/authors.pwd"; nocase; classtype:attempted-recon; \
sid:951; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
author.exe access";flags: A+; uricontent:"/_vti_bin/_vti_aut/author.exe"; nocase; \
                classtype:attempted-recon; sid:952; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
administrators.pwd";flags: A+; uricontent:"/administrators.pwd"; \
nocase;reference:bugtraq,1205; classtype:attempted-recon; sid:953; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE form_results.htm \
access";flags: A+; uricontent:"/_private/form_results.htm"; nocase; \
classtype:attempted-recon; sid:954; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE access.cnf access";flags: A+; \
uricontent:"/_vti_pvt/access.cnf"; nocase; classtype:attempted-recon; sid:955; \
                rev:1;)
--- 24,28 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE authors.pwd \
access";flags: A+; uricontent:"/authors.pwd"; nocase; classtype:attempted-recon; \
sid:951; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
author.exe access";flags: A+; uricontent:"/_vti_bin/_vti_aut/author.exe"; nocase; \
                classtype:attempted-recon; sid:952; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
administrators.pwd";flags: A+; uricontent:"/administrators.pwd"; nocase; \
reference:bugtraq,1205; classtype:attempted-recon; sid:953; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE form_results.htm \
access";flags: A+; uricontent:"/_private/form_results.htm"; nocase; \
classtype:attempted-recon; sid:954; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE access.cnf access";flags: A+; \
uricontent:"/_vti_pvt/access.cnf"; nocase; classtype:attempted-recon; sid:955; \
rev:1;)
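Review bot: the only change to sid:953 (administrators.pwd) is a space inserted after nocase; reference:bugtraq,1205 was already present and no new reference is added, so rev:1 is unchanged. Either keep cosmetic edits separate from the reference additions, or check whether a reference intended for this rule was left out.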

Index: web-iis.rules
===================================================================
RCS file: /cvsroot/snort/snort/web-iis.rules,v
retrieving revision 1.14
retrieving revision 1.15
diff -C2 -r1.14 -r1.15
*** web-iis.rules	2001/07/20 12:46:39	1.14
--- web-iis.rules	2001/07/26 18:43:51	1.15
***************
*** 11,21 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; \
uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; \
classtype:attempted-admin; reference:cve,CAN-2000-0071; sid:1244; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq access"; \
uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; \
                classtype:attempted-recon; reference:cve,CAN-2000-0071; sid:1245; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS %2E-asp \
access";flags: A+; uricontent:"%2e.asp"; nocase; reference:cve,CAN-1999-0253; \
                classtype:attempted-recon; sid:972; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS *.idc attempt";flags: \
A+; content:"*.idc"; nocase; reference:cve,CVE-1999-0874; classtype:attempted-recon; \
                sid:973; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ..\.. access";flags: \
A+; content:"|2e2e5c2e2e|"; reference:cve,CAN-1999-0229; classtype:attempted-recon; \
                sid:974; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .asp$data \
access";flags: A+; uricontent:".asp|3a3a|$data"; nocase; reference:cve,CVE-1999-0278; \
                classtype:attempted-recon; sid:975; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .bat? access";flags: \
A+; uricontent:".bat?&"; nocase; reference:cve,CVE-1999-0233; \
classtype:attempted-recon; sid:976; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS .cnf access"; content:".cnf"; nocase; flags:a+; \
                classtype:attempted-recon; sid:977; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ASP contents view"; \
flags: A+; content:"%20&CiRestriction=none&CiHiliteType=Full";reference:bugtraq,1084; \
classtype:attempted-recon; sid:978; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS ASP contents view"; flags: A+; \
uricontent:"/null.htw?CiWebHitsFile"; reference:bugtraq,1861; \
classtype:attempted-recon; sid:979; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS CGImail.exe access";flags: A+; \
uricontent:"/scripts/CGImail.exe"; nocase; reference:cve,CAN-2000-0726; \
                reference:bugtraq,1623; classtype:attempted-recon; sid:980; rev:1;)
--- 11,21 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; \
uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; \
classtype:attempted-admin; reference:cve,CAN-2000-0071; sid:1244; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq access"; \
uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; \
                classtype:attempted-recon; reference:cve,CAN-2000-0071; sid:1245; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS %2E-asp \
access";flags: A+; uricontent:"%2e.asp"; nocase; reference:bugtraq,1814; \
                reference:cve,CAN-1999-0253; classtype:attempted-recon; sid:972; \
                rev:2;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS *.idc attempt";flags: \
A+; content:"*.idc"; nocase; reference:bugtraq,1448; reference:cve,CVE-1999-0874; \
                classtype:attempted-recon; sid:973; rev:2;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ..\.. access";flags: \
A+; content:"|2e2e5c2e2e|"; reference:bugtraq,2218; reference:cve,CAN-1999-0229; \
                classtype:attempted-recon; sid:974; rev:2;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .asp$data \
access";flags: A+; uricontent:".asp|3a3a|$data"; nocase; reference:bugtraq,140; \
                reference:cve,CVE-1999-0278; classtype:attempted-recon; sid:975; \
                rev:2;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .bat? access";flags: \
A+; uricontent:".bat?&"; nocase; reference:bugtraq,2023; reference:cve,CVE-1999-0233; \
classtype:attempted-recon; sid:976; rev:2;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS .cnf access"; content:".cnf"; nocase; flags:a+; \
                classtype:attempted-recon; sid:977; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ASP contents view"; \
flags: A+; content:"%20&CiRestriction=none&CiHiliteType=Full"; \
reference:cve,CAN-2000-0302; reference:bugtraq,1084; classtype:attempted-recon; \
sid:978; rev:2;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ASP \
contents view"; flags: A+; uricontent:"/null.htw?CiWebHitsFile"; \
reference:bugtraq,1861; classtype:attempted-recon; sid:979; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CGImail.exe access";flags: A+; \
uricontent:"/scripts/CGImail.exe"; nocase; reference:cve,CAN-2000-0726; \
                reference:bugtraq,1623; classtype:attempted-recon; sid:980; rev:1;)
***************
*** 23,27 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission \
canonicalization"; uricontent:"/scripts/..%c1%1c../"; flags: A+; nocase; \
classtype:attempted-admin; sid:982; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; \
uricontent:"/scripts/..%c1%9c../"; flags: A+; nocase; classtype:attempted-admin;  \
                sid:983; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS JET VBA \
access";flags: A+; uricontent:"/scripts/samples/ctguestb.idc"; nocase; \
reference:bugtraq,286; reference:cve,CVE-1999-0874; classtype:attempted-recon; \
sid:984; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS JET \
VBA access";flags: A+; uricontent:"/scripts/samples/details.idc"; nocase; \
reference:bugtraq,286; reference:cve,CVE-1999-0874; classtype:attempted-recon; \
sid:985; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS \
MSProxy access";flags: A+; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; \
                classtype:attempted-recon; sid:986; rev:1;)
--- 23,27 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission \
canonicalization"; uricontent:"/scripts/..%c1%1c../"; flags: A+; nocase; \
classtype:attempted-admin; sid:982; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; \
uricontent:"/scripts/..%c1%9c../"; flags: A+; nocase; classtype:attempted-admin;  \
                sid:983; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS JET VBA \
access";flags: A+; uricontent:"/scripts/samples/ctguestb.idc"; nocase; \
reference:bugtraq,307; reference:cve,CVE-1999-0874; classtype:attempted-recon; \
sid:984; rev:2;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS JET \
VBA access";flags: A+; uricontent:"/scripts/samples/details.idc"; nocase; \
reference:bugtraq,286; reference:cve,CVE-1999-0874; classtype:attempted-recon; \
sid:985; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS \
MSProxy access";flags: A+; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; \
                classtype:attempted-recon; sid:986; rev:1;)
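Review bot: on sid:984 (ctguestb.idc) reference:bugtraq,286 is replaced by reference:bugtraq,307 rather than supplemented, while sid:985 (details.idc) directly below keeps bugtraq,286 under the same msg and the same CVE-1999-0874. Confirm that 307 is the right BID for ctguestb.idc and that 286 should no longer be listed; if both apply, keep both reference options.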
***************
*** 30,38 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Unicode2.pl script \
(File permission canonicalization")"; uricontent:"/sensepost.exe"; flags: A+; nocase; \
classtype:attempted-recon; sid:989; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS _vti_inf access";flags: A+; \
                uricontent:"_vti_inf.html"; nocase; classtype:attempted-recon; \
                sid:990; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS achg.htr \
access";flags: A+; uricontent:"/iisadmpwd/achg.htr"; nocase;reference:bugtraq,2110; \
classtype:attempted-recon; sid:991; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS adctest.asp access";flags: A+; \
uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:attempted-recon; sid:992; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin \
access";flags: A+; uricontent:"/scripts/iisadmin"; nocase; classtype:attempted-admin; \
sid:993; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS \
admin-default access";flags: A+; uricontent:"/scripts/iisadmin/default.htm"; nocase; \
                classtype:attempted-admin; sid:994; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin.dll \
access";flags: A+; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; \
nocase;reference:bugtraq,189; classtype:attempted-admin; sid:995; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS anot.htr access";flags: A+; \
uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; \
reference:cve,CAN-1999-0407; classtype:attempted-recon; sid:996; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS asp-dot attempt";flags: A+; \
                uricontent:".asp."; nocase; classtype:attempted-recon; sid:997; \
                rev:1;)
--- 30,38 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Unicode2.pl script \
(File permission canonicalization")"; uricontent:"/sensepost.exe"; flags: A+; nocase; \
classtype:attempted-recon; sid:989; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS _vti_inf access";flags: A+; \
                uricontent:"_vti_inf.html"; nocase; classtype:attempted-recon; \
                sid:990; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS achg.htr \
access";flags: A+; uricontent:"/iisadmpwd/achg.htr"; nocase; \
reference:cve,CVE-1999-0407; reference:bugtraq,2110; classtype:attempted-recon; \
sid:991; rev:2;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS \
adctest.asp access";flags: A+; uricontent:"/msadc/samples/adctest.asp"; nocase; \
classtype:attempted-recon; sid:992; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS admin access";flags: A+; \
uricontent:"/scripts/iisadmin"; nocase; classtype:attempted-admin; sid:993; rev:1;)  \
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin-default \
access";flags: A+; uricontent:"/scripts/iisadmin/default.htm"; nocase; \
                classtype:attempted-admin; sid:994; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin.dll \
access";flags: A+; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; \
reference:cve,CVE-2000-0630; reference:bugtraq,189; classtype:attempted-admin; \
sid:995; rev:2;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS \
anot.htr access";flags: A+; uricontent:"/iisadmpwd/anot"; nocase; \
reference:bugtraq,2110; reference:cve,CAN-1999-0407; classtype:attempted-recon; \
sid:996; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS \
asp-dot attempt";flags: A+; uricontent:".asp."; nocase; classtype:attempted-recon; \
                sid:997; rev:1;)
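Review bot: sid:991 (achg.htr) gains reference:cve,CVE-1999-0407, but sid:996 (anot.htr) in the same hunk cites the same number as reference:cve,CAN-1999-0407. Use one prefix for both so the two /iisadmpwd rules agree.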
***************
*** 40,44 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS bdir access";flags: \
A+; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; classtype:attempted-admin; \
sid:999; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS \
bdir.ht access"; uricontent:"/bdir.htr"; nocase; flags:A+; classtype:attempted-recon; \
                sid:1000; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS carbo.dll \
access";flags: A+; content:".carbo.dll"; content:"icatcommand="; \
nocase;reference:bugtraq,2126; classtype:attempted-recon; sid:1001; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; \
content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd? acess";flags: A+; \
                content:".cmd?&"; nocase; classtype:attempted-user; sid:1003; rev:1;)
--- 40,44 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS bdir access";flags: \
A+; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; classtype:attempted-admin; \
sid:999; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS \
bdir.ht access"; uricontent:"/bdir.htr"; nocase; flags:A+; classtype:attempted-recon; \
                sid:1000; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS carbo.dll \
access";flags: A+; content:".carbo.dll"; content:"icatcommand="; nocase; \
reference:bugtraq,2126; classtype:attempted-recon; sid:1001; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; \
content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd? acess";flags: A+; \
                content:".cmd?&"; nocase; classtype:attempted-user; sid:1003; rev:1;)
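Review bot: sid:1001 (carbo.dll) changes only by a space between nocase; and reference:bugtraq,2126, with rev left at 1 and no reference added. If the spacing is being normalized, note that the same nocase;reference pattern is left untouched on sid:1020 and sid:1024 in the next hunk of this file, so the cleanup is partial.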
***************
*** 60,71 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS index server file \
sourcecode attempt"; flags: A+; content:"?CiWebHitsFile=/"; \
content:"&CiRestriction=none&CiHiliteType=Full"; classtype:attempted-recon; sid:1019; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS isc$data \
attempt";flags: A+; content:".idc|3a3a|$data"; nocase;reference:cve,CVE-1999-0874; \
                classtype:attempted-recon; sid:1020; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ism.dll attempt"; \
flags: A+; content:"%20%20%20%20%20.htr"; nocase;reference:bugtraq,1193; \
classtype:attempted-recon; sid:1021; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS jet vba access";flags: A+; \
content:"/advworks/equipment/catalog_type.asp"; nocase; reference:bugtraq,286; \
                reference:cve,CVE-1999-0874; classtype:attempted-recon; sid:1022; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msadc/msadcs.dll \
access";flags: A+; uricontent:"/msadc/msadcs.dll"; nocase;reference:bugtraq,529; \
classtype:attempted-recon; sid:1023; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS newdsn.exe access";flags: A+; \
uricontent:"/scripts/tools/newdsn.exe"; \
nocase;reference:bugtraq,1818;reference:cve,CVE-1999-0191; classtype:attempted-recon; \
sid:1024; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS perl \
access";flags: A+; uricontent:"/scripts/perl"; nocase; classtype:attempted-recon; \
sid:1025; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS \
perl-browse0a attempt";flags: A+; content:"%0a.pl"; nocase; \
classtype:attempted-recon; sid:1026; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS perl-browse20 attempt";flags: A+; content:"%20.pl"; \
                nocase; classtype:attempted-recon; sid:1027; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS query.asp \
access";flags: A+; uricontent:"/issamples/query.asp"; nocase; reference:bugtraq,193; \
classtype:attempted-recon; sid:1028; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS scripts-browse";flags: A+; uricontent:"/scripts/|20|"; \
nocase; classtype:attempted-recon; sid:1029; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS search97.vts";flags: A+; \
uricontent:"/search97.vts";reference:bugtraq,162; classtype:attempted-recon; \
                sid:1030; rev:1;)
--- 60,71 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS index server file \
sourcecode attempt"; flags: A+; content:"?CiWebHitsFile=/"; \
content:"&CiRestriction=none&CiHiliteType=Full"; classtype:attempted-recon; sid:1019; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS isc$data \
attempt";flags: A+; content:".idc|3a3a|$data"; nocase;reference:cve,CVE-1999-0874; \
                classtype:attempted-recon; sid:1020; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ism.dll attempt"; \
flags: A+; content:"%20%20%20%20%20.htr"; nocase; reference:cve,CAN-2000-0457; \
reference:bugtraq,1193; classtype:attempted-recon; sid:1021; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS jet vba access";flags: A+; \
content:"/advworks/equipment/catalog_type.asp"; nocase; reference:bugtraq,286; \
                reference:cve,CVE-1999-0874; classtype:attempted-recon; sid:1022; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msadc/msadcs.dll \
access";flags: A+; uricontent:"/msadc/msadcs.dll"; nocase; \
reference:cve,CVE-1999-1011; reference:bugtraq,529; classtype:attempted-recon; \
sid:1023; rev:2;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS \
newdsn.exe access";flags: A+; uricontent:"/scripts/tools/newdsn.exe"; \
nocase;reference:bugtraq,1818;reference:cve,CVE-1999-0191; classtype:attempted-recon; \
sid:1024; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS perl \
access";flags: A+; uricontent:"/scripts/perl"; nocase; classtype:attempted-recon; \
sid:1025; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS \
perl-browse0a attempt";flags: A+; content:"%0a.pl"; nocase; \
classtype:attempted-recon; sid:1026; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-IIS perl-browse20 attempt";flags: A+; content:"%20.pl"; \
                nocase; classtype:attempted-recon; sid:1027; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS query.asp \
access";flags: A+; uricontent:"/issamples/query.asp"; nocase; reference:bugtraq,193; \
reference:cve,CVE-1999-0449; classtype:attempted-recon; sid:1028; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts-browse";flags: A+; \
uricontent:"/scripts/|20|"; nocase; classtype:attempted-recon; sid:1029; rev:1;)  \
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS search97.vts";flags: \
A+; uricontent:"/search97.vts";reference:bugtraq,162; classtype:attempted-recon; \
sid:1030; rev:1;)
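Review bot: sid:1028 (query.asp) gains reference:cve,CVE-1999-0449 but stays at rev:1, unlike sid:1021 and sid:1023 in this hunk, which go to rev:2 for the same kind of change. Bump 1028 to rev:2.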

Index: web-misc.rules
===================================================================
RCS file: /cvsroot/snort/snort/web-misc.rules,v
retrieving revision 1.15
retrieving revision 1.16
diff -C2 -r1.15 -r1.16
*** web-misc.rules	2001/07/24 21:21:12	1.15
--- web-misc.rules	2001/07/26 18:43:52	1.16
***************
*** 38,42 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC counter.exe \
access";flags: A+; uricontent:"/scripts/counter.exe"; nocase; reference:bugtraq,267; \
classtype:attempted-recon; sid:1078; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC webdav propfind access"; content:"<a\:propfind"; \
nocase; content:"xmlns\:a=\"DAV\">"; nocase; flags: A+; reference:cve, cve-2000-0869; \
                classtype:attempted-user; sid:1079; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC unify eWave \
ServletExec upload"; content:"(com.unify.servletexec.UploadServlet"; nocase; \
flags:a+; classtype:attempted-user; sid:1080; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC netscape servers suite DOS"; flags: A+; \
uricontent:"/dsgw/bin/search?context="; nocase; classtype:attempted-dos; sid:1081; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC amazon \
1-click cookie theft"; flags: A+; content:"ref%3Cscript%20language%3D%22Javascript"; \
                nocase; classtype:attempted-recon; sid:1082; rev:1;)
--- 38,42 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC counter.exe \
access";flags: A+; uricontent:"/scripts/counter.exe"; nocase; reference:bugtraq,267; \
classtype:attempted-recon; sid:1078; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC webdav propfind access"; content:"<a\:propfind"; \
nocase; content:"xmlns\:a=\"DAV\">"; nocase; flags: A+; reference:cve, cve-2000-0869; \
                classtype:attempted-user; sid:1079; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC unify eWave \
ServletExec upload"; content:"(com.unify.servletexec.UploadServlet"; nocase; \
flags:a+; classtype:attempted-user; sid:1080; rev:2; reference:bugtraq,1868;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC netscape servers suite DOS"; \
flags: A+; uricontent:"/dsgw/bin/search?context="; nocase; classtype:attempted-dos; \
sid:1081; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
amazon 1-click cookie theft"; flags: A+; \
content:"ref%3Cscript%20language%3D%22Javascript"; nocase; classtype:attempted-recon; \
                sid:1082; rev:1;)
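Review bot: on sid:1080 the new reference:bugtraq,1868 is appended after rev:2, so this is the only rule in the hunk that does not end in sid and rev. Move it ahead of classtype (reference:bugtraq,1868; classtype:attempted-user; sid:1080; rev:2;) to keep the option order uniform for anything that reads these files line by line. flags:a+ could be normalised to A+ while the line is being touched.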
***************
*** 62,68 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC netscape admin \
passwd"; flags: A+; uricontent:"/admin-serv/config/admpw"; \
nocase;reference:bugtraq,1579; classtype:attempted-recon; sid:1103; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC BigBrother access"; flags: \
A+; uricontent:"/bb-hostsvc.sh?HOSTSVC"; nocase; classtype:attempted-recon; sid:1105; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Poll-it access"; \
flags: A+; uricontent:"/pollit/Poll_It_SSI_v2.0.cgi"; nocase;reference:bugtraq,1431; \
classtype:attempted-recon; sid:1106; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC ftp.pl access"; flags: A+; uricontent:"/ftp.pl"; \
                nocase;reference:bugtraq,1471; classtype:attempted-recon; sid:1107; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC tomcat server snoop \
access"; flags: A+; uricontent:"/jsp/snp/anything.snp"; nocase; \
reference:bugtraq,1532; classtype:attempted-recon; sid:1108; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC ROXEN directory list attempt"; \
flags: A+; content:"|2F 25 30 30 2F|"; nocase;reference:bugtraq,1510; \
reference:cve,CVE-2000-0671; classtype:attempted-recon; sid:1109; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC apache source.asp file access"; \
flags: A+; uricontent:"/site/eg/source.asp"; nocase;reference:bugtraq,1457; \
                reference:cve, CVE-2000-0628; classtype:attempted-recon; sid:1110; \
                rev:1;)
--- 62,68 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC netscape admin \
passwd"; flags: A+; uricontent:"/admin-serv/config/admpw"; \
nocase;reference:bugtraq,1579; classtype:attempted-recon; sid:1103; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC BigBrother access"; flags: \
A+; uricontent:"/bb-hostsvc.sh?HOSTSVC"; nocase; classtype:attempted-recon; sid:1105; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Poll-it access"; \
flags: A+; uricontent:"/pollit/Poll_It_SSI_v2.0.cgi"; nocase; \
reference:cve,CAN-2000-0590; reference:bugtraq,1431; classtype:attempted-recon; \
sid:1106; rev:2;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
ftp.pl access"; flags: A+; uricontent:"/ftp.pl"; nocase;reference:bugtraq,1471; \
                classtype:attempted-recon; sid:1107; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC tomcat server snoop \
access"; flags: A+; uricontent:"/jsp/snp/anything.snp"; nocase; \
reference:cve,CAN-2000-0760; reference:bugtraq,1532; classtype:attempted-recon; \
sid:1108; rev:2;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
ROXEN directory list attempt"; flags: A+; content:"|2F 25 30 30 2F|"; \
nocase;reference:bugtraq,1510; reference:cve,CVE-2000-0671; \
classtype:attempted-recon; sid:1109; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC apache source.asp file access"; flags: A+; \
uricontent:"/site/eg/source.asp"; nocase;reference:bugtraq,1457; reference:cve, \
                CVE-2000-0628; classtype:attempted-recon; sid:1110; rev:1;)
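Review bot: the cve references added to sid:1106 and sid:1108 use candidate names (CAN-2000-0590, CAN-2000-0760) while the unchanged rules beside them use CVE- names, and sid:1110 has a space after the comma (reference:cve, CVE-2000-0628). Since this commit introduces sid-ref.map, pick one form for the cve reference system and strip the stray space, or document that consumers of the map must accept both prefixes.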
***************
*** 79,87 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat \
access";flags: A+; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; \
sid:1121; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
/etc/passwd";flags: A+; content:"/etc/passwd"; nocase; classtype:attempted-recon; \
                sid:1122; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC PageService \
access";flags: A+; content:"?PageServices"; nocase; reference:cve,CVE-1999-0269; \
classtype:attempted-recon; sid:1123; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC Ecommerce check.txt access";flags: A+; \
uricontent:"/config/check.txt"; nocase; classtype:attempted-recon; sid:1124; rev:1;)  \
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webcart access";flags: \
A+; uricontent:"/webcart/"; nocase; classtype:attempted-recon; sid:1125; rev:1;)  \
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC AuthChangeUr \
access";flags: A+; content:"_AuthChangeUrl?"; nocase; classtype:attempted-recon; \
                sid:1126; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC convert.bas \
access";flags: A+; uricontent:"/scripts/convert.bas"; nocase; \
reference:cve,CVE-1999-0175; classtype:attempted-recon; sid:1127; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC cpshost.dll access";flags: A+; \
uricontent:"/scripts/cpshost.dll"; nocase; classtype:attempted-recon; sid:1128; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC .htaccess \
access";flags: A+; content:".htaccess"; nocase; classtype:attempted-recon; sid:1129; \
                rev:1;)
--- 79,87 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat \
access";flags: A+; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; \
sid:1121; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
/etc/passwd";flags: A+; content:"/etc/passwd"; nocase; classtype:attempted-recon; \
                sid:1122; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC PageService \
access";flags: A+; content:"?PageServices"; nocase; reference:bugtraq,1063; \
reference:cve,CVE-1999-0269; classtype:attempted-recon; sid:1123; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Ecommerce check.txt \
access";flags: A+; uricontent:"/config/check.txt"; nocase; classtype:attempted-recon; \
sid:1124; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
webcart access";flags: A+; uricontent:"/webcart/"; nocase; classtype:attempted-recon; \
sid:1125; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
AuthChangeUr access";flags: A+; content:"_AuthChangeUrl?"; nocase; \
                classtype:attempted-recon; sid:1126; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC convert.bas \
access";flags: A+; uricontent:"/scripts/convert.bas"; nocase; reference:bugtraq,2025; \
reference:cve,CVE-1999-0175; classtype:attempted-recon; sid:1127; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC cpshost.dll access";flags: A+; \
uricontent:"/scripts/cpshost.dll"; nocase; classtype:attempted-recon; sid:1128; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC .htaccess \
access";flags: A+; content:".htaccess"; nocase; classtype:attempted-recon; sid:1129; \
                rev:1;)
***************
*** 91,95 ****
  alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; content: \
"AAAAAAAAAAAAAAAA"; flags: SFP; ack: 0; depth: 16;reference:arachnids,145; \
classtype:attempted-recon; sid:1133; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC Phorum admin access"; flags: A+; \
uricontent:"/admin.php3"; nocase; reference:arachnids,205; classtype:attempted-recon; \
                sid:1134; rev:1;)
- alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly \
win-c-sample.exe access";flags: A+; uricontent:"/cgi-shl/win-c-sample.exe"; \
nocase;reference:cve,CVE-1999-0178; classtype:attempted-recon; sid:1135; rev:1;)  \
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC cd..";flags: A+; \
content:"cd.."; nocase; classtype:attempted-recon; sid:1136; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Phorum auth access"; flags: A+; \
content:"PHP_AUTH_USER=boogieman"; nocase;  reference:arachnids,206; \
                classtype:attempted-recon; sid:1137; rev:1;)
--- 91,94 ----
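Review bot: the range goes from 91,95 to 91,94, so one rule is deleted here (the removed block starts with sid:1135, O'Reilly win-c-sample.exe), but the log message mentions only the added references and sid-ref.map. State in the log why the rule is dropped or where it moved, and check that sid-msg.map does not keep an entry for a SID that no longer has a rule.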
***************
*** 102,108 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /~root";flags: A+; \
content:"/~root"; nocase; classtype:attempted-recon; sid:1145; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Ecommerce import.txt \
access";flags: A+; uricontent:"/config/import.txt"; nocase; \
                classtype:attempted-recon; sid:1146; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC cat%20 \
access";flags: A+; content:"/cat%20"; nocase; reference:bugtraq,374; \
classtype:attempted-recon; sid:1147; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC Ecommerce import.txt access";flags: A+; \
                uricontent:"/orders/import.txt"; nocase; classtype:attempted-recon; \
                sid:1148; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC count.cgi \
access";flags: A+; uricontent:"/count.cgi"; nocase; reference:cve,CVE-1999-0021; \
classtype:attempted-recon; sid:1149; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC Domino catalog.ns access";flags: A+; \
uricontent:"/catalog.nsf"; nocase; classtype:attempted-recon; sid:1150; rev:1;)  \
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Domino domcfg.nsf \
access";flags: A+; uricontent:"/domcfg.nsf"; nocase; classtype:attempted-recon; \
                sid:1151; rev:1;)
--- 101,107 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /~root";flags: A+; \
content:"/~root"; nocase; classtype:attempted-recon; sid:1145; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Ecommerce import.txt \
access";flags: A+; uricontent:"/config/import.txt"; nocase; \
                classtype:attempted-recon; sid:1146; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC cat%20 \
access";flags: A+; content:"cat%20"; nocase; reference:cve,CVE-1999-0039; \
reference:bugtraq,374; classtype:attempted-recon; sid:1147; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Ecommerce import.txt \
access";flags: A+; uricontent:"/orders/import.txt"; nocase; \
                classtype:attempted-recon; sid:1148; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC count.cgi \
access";flags: A+; uricontent:"/count.cgi"; nocase; reference:bugtraq,550; \
reference:cve,CVE-1999-0021; classtype:attempted-recon; sid:1149; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Domino catalog.ns access";flags: \
A+; uricontent:"/catalog.nsf"; nocase; classtype:attempted-recon; sid:1150; rev:1;)  \
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Domino domcfg.nsf \
access";flags: A+; uricontent:"/domcfg.nsf"; nocase; classtype:attempted-recon; \
                sid:1151; rev:1;)
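Review bot: sid:1147 changes the match as well as the references: content:"/cat%20" becomes content:"cat%20", dropping the leading slash. With nocase and no uricontent, offset or depth, the shorter pattern fires on any payload containing that string, for instance a query value that ends in "cat" followed by an encoded space, so expect more false positives. If the broadening is intended, say so in the log message; otherwise keep the slash and add only reference:cve,CVE-1999-0039.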
***************
*** 113,122 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC apache DOS \
attempt";flags: A+; content:"|2f2f2f2f2f2f2f2f|"; classtype:attempted-dos; sid:1156; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC netscape \
PublishingXpert 2 Exploit"; flags: A+; uricontent:"/PSUser/PSCOErrPage.htm?"; nocase; \
                classtype:attempted-recon; sid:1157; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC windmail.exe \
access"; flags:A+; uricontent:"/windmail.exe?-n"; content:"mail"; nocase; \
reference:cve,CAN-2000-0242; reference:bugtraq,1073; classtype:attempted-recon; \
sid:1158; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
webplus access"; content:"webplus?script"; nocase; flags:A+; \
classtype:attempted-recon; sid:1159; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC netscape dir index wp"; flags: A+; content: "?wp-"; \
nocase; reference:arachnids,270; classtype:attempted-recon; sid:1160; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC piranha passwd.php3 access"; \
flags: A+; uricontent: "/passwd.php3"; reference:arachnids,272; \
classtype:attempted-recon; sid:1161; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC cart 32 AdminPwd access"; flags: A+; \
uricontent:"/c32web.exe/ChangeAdminPassword"; nocase;reference:bugtraq,1153; \
                classtype:attempted-recon; sid:1162; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdist.cgi access"; \
uricontent:"/webdist.cgi"; nocase; flags: A+; reference:cve,CVE-1999-0039; \
classtype:attempted-recon; sid:1163; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC shopping cart access access"; \
uricontent:"/quikstore.cfg"; nocase; flags: A+; classtype:attempted-recon; sid:1164; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC novell \
groupwise gwweb.exe access"; flags: A+; content:"/GWWEB.EXE?HELP="; nocase; \
reference:bugtraq,879; reference:cve,CAN-1999-1006; classtype:attempted-recon; \
                sid:1165; rev:1;)
--- 112,121 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC apache DOS \
attempt";flags: A+; content:"|2f2f2f2f2f2f2f2f|"; classtype:attempted-dos; sid:1156; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC netscape \
PublishingXpert 2 Exploit"; flags: A+; uricontent:"/PSUser/PSCOErrPage.htm?"; nocase; \
                classtype:attempted-recon; sid:1157; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC windmail access"; \
flags:A+; uricontent:"/windmail.exe"; nocase; content:"-n"; content:"mail"; nocase; \
reference:cve,CAN-2000-0242; reference:bugtraq,1073; reference:arachnids,465; \
classtype:attempted-recon; sid:1158; rev:2;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC webplus access"; content:"webplus?script"; nocase; \
flags:A+; classtype:attempted-recon; sid:1159; rev:1;)  alert tcp $EXTERNAL_NET any \
-> $HTTP_SERVERS 80 (msg:"WEB-MISC netscape dir index wp"; flags: A+; content: \
"?wp-"; nocase; reference:arachnids,270; classtype:attempted-recon; sid:1160; rev:1;) \
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC piranha passwd.php3 \
access"; flags: A+; uricontent: "/passwd.php3"; reference:arachnids,272; \
classtype:attempted-recon; sid:1161; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC cart 32 AdminPwd access"; flags: A+; \
uricontent:"/c32web.exe/ChangeAdminPassword"; nocase;reference:bugtraq,1153; \
                classtype:attempted-recon; sid:1162; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdist.cgi access"; \
uricontent:"/webdist.cgi"; nocase; flags: A+; reference:bugtraq,374; \
reference:cve,CVE-1999-0039; classtype:attempted-recon; sid:1163; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC shopping cart access access"; \
uricontent:"/quikstore.cfg"; nocase; flags: A+; classtype:attempted-recon; sid:1164; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC novell \
groupwise gwweb.exe access"; flags: A+; content:"/GWWEB.EXE?HELP="; nocase; \
reference:bugtraq,879; reference:cve,CAN-1999-1006; classtype:attempted-recon; \
                sid:1165; rev:1;)
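Review bot: sid:1158 is a detection change, not just a reference update: uricontent:"/windmail.exe?-n" is split into uricontent:"/windmail.exe"; nocase; plus a separate content:"-n". A two-byte content match with no offset or depth can be satisfied anywhere in the packet, including request headers, so the rule no longer ties the -n switch to the windmail.exe query string. Consider keeping "?-n" inside the URI match, or record the wider scope and the msg rename in the log message.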
***************
*** 127,131 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC bigconf.cgi access"; \
uricontent:"/bigconf.cgi"; nocase; flags: A+; classtype:attempted-recon; sid:1172; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
architext_query.pl access"; uricontent:"/ews/architext_query.pl"; nocase; flags: A+; \
                classtype:attempted-recon; sid:1173; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /cgi-bin/jj \
attempt"; uricontent:"/cgi-bin/jj"; nocase; flags: A+; reference:cve,CVE-1999-0260; \
classtype:attempted-recon; sid:1174; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC wwwboard.pl access"; uricontent:"/wwwboard.pl"; \
nocase; flags: A+; reference:cve,CVE-1999-0953; classtype:attempted-recon; sid:1175; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC order.log \
access"; uricontent:"/admin_files/order.log"; nocase; flags: A+; \
                classtype:attempted-recon; sid:1176; rev:1;)
--- 126,130 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC bigconf.cgi access"; \
uricontent:"/bigconf.cgi"; nocase; flags: A+; classtype:attempted-recon; sid:1172; \
rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
architext_query.pl access"; uricontent:"/ews/architext_query.pl"; nocase; flags: A+; \
                classtype:attempted-recon; sid:1173; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /cgi-bin/jj \
attempt"; uricontent:"/cgi-bin/jj"; nocase; flags: A+; reference:bugtraq,2002; \
reference:cve,CVE-1999-0260; classtype:attempted-recon; sid:1174; rev:2;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC wwwboard.pl access"; \
uricontent:"/wwwboard.pl"; nocase; flags: A+; reference:cve,CVE-1999-0953; \
classtype:attempted-recon; sid:1175; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC order.log access"; \
uricontent:"/admin_files/order.log"; nocase; flags: A+; classtype:attempted-recon; \
                sid:1176; rev:1;)
***************
*** 138,142 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC netscape enterprise \
server directory view"; flags: A+; \
content:"?wp-cs-dump";nocase;reference:bugtraq,1063; classtype:attempted-recon; \
sid:1183; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
netscape enterprise server directory view"; flags: A+; \
content:"?wp-ver-info";nocase;reference:bugtraq,1063; classtype:attempted-recon; \
                sid:1184; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC bizdbsearch access"; \
flags: A+; uricontent:"/bizdb1-search.cgi"; content:"mail"; \
nocase;reference:bugtraq,1104; classtype:attempted-recon; sid:1185; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC netscape enterprise server \
directory view"; flags: A+; content:"?wp-ver-diff";nocase;reference:bugtraq,1063; \
classtype:attempted-recon; sid:1186; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC SalesLogix Eviewer web shutdown acess"; flags: A+; \
content:"/slxweb.dll/admin?command="; nocase; reference:bugtraq,1089; \
                reference:cve,CAN-2000-0289; classtype:attempted-recon; sid:1187; \
                rev:1;)
--- 137,141 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC netscape enterprise \
server directory view"; flags: A+; \
content:"?wp-cs-dump";nocase;reference:bugtraq,1063; classtype:attempted-recon; \
sid:1183; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
netscape enterprise server directory view"; flags: A+; \
content:"?wp-ver-info";nocase;reference:bugtraq,1063; classtype:attempted-recon; \
                sid:1184; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC bizdbsearch access"; \
flags: A+; uricontent:"/bizdb1-search.cgi"; content:"mail"; nocase; \
reference:cve,CAN-2000-0287;  reference:bugtraq,1104; classtype:attempted-recon; \
sid:1185; rev:2;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
netscape enterprise server directory view"; flags: A+; \
content:"?wp-ver-diff";nocase;reference:bugtraq,1063; classtype:attempted-recon; \
sid:1186; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
SalesLogix Eviewer web shutdown acess"; flags: A+; \
content:"/slxweb.dll/admin?command="; nocase; reference:bugtraq,1089; \
                reference:cve,CAN-2000-0289; classtype:attempted-recon; sid:1187; \
                rev:1;)
***************
*** 147,153 ****
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Trend Micro \
OfficeScan access"; flags: A+; uricontent:"/officescan/cgi/jdkRqNotify.exe?"; nocase; \
reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC oracle web listener batch \
access"; flags: A+; uricontent:"/ows-bin/&"; nocase; reference:cve,CVE-2000-0169; \
                reference:bugtraq,1053; classtype:attempted-recon; sid:1193; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Sojourn File \
attempt"; flags: A+; uricontent:"/sojourn.cgi?cat="; content:"%00"; \
                nocase;reference:bugtraq,1052; classtype:attempted-user; sid:1194; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Sojourn access"; \
flags: A+; uricontent:"/sojourn.cgi"; nocase; reference:bugtraq,1052; \
                classtype:attempted-recon; sid:1195; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC SGI InfoSearch fname \
access"; flags: A+; uricontent:"/infosrch.cgi?"; content:"fname="; \
nocase;reference:bugtraq,1031; classtype:attempted-recon; sid:1196; rev:1;)  alert \
tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Phorum code access"; flags: \
A+; uricontent:"/code.php3"; nocase;  reference:arachnids,207; \
classtype:attempted-recon; sid:1197; rev:1;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC netscape enterprise server directory view"; flags: \
A+; content:"?wp-usr-prop";nocase;reference:bugtraq,1063; classtype:attempted-recon; \
                sid:1198; rev:1;)
--- 146,152 ----
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Trend Micro \
OfficeScan access"; flags: A+; uricontent:"/officescan/cgi/jdkRqNotify.exe?"; nocase; \
reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:1;)  alert tcp \
$EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC oracle web listener batch \
access"; flags: A+; uricontent:"/ows-bin/&"; nocase; reference:cve,CVE-2000-0169; \
                reference:bugtraq,1053; classtype:attempted-recon; sid:1193; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Sojourn File \
attempt"; flags: A+; uricontent:"/sojourn.cgi?cat="; content:"%00"; \
nocase;reference:bugtraq,1052; reference:cve,CAN-2000-0180; classtype:attempted-user; \
                sid:1194; rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Sojourn access"; \
flags: A+; uricontent:"/sojourn.cgi"; nocase; reference:bugtraq,1052; \
                reference:cve,CAN-2000-0180; classtype:attempted-recon; sid:1195; \
                rev:1;)
! alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC SGI InfoSearch fname \
access"; flags: A+; uricontent:"/infosrch.cgi?"; content:"fname="; \
nocase;reference:bugtraq,1031; reference:arachnids,290; reference:cve,CVE-2000-0207; \
classtype:attempted-recon; sid:1196; rev:2;)  alert tcp $EXTERNAL_NET any -> \
$HTTP_SERVERS 80 (msg:"WEB-MISC Phorum code access"; flags: A+; \
uricontent:"/code.php3"; nocase;  reference:arachnids,207; classtype:attempted-recon; \
sid:1197; rev:1;)  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC \
netscape enterprise server directory view"; flags: A+; \
content:"?wp-usr-prop";nocase;reference:bugtraq,1063; classtype:attempted-recon; \
sid:1198; rev:1;)
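Review bot: sid:1194 and sid:1195 gain reference:cve,CAN-2000-0180 but stay at rev:1, while sid:1196 in the same hunk gains two references and goes to rev:2. Bump rev on 1194 and 1195 as well so the revision number reflects every edit to a rule.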


_______________________________________________
Snort-cvsinfo mailing list
Snort-cvsinfo@lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-cvsinfo

