
List:       snort-sigs
Subject:    [Snort-sigs] Some sigs from the peanut gallery...
From:       Erik Fichtner <emf () servervault ! com>
Date:       2000-10-09 19:46:41

# You know you're owned when you see:
alert tcp $HOME_NET any -> any any (msg: "MISC - id check returned root"; content: \
"uid=0(root)";)

# sometimes handy for spotting web kiddies..
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"WEB - 403 Forbidden";flags:PA; \
content:"HTTP/1.1 403";)

# Just spotted this one on bugtraq this morning...
alert tcp any any -> $HOME_NET 80 (msg:"WEB - WebStore Directory Traversal"; \
content:"web_store.cgi?page=../..";)





And a minor complaint..  the signature:
alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP - Exploitable proftpd 1.2 server \
running"; content:"proftpd 1.2"; nocase;)

should really be matching "proftpd 1.2.0pre" not "proftpd 1.2".  rc2 is okay! 
(for now, anyway)



-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
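
An added example, not part of the original message: a small Python check of the proftpd complaint above, treating `content` as a plain substring match (lowercased when `nocase` is set) over constructed FTP banners. Only `msg`, `content` and `nocase` are interpreted; the fourth rule, the banners and the function names are assumptions made for illustration.

```python
import re

# Rules 1-3 are from the message above (its "\" line wraps kept); rule 4 is a
# constructed variant with the narrower content string the message asks for.
RULES = r'''
alert tcp $HOME_NET any -> any any (msg: "MISC - id check returned root"; content: \
"uid=0(root)";)
alert tcp any any -> $HOME_NET 80 (msg:"WEB - WebStore Directory Traversal"; \
content:"web_store.cgi?page=../..";)
alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP - Exploitable proftpd 1.2 server running"; content:"proftpd 1.2"; nocase;)
alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP - proftpd 1.2.0pre (constructed)"; content:"proftpd 1.2.0pre"; nocase;)
'''

# Constructed FTP greeting banners (hostname is a placeholder).
BANNER_PRE = "220 ProFTPD 1.2.0pre10 Server (constructed) [ftp.example.test]"
BANNER_RC2 = "220 ProFTPD 1.2.0rc2 Server (constructed) [ftp.example.test]"

# One option: `name;` or `name: "value";` (the value may contain ';' or ')').
OPTION = re.compile(r'(\w+)\s*(?::\s*"((?:[^"\\]|\\.)*)")?\s*;')

def parse_rules(text):
    """Return one {option: value} dict per rule; the rule header is ignored."""
    joined = re.sub(r"\\\s*\n", "", text)  # undo backslash line continuations
    rules = []
    for line in filter(None, map(str.strip, joined.splitlines())):
        # Options sit between the first "(" and the last ")" of the rule.
        body = line[line.index("(") + 1 : line.rindex(")")]
        rules.append(dict(OPTION.findall(body)))
    return rules

def matches(rules, payload):
    """Return the msg of every rule whose content occurs in the payload."""
    hits = []
    for rule in rules:
        needle, haystack = rule["content"], payload
        if "nocase" in rule:  # nocase makes the comparison case-insensitive
            needle, haystack = needle.lower(), haystack.lower()
        if needle in haystack:
            hits.append(rule["msg"])
    return hits

if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for banner in (BANNER_PRE, BANNER_RC2):
        print(banner, "->", matches(parsed, banner))
```

The broad `"proftpd 1.2"` content alerts on both banners, while the `"proftpd 1.2.0pre"` content alerts only on the pre-release one.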

