List: snort-sigs
Subject: [Snort-sigs] Some sigs from the peanut gallery...
From: Erik Fichtner <emf () servervault ! com>
Date: 2000-10-09 19:46:41
# You know you're owned when you see:
alert tcp $HOME_NET any -> any any (msg: "MISC - id check returned root"; content: \
"uid=0(root)";)
# sometimes handy for spotting web kiddies..
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"WEB - 403 Forbidden";flags:PA; \
content:"HTTP/1.1 403";)
# Just spotted this one on bugtraq this morning...
alert tcp any any -> $HOME_NET 80 (msg:"WEB - WebStore Directory Traversal"; \
content:"web_store.cgi?page=../..";)
And a minor complaint.. the signature:
alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP - Exploitable proftpd 1.2 server running"; \
content:"proftpd 1.2"; nocase;)
should really be matching "proftpd 1.2.0pre" not "proftpd 1.2". rc2 is okay!
(for now, anyway)
--
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
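
Added example, not part of the original message and not Snort's own code: a small Python matcher that applies only the `content`/`nocase` options of the proftpd signature quoted above and of the narrower string proposed in the message, to show which FTP banners each one fires on. The helper names, the banners and the hostnames are constructed for illustration.

```python
import re

# Constructed sample rules: the shipped signature quoted in the message and the
# narrower content string the message proposes.
BROAD = ('alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP - Exploitable proftpd 1.2 '
         'server running"; content:"proftpd 1.2"; nocase;)')
NARROW = BROAD.replace('content:"proftpd 1.2"', 'content:"proftpd 1.2.0pre"')

# Constructed FTP greeting banners (hostnames are placeholders).
BANNERS = {
    "pre10": "220 ProFTPD 1.2.0pre10 Server (ftp.example.test) [ftp.example.test]\r\n",
    "rc2": "220 ProFTPD 1.2.0rc2 Server (ftp.example.test) [ftp.example.test]\r\n",
    "other": "220 ftp.example.test FTP server ready.\r\n",
}

def parse_contents(rule):
    """Hypothetical helper: pull content/nocase options out of a rule body.
    Hex |..| content, offsets, flags and the rule header are ignored."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    # Split options on ';' but keep ';' that appear inside double quotes.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        key, _, val = opt.strip().partition(":")
        key = key.strip().lower()
        if key == "content":
            contents.append({"pattern": val.strip().strip('"'), "nocase": False})
        elif key == "nocase" and contents:
            contents[-1]["nocase"] = True  # modifies the preceding content
    return contents

def matches(rule, payload):
    """True when every content pattern occurs somewhere in the payload."""
    contents = parse_contents(rule)
    def hit(c):
        if c["nocase"]:
            return c["pattern"].lower() in payload.lower()
        return c["pattern"] in payload
    return bool(contents) and all(hit(c) for c in contents)

def compare():
    """Map banner name -> (broad rule fired, narrow rule fired)."""
    return {n: (matches(BROAD, b), matches(NARROW, b)) for n, b in BANNERS.items()}

if __name__ == "__main__":
    for name, (broad, narrow) in compare().items():
        print(f"{name:6} broad={broad!s:5} narrow={narrow}")
```

The broad string fires on both the pre-release and the rc2 banner, while the narrowed string fires only on the pre-release one.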