Re: WEB-ATTACKS id command attempt

["Piotr Bulczak" <piotr.bulczak () pl abb com>]

Erek Adams <erek () theadamsfamily net> wrote:
> On Mon, 15 Apr 2002, John-Magne Bredal wrote:
>
> > I get an awful lot of these alarms on the network I am monitoring. Does
> > anyone know what this alert actually tells me (there are no reference
in
> > ACID which I am using), and perhaps a reason why there are so many
alerts?
> > They come from a relatively little amount of boxes, but those boxes are
> > spamming madly though.
> >
> > Anyone that can inform me :)
>
> Take a look at the actual packet payload and see what's going on.  From
the
> way the rule looks:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS id
command
> attempt"; flags:A+; content:"\;id";nocase; sid:1333; rev:1;
> classtype:web-application-attack;)
[...]

I also get these false alerts (I looked at the payload) frequently and
several others similar from web-attack.rules file: "netcat command", "rm
command", etc. What kind of attacks are they, any reference? Is it good
idea to use uricontent instead of content?

Regards,
Piotr



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users