Snort mailing list archives
Re: WEB-ATTACKS id command attempt
From: "Piotr Bulczak" <piotr.bulczak () pl abb com>
Date: Mon, 15 Apr 2002 22:41:55 +0200
Erek Adams <erek () theadamsfamily net> wrote:
On Mon, 15 Apr 2002, John-Magne Bredal wrote:I get an awful lot of these alarms on the network I am monitoring. Does anyone know what this alert actually tells me (there are no reference
in
ACID which I am using), and perhaps a reason why there are so many
alerts?
They come from a relatively little amount of boxes, but those boxes are spamming madly though. Anyone that can inform me :)Take a look at the actual packet payload and see what's going on. From
the
way the rule looks: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS id
command
attempt"; flags:A+; content:"\;id";nocase; sid:1333; rev:1; classtype:web-application-attack;)
[...] I also get these false alerts (I looked at the payload) frequently and several others similar from web-attack.rules file: "netcat command", "rm command", etc. What kind of attacks are they, any reference? Is it good idea to use uricontent instead of content? Regards, Piotr _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- WEB-ATTACKS id command attempt John-Magne Bredal (Apr 15)
- Re: WEB-ATTACKS id command attempt Erek Adams (Apr 15)
- <Possible follow-ups>
- RE: WEB-ATTACKS id command attempt Gray . Brendan (Apr 15)
- Re: WEB-ATTACKS id command attempt Phil Wood (Apr 15)
- Re: WEB-ATTACKS id command attempt Piotr Bulczak (Apr 15)