Snort mailing list archives

WEB-ATTACKS mail command attempt


From: "Ricardo Pires" <pires-ricardo () uol com br>
Date: Thu, 4 Sep 2003 18:17:44 -0300

Hello all,

I was wondering about the "WEB-ATTACKS mail command attempt" rule.
I think we could prevent false positives in this case. The rule searches for
the "mail" string followed by a space.
But as far as I understand, this attack will only work if the attacker puts
the entire path of the mail binary.

So, we might use the rule like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail%20"; nocase; sid:1367; classtype:web-application-attack; rev:4;)

instead of this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; sid:1367; classtype:web-application-attack; rev:4;)

I was looking at the log files and I'm getting these false positives. The
packet is pointing to somewhere in the web page that says something like
"send mail to..."
Do you think putting the whole path could prevent this false positive?

Thanks
Ricardo Pires
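Editor's note, with an added example that is not part of the original message or of the Snort rule set: the script below emulates only the `content:"..."; nocase;` part of sid:1367 (a case-insensitive substring search over the raw request payload; `flow`, port variables and any URI normalization are ignored) and runs both the original pattern `mail%20` and the proposed `/bin/mail%20` over constructed HTTP requests. The request samples, hostnames and addresses are made up for the illustration; they are not captured traffic.

```python
# Added example: emulate Snort's content:"..."; nocase; match for sid:1367
# and compare the original pattern with the proposed one over sample requests.

ORIGINAL_PATTERN = "mail%20"        # content match in the existing rule
PROPOSED_PATTERN = "/bin/mail%20"   # content match proposed in the post

# Constructed HTTP requests (not real traffic). The first reproduces the
# "send mail to..." false positive described in the post; the others are
# shapes a command injection attempt could take.
SAMPLE_REQUESTS = {
    "send_mail_to_page":
        b"GET /contact.html?note=please%20send%20mail%20to%20the%20webmaster HTTP/1.1\r\n"
        b"Host: www.example.com\r\n\r\n",
    "bin_mail":
        b"GET /cgi-bin/form.cgi?addr=%3B/bin/mail%20attacker%40example.net HTTP/1.1\r\n"
        b"Host: www.example.com\r\n\r\n",
    "usr_bin_mail":
        b"GET /cgi-bin/form.cgi?addr=%3B/usr/bin/mail%20attacker%40example.net HTTP/1.1\r\n"
        b"Host: www.example.com\r\n\r\n",
    "mail_without_path":
        b"GET /cgi-bin/form.cgi?addr=%3Bmail%20attacker%40example.net HTTP/1.1\r\n"
        b"Host: www.example.com\r\n\r\n",
}


def content_match(payload: bytes, pattern: str, nocase: bool = True) -> bool:
    """Emulate a single Snort content option: plain substring search on the
    raw payload, case-insensitive when 'nocase' is set (as in sid:1367)."""
    needle = pattern.encode("ascii")
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def evaluate(pattern: str, requests: dict = SAMPLE_REQUESTS) -> dict:
    """Return {sample_name: would_alert} for one content pattern."""
    return {name: content_match(payload, pattern) for name, payload in requests.items()}


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PATTERN), ("proposed", PROPOSED_PATTERN)):
        print(f'{label} content:"{pattern}"')
        for name, hit in evaluate(pattern).items():
            print(f"  {name:20s} {'ALERT' if hit else '-'}")
```

Run as-is, the `send_mail_to_page` request alerts on the original pattern and not on the proposed one, which is the false positive the post is about. Because `content` is a substring match, `/bin/mail%20` still fires on `/usr/bin/mail%20`, but it no longer fires on `mail%20` with no path at all, so the trade-off of the proposed change is visible in the output.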



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net