Snort mailing list archives
WEB-ATTACKS mail command attempt
From: "Ricardo Pires" <pires-ricardo () uol com br>
Date: Thu, 4 Sep 2003 18:17:44 -0300
Hello all,

I was wondering about the "WEB-ATTACKS mail command attempt" rule. I think we could prevent false positives in this case. The rule searches for the mail string followed by a space. But as I could understand, this attack will only work if the attacker puts the entire path of the mail bin. So, we might use the rule like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail%20"; nocase; sid:1367; classtype:web-application-attack; rev:4;)

instead of this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; sid:1367; classtype:web-application-attack; rev:4;)

I was looking at the log files and I'm having these false positives. The packet is pointing to somewhere in the web page that says something like "send mail to..." Do you think putting the whole path could prevent this false positive?

Thanks
Ricardo Pires
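To see why narrowing the content string changes what fires, here is an added Python example (not part of the original post or of Snort) that evaluates only the content/nocase options of the two rules above against constructed HTTP requests; the request bodies and the simplified matcher are assumptions for illustration.

```python
import re

# Constructed copies of the two rules from the post above; only the
# content/nocase options are evaluated by this simplified matcher.
ORIGINAL_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
                 '(msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; '
                 'content:"mail%20"; nocase; sid:1367; classtype:web-application-attack; rev:4;)')
PROPOSED_RULE = ORIGINAL_RULE.replace('content:"mail%20"', 'content:"/bin/mail%20"')

# Grabs each content:"..."; option and whether a nocase; modifier follows it.
CONTENT_RE = re.compile(r'content:"([^"]*)";\s*(nocase;)?')

def parse_contents(rule: str):
    """Return [(pattern_bytes, nocase_flag), ...] in rule order.
    Modifiers such as depth/offset/distance/within are ignored (simplification
    for this example; the two rules in the post use none of them)."""
    return [(pat.encode(), bool(nc)) for pat, nc in CONTENT_RE.findall(rule)]

def rule_matches(rule: str, payload: bytes) -> bool:
    """Plain substring semantics: every content pattern must occur somewhere
    in the raw payload, case-insensitively when nocase is set."""
    for pat, nocase in parse_contents(rule):
        hay, needle = (payload.lower(), pat.lower()) if nocase else (payload, pat)
        if needle not in hay:
            return False
    return True

# Constructed requests: a benign link with a URL-encoded space after "mail"
# (the kind of traffic behind the reported false positive), and a mixed-case
# variant of the full-path string the rule is meant to catch.
SAMPLE_REQUESTS = {
    "benign_send_mail_page": b"GET /help/send%20mail%20to%20support.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "full_path_mixed_case": b"GET /cgi-bin/form.cgi?cmd=/BIN/Mail%20test HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
}

def alerts_for(rule: str) -> list:
    """Names of the sample requests that would trigger the given rule."""
    return [name for name, pkt in SAMPLE_REQUESTS.items() if rule_matches(rule, pkt)]

if __name__ == "__main__":
    print("original:", alerts_for(ORIGINAL_RULE))   # both requests fire
    print("proposed:", alerts_for(PROPOSED_RULE))   # only the full-path request fires
```

The matcher works on raw bytes, so "%20" is matched literally and Snort's URI normalization is not modelled; the narrowed pattern is strictly more specific, so anything it catches the original rule would also have caught.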
Current thread:
- WEB-ATTACKS mail command attempt Ricardo Pires (Sep 04)
- Re: WEB-ATTACKS mail command attempt Erek Adams (Sep 04)