Snort mailing list archives
Re: WEB-ATTACKS mail command attempt
From: Erek Adams <erek () snort org>
Date: Fri, 5 Sep 2003 01:04:33 -0400 (EDT)
On Thu, 4 Sep 2003, Ricardo Pires wrote:

[...snip...]

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail%20";nocase; sid:1367; classtype:web-application-attack; rev:4;)
>
> instead of this:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20";nocase; sid:1367; classtype:web-application-attack; rev:4;)
>
> I was looking at the log files and I'm having these false positives. The packet is pointing to somewhere in the web page that says something like "send mail to...". Do you think putting the whole path could prevent this false positive?
What if the attacker used a relative path? "../../../../../usr/bin/mail " Or "./mail "? Or if it was just along the path "mail "? There's a good and bad side to everything. :)

You might want to consider adding an exclude for the servers that are causing the falsies.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
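To make the trade-off in this exchange concrete, here is an added Python model of the two `content` matches and of a per-server exclude (example code, not part of the thread and not Snort's own matching engine). The sample requests, the 10.0.0.x addresses and the exclude list are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sid: int
    content: bytes
    nocase: bool = True

@dataclass(frozen=True)
class Packet:
    dst_ip: str     # the $HTTP_SERVERS host the request went to
    payload: bytes  # HTTP request as seen on the wire

def content_matches(rule: Rule, pkt: Packet) -> bool:
    """Emulate a Snort 'content' option: a plain substring search over the
    payload, case-folded when 'nocase' is set (no decoding of %20)."""
    needle, hay = rule.content, pkt.payload
    if rule.nocase:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

def evaluate(rule: Rule, pkt: Packet, excluded_servers=frozenset()) -> str:
    """'alert', 'suppressed' (matched, but the server is on the exclude
    list suggested in the reply) or 'no-match'."""
    if not content_matches(rule, pkt):
        return "no-match"
    return "suppressed" if pkt.dst_ip in excluded_servers else "alert"

BROAD = Rule(sid=1367, content=b"mail%20")        # stock rev:4 content
NARROW = Rule(sid=1367, content=b"/bin/mail%20")  # proposed tightening

# Constructed sample requests, not captured traffic. 10.0.0.5 stands in for
# the server whose "send mail to..." page triggers the false positive.
SAMPLES = {
    "legit_page": Packet("10.0.0.5", b"GET /contact.html?msg=send%20MAIL%20to%20us HTTP/1.0\r\n"),
    "absolute":   Packet("10.0.0.7", b"GET /cgi-bin/x.cgi?c=/bin/mail%20a HTTP/1.0\r\n"),
    "relative":   Packet("10.0.0.7", b"GET /cgi-bin/x.cgi?c=../../../../../usr/bin/mail%20a HTTP/1.0\r\n"),
    "dotslash":   Packet("10.0.0.7", b"GET /cgi-bin/x.cgi?c=./mail%20a HTTP/1.0\r\n"),
    "bare":       Packet("10.0.0.7", b"GET /cgi-bin/x.cgi?c=mail%20a HTTP/1.0\r\n"),
}
EXCLUDED = frozenset({"10.0.0.5"})  # hypothetical exclude list

def compare(samples=SAMPLES, excluded=EXCLUDED) -> dict:
    """Map each sample name to (broad verdict, narrow verdict)."""
    return {name: (evaluate(BROAD, p, excluded), evaluate(NARROW, p, excluded))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (broad, narrow) in compare().items():
        print(f"{name:11s} broad={broad:11s} narrow={narrow}")
```

Running it shows the broad content flagging the legitimate page (silenced only by the exclude), while the narrow content misses the "./mail " and bare "mail " forms; the "/usr/bin/mail " form still matches the narrow content because it contains "/bin/mail%20" as a substring.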
Current thread:
- WEB-ATTACKS mail command attempt Ricardo Pires (Sep 04)
- Re: WEB-ATTACKS mail command attempt Erek Adams (Sep 04)