Snort mailing list archives

Fwd: Re: Cisco HTTP Admin IOS attack signature


From: Dragos Ruiu <dr () dursec com>
Date: Fri, 29 Jun 2001 20:23:09 -0700

And since I'm replying to my own mail and thinking out loud, the trailing "/exec"
check is wholly redundant and only slows snort down, because if you've
seen the level tag before, something's no good for sure, so remove that last
check to get:

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
  content:"GET"; regex:"level/*1[6-9]";  nocase; \
  reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:3;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
  content:"GET"; regex:"level/*[2-9][0-9]"; nocase; \
  reference:bugtraq,2936; classtype:attempted-admin; sid:1100001; rev:3;)

cheers,
--dr
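To see what the two rules above actually fire on, here is an added example that is not part of the original post or of Snort: a small Python re-implementation of the rule logic (content "GET" as a case-insensitive substring test, the posted regex patterns via re.search with IGNORECASE for nocase) run over a handful of constructed request lines in the level/NN/exec URL shape that bugtraq 2936 describes. The sample requests, the helper names and the expected SID lists are all assumptions made for the example.

```python
import re

# Translation of the two posted rules (constructed for this example, not the
# page's own code): content:"GET" becomes a substring test, regex becomes
# re.search, nocase becomes re.IGNORECASE. Pattern strings are copied as-is.
RULES = [
    (1100000, "level/*1[6-9]"),
    (1100001, "level/*[2-9][0-9]"),
]
COMPILED = [(sid, re.compile(pat, re.IGNORECASE)) for sid, pat in RULES]


def match_rules(payload: str) -> list[int]:
    """Return the SIDs of the rules that would fire on one HTTP request payload."""
    if "GET" not in payload.upper():  # content:"GET" with nocase
        return []
    return [sid for sid, rx in COMPILED if rx.search(payload)]


# Constructed sample requests and the SIDs expected to fire on each.
SAMPLES = {
    # level 15 is the highest legitimate IOS privilege level: no alert expected
    "GET /level/15/exec/show/version HTTP/1.0": [],
    "GET /level/16/exec/show/config HTTP/1.0": [1100000],
    "GET /LEVEL/42/exec/ HTTP/1.0": [1100001],  # nocase covers the upper-case path
    "GET /level/99/exec/show/run HTTP/1.0": [1100001],
    "POST /level/16/exec/ HTTP/1.0": [],  # no "GET" content, so neither rule fires
}


def check_samples() -> bool:
    """True when every constructed sample fires exactly the expected SIDs."""
    return all(match_rules(req) == sids for req, sids in SAMPLES.items())


if __name__ == "__main__":
    for req, sids in SAMPLES.items():
        print(f"{req!r:48} -> {match_rules(req)} (expected {sids})")
```

The sample set deliberately includes level 15 and a POST request to show where the patterns stop: the first because 0-15 are ordinary privilege levels, the second because the content:"GET" check is a precondition for the regex.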


