Snort mailing list archives
RE: Where do these rules come from?
From: Steve Halligan <agent33 () geeksquad com>
Date: Thu, 16 Aug 2001 15:38:23 -0500
The rules are there because there are kiddie tools which will scan a webserver for hundreds of commonly found known exploitable cgi programs, and if we didn't rules to detect them, then we'd never know we were being scanned. -WesI understand that. But what exploitable cgi program is this rule for, for example. Shouldn't that info be in the rule?
I found the answer for this rule, but there are many more like it in web-cgi.rules. I know I know I should go fix it. I'll shut up now :) a scan for /calendar is probably looking for CVE-2000-0432. The perl script /cgi-bin/calendar_admin.pl and a bunch of exploits...etc...etc. -Steve _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Where do these rules come from? Steve Halligan (Aug 16)
- Re: Where do these rules come from? Wesley Eddy (Aug 16)
- <Possible follow-ups>
- RE: Where do these rules come from? Steve Halligan (Aug 16)
- RE: Where do these rules come from? Steve Halligan (Aug 16)