Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: web-cgi.rule: sid:885

From: "Andrew Y. Glass" <ayglass () io com>
Date: Wed, 17 Jul 2002 11:04:48 -0400 (EDT)

Hey Phil,

        Ok, I have two guesses...
1) It's 295 characters long (on TIS toolkit that would kill it right there)
2) It has a stutter in the classtype.
        Am I getting warm? ;-)


                                Andy Glass


Message: 1
Date: Tue, 16 Jul 2002 18:20:24 -0600
From: Phil Wood <cpw () lanl gov>
To: snort-users () lists sourceforge net
Subject: [Snort-users] web-cgi.rule: sid:885


Folks,

Guess what's wrong with this rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access";flags:A+; uricontent:"/bash"; 
nocase; reference:cve,CAN-1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; 
classtype:web-application-activity; classtype:web-application-activity; sid:885;  rev:5;)

Later,

Phil


--__--__--





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: