Snort mailing list archives

Odd alert on /bin/chmod rule


From: GJ Philput <gjphilput () yahoo com>
Date: Mon, 23 Feb 2004 11:18:34 -0800 (PST)

Hello,
I am hoping that someone can shed some light on an
unusual capture that I got from the WEB-ATTACKS chmod
command attempt rule in Snort 2.1.  According to the
rule, this rule should only alert if it finds
/bin/chmod/ in the packet.  I have gotten several
alerts on this rule that are just SYN packets and
don't contain a payload, let alone /bin/chmod/.  Does
anyone know why this might be happening?  I have
included the rule, and the Alert below.  Sensitive
information has been changed to protect the guilty.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt";
flow:to_server,established;
content:"/bin/chmod";nocase; sid:1336;
classtype:web-application-attack; rev:4;)


Generated by ACID x.x.x on Mon, 23 Feb 2004 13:23:13 -0500
------------------------------------------------------------------------------
#(4 - 19383) [2004-02-22 04:12:17] [snort/1336] WEB-ATTACKS chmod command attempt
IPv4: xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
  hlen=5 TOS=0 dlen=48 ID=19428 flags=0 offset=0 TTL=113 chksum=44886
TCP: port=2434 -> dport: 1080
  flags=******S* seq=3183296326 ack=0 off=7 res=0 win=64240 urp=0 chksum=28387
  Options:
    #1 - MSS len=2 data=05B4
    #2 - NOP len=0
    #3 - NOP len=0
    #4 - SACKOK len=0
Payload: none

James
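The rule quoted above needs two things the ACID record does not show: an established flow (flow:to_server,established) and the string /bin/chmod somewhere in the payload. The logged packet is a bare SYN (flags=******S*, ack=0) with "Payload: none", so, taken at face value, it cannot be a packet that sid:1336 matched. The following Python is an added check by the editor, not code from the original post or from Snort: it pulls the relevant fields out of an ACID-style dump and reports which of the rule's predicates fail. It assumes Snort's printed TCP flag order 12UAPRSF, an $HTTP_PORTS of 80 (the default of that era), and a simplified notion of "established" (ACK set, SYN clear) standing in for stream4's real handshake tracking. The first sample is the posted alert reduced to the fields the check needs; the second is a constructed packet that the rule could legitimately match.

```python
import re

# Constructed sample 1: the alert from the post, condensed to the fields
# this check uses (addresses were already masked by the poster).
POSTED_ALERT = """\
port=2434 -> dport: 1080
flags=******S*
seq=3183296326
ack=0
Payload: none
"""

# Constructed sample 2 (not from the post): an ACKed request carrying the
# string in a different case, which the rule's nocase content should match.
MATCHING_ALERT = """\
port=40112 -> dport: 80
flags=***AP***
seq=10
ack=20
Payload: GET /cgi-bin/test.cgi?cmd=/BIN/CHMOD%20777%20x HTTP/1.0
"""

# Snort prints TCP flags in this fixed order: reserved bit 1, reserved bit 2,
# URG, ACK, PSH, RST, SYN, FIN; an unset flag is shown as '*'.
FLAG_ORDER = "12UAPRSF"


def parse_flags(flag_str):
    """Turn a Snort flag string such as '***AP***' into a set like {'A', 'P'}."""
    return {FLAG_ORDER[i] for i, ch in enumerate(flag_str) if ch != '*'}


def parse_alert(text):
    """Extract ports, TCP flags and payload from an ACID-style packet dump."""
    fields = {'payload': b''}
    for line in text.splitlines():
        m = re.match(r'port=(\d+) -> dport: (\d+)', line)
        if m:
            fields['sport'], fields['dport'] = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r'flags=([*0-9UAPRSF]{8})', line)
        if m:
            fields['flags'] = parse_flags(m.group(1))
            continue
        m = re.match(r'Payload: (.*)', line)
        if m:
            payload = m.group(1)
            fields['payload'] = b'' if payload == 'none' else payload.encode()
    return fields


def failed_predicates(pkt, content=b"/bin/chmod", http_ports=(80,)):
    """Return the sid:1336 predicates the packet does NOT satisfy, in rule order."""
    failed = []
    if pkt['dport'] not in http_ports:
        failed.append('dport in $HTTP_PORTS')
    # Simplified stand-in for stream4's established state (assumption):
    # ACK must be set and SYN clear.  A lone SYN is never "established".
    if 'A' not in pkt['flags'] or 'S' in pkt['flags']:
        failed.append('flow:established')
    # content:"/bin/chmod"; nocase -> case-insensitive substring search.
    if content.lower() not in pkt['payload'].lower():
        failed.append('content:"/bin/chmod" nocase')
    return failed


if __name__ == '__main__':
    for name, dump in (('posted alert', POSTED_ALERT), ('constructed match', MATCHING_ALERT)):
        missing = failed_predicates(parse_alert(dump))
        print(f"{name}: {'matches rule' if not missing else 'fails ' + ', '.join(missing)}")
```

Run against the posted dump the check reports the port, the established and the content predicates all failing, while the constructed request passes all three. When a logged packet cannot satisfy the predicates of the rule it is attributed to, the place to look is how the packet was paired with the alert on the way into the database, rather than the rule text.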
