Snort mailing list archives
Re: possible exploit
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 15 Feb 2006 09:59:23 -0600
On Wed, 2006-02-15 at 02:08 -0600, Robert T Wyatt wrote:
> It's possible that I wasn't logging at the moment this hit, but it did not show up in my snort log and so I believe it was missed. I don't know what it was after, but it doesn't look friendly to me.
>
> 60.10.38.189 - - [14/Feb/2006:22:20:03 -0600] "GET /level/16/exec/-///pwd HTTP/1.0" 404 346 "-" "-"
Your Snort didn't alert on that? Mine do all the time. It's SID 1250 (web-misc.rules). You might want to check your config to see if this rule file is loaded and to ensure you don't miss other sigs too.

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
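The config check suggested in the reply above, sketched as an added example that is not part of the original message or of Snort itself. It assumes Snort 2.x-style `var` and `include` lines; the `/etc/snort/rules` path, the sample config and the rule text are constructed, and the rule body is a placeholder rather than the real SID 1250 signature.

```python
import re

# Constructed sample snort.conf (paths are assumptions): the include is commented out.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
# include $RULE_PATH/web-misc.rules
"""
# Constructed rule text; a placeholder, not the real SID 1250 signature.
SAMPLE_RULES = {
    "/etc/snort/rules/local.rules": "",
    "/etc/snort/rules/web-misc.rules":
        'alert tcp any any -> any 80 (msg:"constructed placeholder"; sid:1250; rev:1;)\n',
}

def included_files(conf_text):
    """Return (active, commented_out) include paths with $VARS expanded."""
    variables, active, disabled = {}, [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = re.match(r"var\s+(\S+)\s+(\S+)", line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = re.match(r"(#\s*)?include\s+(\S+)", line)
        if m:
            path = re.sub(r"\$(\w+)",
                          lambda v: variables.get(v.group(1), v.group(0)), m.group(2))
            (disabled if m.group(1) else active).append(path)
    return active, disabled

def sid_status(sid, conf_text, rule_files):
    """Explain whether a SID can fire: 'active', 'rule commented out',
    'rule file not included' or 'not found'. rule_files maps path -> file text."""
    active, _ = included_files(conf_text)
    pattern = re.compile(r"\bsid:\s*%d\s*;" % sid)
    status = "not found"
    for path, text in rule_files.items():
        for line in text.splitlines():
            if not pattern.search(line):
                continue
            if path not in active:
                status = "rule file not included"
            elif line.lstrip().startswith("#"):
                status = "rule commented out"
            else:
                return "active"
    return status
```

To run it against a live sensor, pass the text of the real `snort.conf` and a dict built by reading each file in the rules directory.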