Snort mailing list archives

WEB-CGI phf access - SID 886


From: Guise McAllaster <guise.mcallaster () gmail com>
Date: Tue, 29 Dec 2009 21:25:44 +0000

Here is another ancient rule that has some false positives:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf
access"; flow:to_server,established; uricontent:"/phf"; nocase;
metadata:service http; reference:arachnids,128; reference:bugtraq,629;
reference:cve,1999-0067; classtype:web-application-activity; sid:886;
rev:12;)

If people still care about this vuln, could we change it to be more robust?
I see it false positive on things like 'GET /foo/bar/PHFDD_user.js'.

Maybe something like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf
access"; flow:to_server,established; uricontent:"/phf"; nocase;
pcre:"/\/phf\/?\?/Ui"; metadata:service http; reference:arachnids,128;
reference:bugtraq,629; reference:cve,1999-0067;
classtype:web-application-activity; sid:886; rev:13;)

Similar simple file access rules could probably be modified in a similar
manner (although I have not looked).

If people don't care about the rule, maybe we could prune it out along with
all exploit specific rules that are over 10 years old.

Thanks.

Guise
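The following is an added example, not part of the original post or of the Snort ruleset, that models the rev 12 and proposed rev 13 matching logic in Python so the effect of the extra `pcre` on the false positive can be checked offline. The sample URIs are constructed; the `U` (normalized URI) modifier is approximated by testing the request path directly, and `i` maps to `re.IGNORECASE`.

```python
import re

# rev 12: uricontent:"/phf"; nocase;  -> case-insensitive substring test on the URI.
OLD_CONTENT = "/phf"

# rev 13 adds pcre:"/\/phf\/?\?/Ui" -> "/phf", optional "/", then a literal "?".
# In Snort the uricontent still runs first as the fast-pattern prefilter; the
# pcre only refines hits. "U" is modelled by passing the URI path, "i" by IGNORECASE.
PROPOSED_PCRE = re.compile(r"/phf/?\?", re.IGNORECASE)


def old_rule_matches(uri: str) -> bool:
    """rev 12 logic: fires on any URI containing '/phf' in any case."""
    return OLD_CONTENT.lower() in uri.lower()


def proposed_rule_matches(uri: str) -> bool:
    """rev 13 logic: uricontent prefilter AND the pcre refinement."""
    return old_rule_matches(uri) and PROPOSED_PCRE.search(uri) is not None


# Constructed sample request URIs (not real traffic).
SAMPLE_URIS = [
    "/foo/bar/PHFDD_user.js",     # the false positive reported in the post
    "/cgi-bin/phf?Qname=test",    # a request to the phf CGI with a query string
    "/cgi-bin/PHF/?Qname=test",   # trailing slash and mixed case
    "/docs/phf.html",             # static page that merely contains "phf"
    "/images/logo.png",           # unrelated request
]


def evaluate(uris=SAMPLE_URIS):
    """Return, per URI, whether each rule revision would fire."""
    return {
        uri: {"rev12": old_rule_matches(uri), "rev13": proposed_rule_matches(uri)}
        for uri in uris
    }


def false_positives_removed(uris=SAMPLE_URIS):
    """URIs that rev 12 alerts on but rev 13 no longer does."""
    return [u for u in uris if old_rule_matches(u) and not proposed_rule_matches(u)]


if __name__ == "__main__":
    for uri, hits in evaluate().items():
        print(f"{uri:30} rev12={hits['rev12']!s:5} rev13={hits['rev13']!s:5}")
    print("no longer alerting:", false_positives_removed())
```

One caveat worth noting before adopting the pcre: because it requires a literal `?`, a bare `GET /cgi-bin/phf` with no query string stops matching under rev 13, so the tightened rule trades the `PHFDD_user.js` style false positives for silence on query-less probes of the script itself.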