Snort mailing list archives
WEB-CGI phf access - SID 886
From: Guise McAllaster <guise.mcallaster () gmail com>
Date: Tue, 29 Dec 2009 21:25:44 +0000
Here is another ancient rule that has some false positives:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; metadata:service http; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:12;)

If people still care about this vuln, could we change it to be more robust? I see it false positive on things like 'GET /foo/bar/PHFDD_user.js'. Maybe something like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; pcre:"/\/phf\/?\?/Ui"; metadata:service http; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:13;)

Similar simple file access rules could probably be modified in a similar manner (although I have not looked). If people don't care about the rule, maybe we could prune it out along with all exploit-specific rules that are over 10 years old.

Thanks.
Guise
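The following is an added illustration, not part of the original mail or of the Snort ruleset, of why the extra pcre in the proposed rev:13 cuts the false positive while keeping the real phf probe shape. It models Snort's matching only approximately: uricontent/nocase becomes a case-insensitive substring test, the pcre's 'i' flag becomes Python's re.IGNORECASE, and the 'U' flag (match against the normalized URI buffer) is stood in for by a naive request-target extraction with no %-decoding or path canonicalisation. The sample request lines are constructed here except the PHFDD_user.js one, which is the false positive quoted in the mail.

```python
import re

# Constructed sample request lines. Only the PHFDD_user.js line comes from
# the mail; the others are made up to exercise the two rule revisions.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/phf?Qalias=x HTTP/1.0",   # classic phf probe shape
    "GET /cgi-bin/PHF/?Qalias=x HTTP/1.0",  # trailing slash, mixed case
    "GET /foo/bar/PHFDD_user.js HTTP/1.1",  # the false positive from the mail
    "GET /static/phfoto.png HTTP/1.1",      # constructed: another "/phf" substring
    "GET /index.html HTTP/1.1",             # benign, no "/phf" at all
]


def extract_uri(request_line: str) -> str:
    """Crude stand-in for Snort's normalized-URI buffer (assumption): just the
    request-target token. No %-decoding or path canonicalisation is done."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def old_rule_matches(uri: str) -> bool:
    """rev:12 -> uricontent:"/phf"; nocase;  i.e. a case-insensitive substring test."""
    return "/phf" in uri.lower()


# rev:13 adds pcre:"/\/phf\/?\?/Ui". re.IGNORECASE plays the role of PCRE 'i';
# running it on extract_uri()'s output plays the role of 'U'.
PHF_PCRE = re.compile(r"/phf/?\?", re.IGNORECASE)


def new_rule_matches(uri: str) -> bool:
    """rev:13 -> the uricontent test still runs first; the pcre then demands the
    query-string delimiter directly after "/phf" or "/phf/"."""
    return old_rule_matches(uri) and PHF_PCRE.search(uri) is not None


def evaluate(request_lines):
    """Return (request_line, rev12_fires, rev13_fires) for each request line."""
    results = []
    for line in request_lines:
        uri = extract_uri(line)
        results.append((line, old_rule_matches(uri), new_rule_matches(uri)))
    return results


def false_positives_removed(request_lines):
    """Request lines that only the old rev:12 rule fires on."""
    return [line for line, old, new in evaluate(request_lines) if old and not new]


if __name__ == "__main__":
    for line, old, new in evaluate(SAMPLE_REQUESTS):
        print(f"{line:42} rev12={old!s:5} rev13={new!s:5}")
    print("false positives removed by rev:13:", false_positives_removed(SAMPLE_REQUESTS))
```

Both probe-shaped requests still fire under the tightened rule; the two requests that merely contain "/phf" as a prefix of a longer path component fire only under rev:12.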
Current thread:
- WEB-CGI phf access - SID 886 Guise McAllaster (Dec 29)
- Re: WEB-CGI phf access - SID 886 Matt Olney (Dec 29)
- Re: WEB-CGI phf access - SID 886 JJ Cummings (Dec 29)
- Re: WEB-CGI phf access - SID 886 Matt Olney (Dec 29)