Re: WEB-MISC backup access

[yew chuan Ong <yewchuan_23 () yahoo com>]

Thanks Joel. =)


________________________________
 From: Joel Esler <jesler () sourcefire com>
To: yew chuan Ong <yewchuan_23 () yahoo com> 
Cc: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net> 
Sent: Monday, August 20, 2012 9:38 PM
Subject: Re: [Snort-sigs] WEB-MISC backup access
 

On Aug 20, 2012, at 2:51 AM, yew chuan Ong <yewchuan_23 () yahoo com> wrote:

Appreciate if anyone would like to share the intention of this sig - WEB-MISC backup access. The keyword is pretty 
weak, and it is disable by default.
> # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC backup access"; flow:to_server,established; 
> content:"/backup"; nocase; http_uri; classtype:attempted-recon; sid:1213; rev:9;)

It looks for a simple access to the URI /backup on any of your webservers.  This is a generic sig, and, as you 
mentioned, is not on in the default policy.  (It's actually not in any policies).

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!