Snort mailing list archives
Re: Metasploit - CVE-2012-1823 - Snort Sleeping
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 26 Apr 2013 15:12:12 -0600
On 2013-04-26 15:03, Alex McDonnell wrote:
Alerts for me, please attach your configuration as Nathan asked.

Alex McDonnell
Doesn't fire for me...here's what I put for variables:

ipvar HOME_NET 192.168.0.0/24
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS 192.168.0.0/24
ipvar SMTP_SERVERS 192.168.0.0/24
ipvar HTTP_SERVERS 192.168.0.0/24
ipvar SQL_SERVERS 192.168.0.0/24
ipvar TELNET_SERVERS 192.168.0.0/24
ipvar SSH_SERVERS 192.168.0.0/24
ipvar FTP_SERVERS 192.168.0.0/24
ipvar SIP_SERVERS 192.168.0.0/24

All three of those are enabled:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; content:"auto_prepend_file"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22063; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI command injection attempt"; flow:to_server,established; content:".php?"; http_uri; content:"-s"; nocase; http_uri; content:!"="; http_raw_uri; pcre:"/\x2ephp\x3f\s*-s/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22064; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI command injection attempt"; flow:to_server,established; content:"-s"; http_uri; content:!"="; http_raw_uri; pcre:"/\x3F\s*?-s/Ui"; metadata:service http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22097; rev:5;)

ran with -k none as well.

James
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
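Added example (not part of the thread, and not Snort's own matching engine): a small Python model of the URI conditions in the three signatures James pasted (sids 22063, 22064, 22097), useful for triaging a "doesn't fire" report by checking a captured request URI against each rule's content, nocase, negated http_raw_uri and pcre constraints. It assumes a simplified http_uri normalization (percent-decoding only; real HTTP inspect does more), treats the `U` pcre modifier as "match against the normalized URI", and uses constructed sample URIs rather than any real capture.

```python
import re
from urllib.parse import unquote

# Constructed model of the three rules quoted in the thread.
# "uri": content matches on the normalized URI (case-sensitive, no nocase)
# "uri_nocase": content matches with the nocase modifier
# "raw_uri_not": negated content (content:!"...") on the raw URI
# "pcre": the rule's pcre, with /U -> normalized buffer, /i -> IGNORECASE
RULES = {
    22063: {"uri": ["auto_prepend_file"], "uri_nocase": [], "raw_uri_not": [],
            "pcre": None},
    22064: {"uri": [".php?"], "uri_nocase": ["-s"], "raw_uri_not": ["="],
            "pcre": re.compile(r"\x2ephp\x3f\s*-s", re.IGNORECASE)},
    22097: {"uri": ["-s"], "uri_nocase": [], "raw_uri_not": ["="],
            "pcre": re.compile(r"\x3F\s*?-s", re.IGNORECASE)},
}


def normalize_uri(raw_uri):
    """Approximation of Snort's http_uri buffer: percent-decode the raw URI.
    The http_raw_uri buffer is the URI exactly as sent (assumption: no other
    normalization is modelled here)."""
    return unquote(raw_uri)


def rule_matches(sid, raw_uri):
    """Return True if every URI-related condition of the rule is satisfied.
    Flow, port and service conditions are outside this model."""
    rule = RULES[sid]
    uri = normalize_uri(raw_uri)
    # Plain content: byte-for-byte, case-sensitive, on the normalized URI.
    if any(pat not in uri for pat in rule["uri"]):
        return False
    # content + nocase: case-insensitive on the normalized URI.
    if any(pat.lower() not in uri.lower() for pat in rule["uri_nocase"]):
        return False
    # Negated content on the raw URI: the rule fails if the byte sequence is present.
    if any(pat in raw_uri for pat in rule["raw_uri_not"]):
        return False
    # pcre with the U modifier runs against the normalized URI.
    if rule["pcre"] is not None and not rule["pcre"].search(uri):
        return False
    return True


def matching_sids(raw_uri):
    """Sorted list of sids whose URI conditions a raw request URI satisfies."""
    return sorted(sid for sid in RULES if rule_matches(sid, raw_uri))


if __name__ == "__main__":
    # Constructed request URIs for illustration; none is taken from a real capture.
    samples = [
        "/index.php?-s",                    # matches 22064 and 22097
        "/index.php%3F-s",                  # same after percent-decoding
        "/index.php?-s&a=1",                # '=' in raw URI blocks 22064/22097
        "/index.php?auto_prepend_file=x",   # only 22063 (no -s, '=' present)
        "/INDEX.PHP?-S",                    # case-sensitive contents do not match
    ]
    for s in samples:
        print(f"{s:36} -> {matching_sids(s)}")
```

When a rule stays quiet, run the URI seen in the pcap through `matching_sids` and compare against `snort -T` / `-k none` results: if the model matches but Snort does not, the problem is elsewhere in the rule (flow state, $HTTP_PORTS, service metadata, stream reassembly); if the model does not match either, the URI itself fails one of the content or pcre conditions, and the failing check is visible directly in `rule_matches`.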
Current thread:
- Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping lists () packetmail net (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping lists () packetmail net (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping Alex McDonnell (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
- [SPAM] Re: Metasploit - CVE-2012-1823 - Snort Sleeping rmkml (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 26)
- <Possible follow-ups>
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
- Message not available
- FW: Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 29)
- Message not available