Snort mailing list archives

Re: Metasploit - CVE-2012-1823 - Snort Sleeping

From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 26 Apr 2013 15:12:12 -0600

On 2013-04-26 15:03, Alex McDonnell wrote:

Alerts for me, please attach your configuration as Nathan asked.

Alex McDonnell


Doesn't fire for me...here's what I put for variables:

ipvar HOME_NET 192.168.0.0/24
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS 192.168.0.0/24
ipvar SMTP_SERVERS 192.168.0.0/24
ipvar HTTP_SERVERS 192.168.0.0/24
ipvar SQL_SERVERS 192.168.0.0/24
ipvar TELNET_SERVERS 192.168.0.0/24
ipvar SSH_SERVERS 192.168.0.0/24
ipvar FTP_SERVERS 192.168.0.0/24
ipvar SIP_SERVERS 192.168.0.0/24

All three of those are enabled:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; 
flow:to_server,established; content:"auto_prepend_file"; http_uri; 
metadata:policy balanced-ips drop, policy security-ips drop, service 
http; reference:cve,2012-1823; reference:cve,2012-2311; 
classtype:attempted-admin; sid:22063; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"SERVER-WEBAPP PHP-CGI command injection attempt"; 
flow:to_server,established; content:".php?"; http_uri; content:"-s"; 
nocase; http_uri; content:!"="; http_raw_uri; 
pcre:"/\x2ephp\x3f\s*-s/Ui"; metadata:policy balanced-ips drop, policy 
security-ips drop, service http; reference:cve,2012-1823; 
reference:cve,2012-2311; classtype:attempted-admin; sid:22064; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"SERVER-WEBAPP PHP-CGI command injection attempt"; 
flow:to_server,established; content:"-s"; http_uri; content:!"="; 
http_raw_uri; pcre:"/\x3F\s*?-s/Ui"; metadata:service http; 
reference:cve,2012-1823; reference:cve,2012-2311; 
classtype:attempted-admin; sid:22097; rev:5;)


ran with -k none as well.

James


------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping lists () packetmail net (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
  - Re: Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 26)
    - Re: Metasploit - CVE-2012-1823 - Snort Sleeping lists () packetmail net (Apr 26)
    - Re: Metasploit - CVE-2012-1823 - Snort Sleeping Alex McDonnell (Apr 26)
    - Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
    - [SPAM] Re: Metasploit - CVE-2012-1823 - Snort Sleeping rmkml (Apr 26)
- <Possible follow-ups>
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
  - Message not available
    - FW: Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 29)