Snort mailing list archives

CF Admin parser access sig


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 13 Dec 2013 11:02:27 -0700

Meh...slow Friday (the 13th) >:)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ColdFusion Admin parser access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"|2f|cfide|2f|administrator|5c|tools|5c|parser.cfm"; http_uri; nocase; reference:url,http://blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; classtype:web-application-attack; sid:10000114; rev:1;)

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
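
An added example, not part of the original post: a small Python check that applies the rule's two conditions (GET method, and the URI content string, both case-insensitive) to web access log lines, for reviewing logs that predate the rule. The Common Log Format layout, the single pass of percent-decoding and the sample lines are assumptions made for illustration; it does not reproduce Snort's own HTTP normalization.

```python
import re
from urllib.parse import unquote

# URI content from the rule: |2f|cfide|2f|administrator|5c|tools|5c|parser.cfm
RULE_URI = "/cfide/administrator\\tools\\parser.cfm"

# Request field of a Common Log Format line: "METHOD URI PROTOCOL" (assumed layout)
REQUEST_RE = re.compile(r'"(?P<method>[A-Za-z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def matches_rule(method, uri):
    """True for a GET whose URI contains the rule's content, ignoring case."""
    if method.upper() != "GET":
        return False
    decoded = unquote(uri)  # assumption: decode once so %5C and a raw \ compare equal
    return RULE_URI in decoded.lower()

def hunt(lines):
    """Return (line number, client address, logged URI) for each matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and matches_rule(m["method"], m["uri"]):
            hits.append((n, line.split()[0], m["uri"]))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    r'192.0.2.10 - - [13/Dec/2013:10:00:01 -0700] "GET /index.cfm HTTP/1.1" 200 5120',
    r'198.51.100.7 - - [13/Dec/2013:10:02:11 -0700] "GET /CFIDE/administrator\tools\parser.cfm HTTP/1.1" 200 312',
    r'198.51.100.7 - - [13/Dec/2013:10:02:15 -0700] "GET /cfide/administrator%5Ctools%5Cparser.cfm?x=1 HTTP/1.1" 200 312',
    r'203.0.113.5 - - [13/Dec/2013:10:05:40 -0700] "POST /CFIDE/administrator\tools\parser.cfm HTTP/1.1" 200 40',
    # Forward-slash form: not the string in the rule, so not reported by this literal check.
    r'203.0.113.5 - - [13/Dec/2013:10:06:02 -0700] "GET /CFIDE/administrator/tools/parser.cfm HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```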

