Snort mailing list archives
Re: CF Admin parser access sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 13 Dec 2013 11:14:56 -0700
On 2013-12-13 11:09, Nicholas Mavis wrote:
> I'd probably remove the GET and add fast_pattern:only to the content match on this one.
>
> On Fri, Dec 13, 2013 at 1:02 PM, James Lay <jlay () slave-tothe-box net> wrote:
>> Meh...slow Friday (the 13th) >:)
>>
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ColdFusion Admin parser access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"|2f|cfide|2f|administrator|5c|tools|5c|parser.cfm"; http_uri; nocase; reference:url,http://blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; classtype:web-application-attack; sid:10000114; rev:1;)
>>
>> James

Thanks Nick...that's a better way to go:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ColdFusion Admin parser access"; flow:established,to_server; content:"|2f|cfide|2f|administrator|5c|tools|5c|parser.cfm"; http_uri; fast_pattern:only; nocase; reference:url,http://blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; classtype:web-application-attack; sid:10000114; rev:2;)

El Fixied :)

James
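The effect of the change Nick suggested and James applied, as an added example that is not part of the thread: a toy Python matcher that decodes Snort `|hex|` content escapes, pulls the `content` / `http_method` / `http_uri` / `nocase` / `fast_pattern` options out of each revision, and evaluates both revisions against constructed request lines. The two rule strings are copies of rev:1 and rev:2 with the `reference:` option dropped for line length; the buffer model (`http_method` = the method, `http_uri` = the request URI, everything else = the raw request line) and the sample requests are my own simplifications, not Snort's engine.

```python
import re

# Copies of the two rule revisions from the thread, reference: option omitted for brevity.
RULE_REV1 = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ('
    'msg:"SERVER-WEBAPP ColdFusion Admin parser access"; flow:established,to_server; '
    'content:"GET"; http_method; nocase; '
    'content:"|2f|cfide|2f|administrator|5c|tools|5c|parser.cfm"; http_uri; nocase; '
    'classtype:web-application-attack; sid:10000114; rev:1;)'
)
RULE_REV2 = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ('
    'msg:"SERVER-WEBAPP ColdFusion Admin parser access"; flow:established,to_server; '
    'content:"|2f|cfide|2f|administrator|5c|tools|5c|parser.cfm"; http_uri; fast_pattern:only; nocase; '
    'classtype:web-application-attack; sid:10000114; rev:2;)'
)

# One rule option: keyword, optional ':' followed by a quoted or bare value, terminated by ';'.
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*)))?;')


def decode_content(text):
    """Decode Snort content syntax: text outside |...| is literal, inside |...| is hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(text.split('|')):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode('latin-1')
    return bytes(out)


def parse_rule(rule):
    """Return the rule's content matches in order, each with its buffer and modifier flags."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    matches = []
    for m in OPTION_RE.finditer(body):
        key, quoted = m.group(1), m.group(2)
        if key == 'content':
            matches.append({'pattern': decode_content(quoted), 'buffer': 'raw',
                            'nocase': False, 'fast_pattern': False})
        elif key in ('http_method', 'http_uri') and matches:
            matches[-1]['buffer'] = key          # modifier binds to the preceding content
        elif key == 'nocase' and matches:
            matches[-1]['nocase'] = True
        elif key == 'fast_pattern' and matches:
            matches[-1]['fast_pattern'] = True
    return matches


def fast_pattern_of(rule):
    """Content handed to the fast-pattern matcher: the flagged one, else the longest (Snort's default)."""
    contents = parse_rule(rule)
    flagged = [c for c in contents if c['fast_pattern']]
    chosen = flagged[0] if flagged else max(contents, key=lambda c: len(c['pattern']))
    return chosen['pattern']


def rule_matches(rule, method, uri):
    """Toy evaluation: every content must occur in its buffer; nocase lowers both sides."""
    buffers = {'http_method': method.encode(), 'http_uri': uri.encode(),
               'raw': f'{method} {uri}'.encode()}
    for c in parse_rule(rule):
        hay, needle = buffers[c['buffer']], c['pattern']
        if c['nocase']:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


# Constructed request lines (method, URI); the backslashes mirror the |5c| bytes in the rule.
SAMPLE_REQUESTS = [
    ('GET', '/CFIDE/administrator\\tools\\parser.cfm'),   # mixed case, GET
    ('POST', '/cfide/administrator\\tools\\parser.cfm'),  # same path, POST
    ('GET', '/cfide/administrator/index.cfm'),            # admin console, but not parser.cfm
]


def evaluate(rule, requests=SAMPLE_REQUESTS):
    """Return one True/False per sample request for the given rule revision."""
    return [rule_matches(rule, method, uri) for method, uri in requests]


if __name__ == '__main__':
    for name, rule in (('rev:1', RULE_REV1), ('rev:2', RULE_REV2)):
        print(name, evaluate(rule), 'fast pattern:', fast_pattern_of(rule))
```

Running it shows rev:1 firing only on the GET request (the `content:"GET"; http_method` check is a second condition that must also hold) while rev:2 fires on both GET and POST to the same path, which is the practical effect of dropping the method match. The fast-pattern helper also shows that the URI content was already the longest, and so the default fast-pattern choice, in rev:1; the `fast_pattern:only` in rev:2 makes that explicit and tells Snort not to re-evaluate that content after the fast-pattern matcher has already found it. One caveat the toy matcher hides: Snort's `http_uri` buffer is the URI as normalized by the HTTP preprocessor, so whether the `|5c|` backslashes in the pattern are still present at match time depends on the http_inspect server configuration in use, which is worth checking against a captured request before relying on the rule.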
Current thread:
- CF Admin parser access sig James Lay (Dec 13)
- Re: CF Admin parser access sig Nicholas Mavis (Dec 13)
- Re: CF Admin parser access sig James Lay (Dec 13)
- Re: CF Admin parser access sig Nicholas Mavis (Dec 13)