Re: [Snort-sigs] new rule for detect phpSysInfo vulnerabilities (HTTP_ACCEPT_LANGUAGE)

On  0, rmkml <rmkml@free.fr> allegedly wrote:
> Hi,
>
> please check and add this new rule :
>
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
> (msg:"WEB-PHP _SERVER HTTP_ACCEPT_LANGUAGE access"; content:"GET"; 
> nocase; depth:3; uricontent:"|2E|php"; nocase;
> uricontent:"|5F|SERVER|5B|HTTP|5F|ACCEPT|5F|LANGUAGE|5D|"; nocase; 
> classtype:web-application-attack; )
>
> this rule detect phpSysInfo HTTP_ACCEPT_LANGUAGE access.
>
> Improve/comments are welcome.

The Bugtraq and CVE references would be useful.

reference:bugtraq,15414;
reference:cve,2005-3347;

etc..

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

 I require a window seat and an inflight Happy Meal, and no pickles! 
 God help you if I find pickles!


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs