Network Security Snort-Signatures

[Snort-sigs] FP for 2001621 (PHP Injection Attack)

Subject: [Snort-sigs] FP for 2001621 (PHP Injection Attack)
Date: Mon, 21 Nov 2005 10:47:08 +0100
I have a lot of FP for this rule: 

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE 
Exploit Suspected PHP Injection Attack"; flow: to_server,established; 
content:"GET"; nocase; content:".php|3f|"; nocase; within: 64; 
pcre:"/(name=http|cmd=.*(cd|\;|perl|curl|wget|id|uname|t?ftp))/i"; reference: 
cve,2002-0953; classtype: trojan-activity; sid: 2001621; rev:10; )


Such a packet induces an alert. The pattern found is cmd=.*id because of 
the uid, or because of the \; between "Windows" and "Windows NT.5.1"

        0x0020:  5018 4230 9065 0000 4745 5420 2f63 6c61  P.B0.e..GET./cla
        0x0030:  726f 7465 7374 2f63 6c61 726f 6c69 6e65  rotest/claroline
        0x0040:  2f61 7574 682f 636f 7572 7365 732e 7068  /auth/courses.ph
        0x0050:  703f 636d 643d 7271 5265 6726 6672 6f6d  p?cmd=rqReg&from
        0x0060:  4164 6d69 6e3d 636c 6173 7326 7569 6454  Admin=class&uidT
        0x0070:  6f45 6469 743d 2d31 2663 6174 6567 6f72  oEdit=-1&categor
        0x0080:  793d 2048 5454 502f 312e 310d 0a48 6f73  y=.HTTP/1.1..Hos
        0x0090:  743a 2077 xxxxxxxxxxxxxxxxxxxxxxxxxxx  t:.xxxxxxxxxxxxxxxx
        0x00a0:  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxx
        0x00b0:  xxxx 720d 0a55 7365 722d 4167 656e 743a  xxx..User-Agent:
        0x00c0:  204d 6f7a 696c 6c61 2f35 2e30 2028 5769  .Mozilla/5.0.(Wi
        0x00d0:  6e64 6f77 733b 2055 3b20 5769 6e64 6f77  ndows;.U;.Window
        0x00e0:  7320 4e54 2035 2e31 3b20 6672 2d46 523b  s.NT.5.1;.fr-FR;
        0x00f0:  2072 763a 312e 372e 3132 2920 4765 636b  .rv:1.7.12).Geck
        0x0100:  6f2f 3230 3035 3039 3139 2046 6972 6566  o/20050919.Firef
        0x0110:  6f78 2f31 2e30 2e37 0d0a 4163 6365 7074  ox/1.0.7..Accept
        0x0120:  3a20 7465 7874 2f78 6d6c 2c61 7070 6c69  :.text/xml,appli
        0x0130:  6361 7469 6f6e 2f78 6d6c 2c61 7070 6c69  cation/xml,appli
        0x0140:  6361 7469 6f6e 2f78 6874 6d6c 2b78 6d6c  cation/xhtml+xml
        0x0150:  2c74 6578 742f 6874 6d6c 3b71 3d30 2e39  ,text/html;q=0.9
        0x0160:  2c74 6578 742f 706c 6169 6e3b 713d 302e  ,text/plain;q=0.
        0x0170:  382c 696d 6167 652f 706e 672c 2a2f 2a3b  8,image/png,*/*;
        0x0180:  713d 302e 350d 0a41 6363 6570 742d 4c61  q=0.5..Accept-La
        0x0190:  6e67 7561 6765 3a20 6672 2c66 722d 6672  nguage:.fr,fr-fr
        0x01a0:  3b71 3d30 2e38 2c65 6e2d 7573 3b71 3d30  ;q=0.8,en-us;q=0
        0x01b0:  2e35 2c65 6e3b 713d 302e 330d 0a41 6363  .5,en;q=0.3..Acc
        0x01c0:  6570 742d 456e 636f 6469 6e67 3a20 677a  ept-Encoding:.gz
        0x01d0:  6970 2c64 6566 6c61 7465 0d0a 4163 6365  ip,deflate..Acce
        0x01e0:  7074 2d43 6861 7273 6574 3a20 4953 4f2d  pt-Charset:.ISO-
        0x01f0:  3838 3539 2d31 2c75 7466 2d38 3b71 3d30  8859-1,utf-8;q=0
        0x0200:  2e37 2c2a 3b71 3d30 2e37 0d0a 4b65 6570  .7,*;q=0.7..Keep
        0x0210:  2d41 6c69 7665 3a20 3330 300d 0a43 6f6e  -Alive:.300..Con
        0x0220:  6e65 6374 696f 6e3a 206b 6565 702d 616c  nection:.keep-al
        0x0230:  6976 650d 0a52 6566 6572 6572 3a20 6874  ive..Referer:.ht
        0x0240:  7470 3a2f 2f77 7777 2e6c 7963 xxxxxxxxxx tp://xxxxxxxxx
        0x0250:  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  xxxxxxxxxxx
        0x0260:  xxxxxxx 722f 636c 6172 6f74 6573 742f  xxxx/clarotest/
        0x0270:  636c 6172 6f6c 696e 652f 6164 6d69 6e2f  claroline/admin/
        0x0280:  6164 6d69 6e5f 636c 6173 735f 7573 6572  admin_class_user
        0x0290:  2e70 6870 3f63 6c61 7373 3d31 0d0a 436f  .php?class=1..Co
        0x02a0:  6f6b 6965 3a20 6a61 7661 7363 7269 7074  okie:.javascript
        0x02b0:  456e 6162 6c65 643d 7472 7565 3b20 6632  Enabled=true;.f2
        0x02c0:  3638 3435 3134 3732 3039 3531 3334 6263  68451472095134bc
        0x02d0:  3939 3831 3566 6630 6337 6532 6163 3d38  99815ff0c7e2ac=8
        0x02e0:  3933 6561 6538 6135 6437 3239 3937 3963  93eae8a5d729979c
        0x02f0:  6430 3134 3466 6364 6536 6637 3838 350d  d0144fcde6f7885.


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

  • [Snort-sigs] FP for 2001621 (PHP Injection Attack), Chich Thierry <=