Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] false positive for WEB-ATTACKS rm command attempt

from [Joel Esler] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] false positive for WEB-ATTACKS rm command attempt
Date: Fri, 26 May 2006 08:33:17 -0400 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

DH,

Thanks for your submission, however, we no longer run that rule in
web-attacks.rules  that rule has been moved to deleted.rules.  I suggest
a rule update.

Joel

DH wrote:



 GEN:SID 1:1365  

 Message WEB-ATTACKS rm command attempt  

 Summary Attempted rm command access via web 

 Impact Attempt to delete files on a webserver.-- 

False Positives:
here are some examples of a false positive
 

 120 : 72 3D 73 6C 76 31 2D 63 63 6C 65 26 70 3D 75 6E   r=slv1-ccle&p=un
130 : 69 66 6F 72 6D 25 32 30 61 63 72 6F 73 73 25 32   iform%20across%2 

 030 : 74 69 6F 6E 3D 4C 4F 4E 47 25 32 30 54 45 52 4D   tion=LONG%20TERM
040 : 25 32 30 44 52 55 47 25 32 30 54 48 45 52 41 50   %20DRUG%20THERAP 

 030 : 74 69 6F 6E 3D 53 48 4F 52 54 25 32 30 41 52 4D   tion=SHORT%20ARM
040 : 25 32 30 53 50 4C 49 4E 54 20 48 54 54 50 2F 31   %20SPLINT HTTP/1 



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEdvWNKbCSyXHckt4RAjbzAJ9iHiLwKf92pyIi8gHF5o9hj7+npwCfVg0O
bkyouphyJgVFjGUAUP/3t8E=
=Y7Di
-----END PGP SIGNATURE-----


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] false positive for WEB-ATTACKS rm command attempt, DH
Next by Date:  Fwd: Fwd: [Snort-sigs] Rule for MSWord GinWin., Ureleet Ureleet
Previous by Thread:  [Snort-sigs] false positive for WEB-ATTACKS rm command attempt, DH
Next by Thread:  [Snort-sigs] Re: Snort-sigs digest, Vol 1 #1687 - 4 msgs, Ureleet Ureleet
Indexes:  [Date] [Thread] [Top] [All Lists]