[Snort-users] web-php sid update (14)

Hi,
I have updated 14 community rule, maybe commit please ?
(< = old, > = new)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP news.php file include"; flow:to_server,established; 
uricontent:"/news.php"; nocase; content:"template"; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:2;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP news.php file include"; flow:to_server,established; 
uricontent:"/news.php"; nocase; uricontent:"template="; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP Invision Board ipchat.php file include"; 
flow:to_server,established; uricontent:"/ipchat.php"; nocase; 
content:"root_path"; nocase; content:"conf_global.php"; nocase; reference:bugtraq,6976; 
classtype:web-application-attack; sid:2359; rev:2;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP Invision Board ipchat.php file include"; 
flow:to_server,established; uricontent:"/ipchat.php"; nocase; 
uricontent:"root_path="; nocase; uricontent:"conf_global.php"; nocase; reference:bugtraq,6976; 
classtype:web-application-attack; sid:2359; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP myphpPagetool pt_config.inc file include"; 
flow:to_server,established; uricontent:"/doc/admin"; nocase; 
content:"ptinclude"; nocase; content:"pt_config.inc"; nocase; reference:bugtraq,6744; 
classtype:web-application-attack; sid:2360; rev:2;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP myphpPagetool pt_config.inc file include"; 
flow:to_server,established; uricontent:"/doc/admin"; nocase; 
uricontent:"ptinclude="; nocase; uricontent:"pt_config.inc"; nocase; reference:bugtraq,6744; 
classtype:web-application-attack; sid:2360; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP Typo3 translations.php file include"; 
flow:to_server,established; uricontent:"/translations.php"; nocase; 
content:"ONLY"; nocase; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; 
rev:2;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP Typo3 translations.php file include"; 
flow:to_server,established; uricontent:"/translations.php"; nocase; 
uricontent:"ONLY="; nocase; reference:bugtraq,6984; classtype:web-application-attack; 
sid:2358; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP WebChat english.php file include"; 
flow:to_server,established; uricontent:"/defines.php"; nocase; 
content:"WEBCHATPATH"; nocase; content:"english.php"; nocase; reference:bugtraq,7000; 
classtype:web-application-attack; sid:2357; rev:2;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP WebChat english.php file include"; 
flow:to_server,established; uricontent:"/defines.php"; nocase; 
uricontent:"WEBCHATPATH="; nocase; uricontent:"english.php"; nocase; reference:bugtraq,7000; 
classtype:web-application-attack; sid:2357; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP WebChat db_mysql.php file include"; 
flow:to_server,established; uricontent:"/defines.php"; nocase; 
content:"WEBCHATPATH"; nocase; content:"db_mysql.php"; nocase; reference:bugtraq,7000; 
classtype:web-application-attack; sid:2356; rev:2;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP WebChat db_mysql.php file include"; 
flow:to_server,established; uricontent:"/defines.php"; nocase; 
uricontent:"WEBCHATPATH="; nocase; uricontent:"db_mysql.php"; nocase; reference:bugtraq,7000; 
classtype:web-application-attack; sid:2356; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP Invision Board emailer.php file include"; 
flow:to_server,established; uricontent:"/ad_member.php"; nocase; 
content:"emailer.php"; nocase; reference:bugtraq,7204; classtype:web-application-activity; 
sid:2355; rev:2;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP Invision Board emailer.php file include"; 
flow:to_server,established; uricontent:"/ad_member.php"; nocase; 
uricontent:"emailer.php"; nocase; reference:bugtraq,7204; 
classtype:web-application-activity; sid:2355; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP IdeaBox notification.php file include"; 
flow:to_server,established; uricontent:"/index.php"; nocase; 
content:"gorumDir"; nocase; content:"notification.php"; nocase; reference:bugtraq,7488; 
classtype:web-application-activity; sid:2354; rev:2;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP IdeaBox notification.php file include"; 
flow:to_server,established; uricontent:"/index.php"; nocase; 
uricontent:"gorumDir="; nocase; uricontent:"notification.php"; nocase; reference:bugtraq,7488; 
classtype:web-application-activity; sid:2354; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established; 
uricontent:"/index.php"; nocase; content:"ideaDir"; nocase; con
tent:"cord.php"; nocase; reference:bugtraq,7488; 
classtype:web-application-activity; sid:2353; rev:2;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established; 
uricontent:"/index.php"; nocase; uricontent:"ideaDir="; nocase;
 uricontent:"cord.php"; nocase; reference:bugtraq,7488; 
classtype:web-application-activity; sid:2353; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP DCP-Portal remote file include attempt"; 
flow:to_server,established; uricontent:"/library/editor/editor.php"; 
nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; 
sid:2341; rev:1;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP DCP-Portal remote file include attempt"; 
flow:to_server,established; uricontent:"/library/editor/editor.php"; 
nocase; uricontent:"root="; reference:bugtraq,6525; classtype:web-application-attack; 
sid:2341; rev:2;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP DCP-Portal remote file include attempt"; 
flow:to_server,established; uricontent:"/library/lib.php"; nocase; 
content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; 
rev:1;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP DCP-Portal remote file include attempt"; 
flow:to_server,established; uricontent:"/library/lib.php"; nocase; 
uricontent:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; 
rev:2;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP MatrikzGB privilege escalation attempt"; 
flow:to_server,established; content:"new_rights=admin"; nocase; 
reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:2;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP MatrikzGB privilege escalation attempt"; 
flow:to_server,established; uricontent:"new_rights=admin"; nocase; 
reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP PayPal Storefront remote file include attempt"; 
flow:to_server,established; content:"do=ext"; content:"page="; 
pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; 
classtype:web-application-attack; sid:2307; rev:6;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP PayPal Storefront remote file include attempt"; 
flow:to_server,established; uricontent:"do=ext"; uricontent:"page="; 
pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; 
classtype:web-application-attack; sid:2307; rev:7;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP gallery remote file include attempt"; 
flow:to_server,established; uricontent:"/setup/"; 
content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814; 
reference:nessus,11876; classtype:web-application-attack; sid:2306; 
rev:4;)
> web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP gallery remote file include attempt"; 
flow:to_server,established; uricontent:"/setup/"; 
uricontent:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814; 
reference:nessus,11876; classtype:web-application-attack; sid:2306; 
rev:5;)

Improve/comments are welcome.

This update is offered by Crusoe Researches (Team)
http://www.crusoe-researches.com

Regards
Rmkml


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users