
[Snort-users] web-php sid update (14)


rmkml

Apr 20, 2006, 3:08:46 PM4/20/06
Hi,
I have updated 14 community rules; could they be committed, please?
(< = old, > = new)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP news.php file include"; flow:to_server,established;
uricontent:"/news.php"; nocase; content:"template"; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:2;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP news.php file include"; flow:to_server,established;
uricontent:"/news.php"; nocase; uricontent:"template="; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:3;)
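Review bot: Moving the parameter match from `content:"template";` to `uricontent:"template=";` limits it to the request URI as normalized by the HTTP preprocessor, so a request that carries the same parameter in a POST body or a cookie no longer alerts. Whether the affected applications accept the variable from those sources is not visible in this post, so the rev:3 rule should be checked against a POST test case before rev:2 is retired. If body coverage matters, keep a companion rule with `content:"template="; nocase;` next to the URI-only one. The same trade-off applies to every other converted rule in this post (sids 2359, 2360, 2358, 2357, 2356, 2355, 2354, 2353, 2341, 2342, 2331, 2307, 2306).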

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP Invision Board ipchat.php file include";
flow:to_server,established; uricontent:"/ipchat.php"; nocase;
content:"root_path"; nocase; content:"conf_global.php"; nocase; reference:bugtraq,6976;
classtype:web-application-attack; sid:2359; rev:2;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP Invision Board ipchat.php file include";
flow:to_server,established; uricontent:"/ipchat.php"; nocase;
uricontent:"root_path="; nocase; uricontent:"conf_global.php"; nocase; reference:bugtraq,6976;
classtype:web-application-attack; sid:2359; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP myphpPagetool pt_config.inc file include";
flow:to_server,established; uricontent:"/doc/admin"; nocase;
content:"ptinclude"; nocase; content:"pt_config.inc"; nocase; reference:bugtraq,6744;
classtype:web-application-attack; sid:2360; rev:2;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP myphpPagetool pt_config.inc file include";
flow:to_server,established; uricontent:"/doc/admin"; nocase;
uricontent:"ptinclude="; nocase; uricontent:"pt_config.inc"; nocase; reference:bugtraq,6744;
classtype:web-application-attack; sid:2360; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP Typo3 translations.php file include";
flow:to_server,established; uricontent:"/translations.php"; nocase;
content:"ONLY"; nocase; reference:bugtraq,6984; classtype:web-application-attack; sid:2358;
rev:2;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP Typo3 translations.php file include";
flow:to_server,established; uricontent:"/translations.php"; nocase;
uricontent:"ONLY="; nocase; reference:bugtraq,6984; classtype:web-application-attack;
sid:2358; rev:3;)
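Review bot: `uricontent:"ONLY="; nocase;` is a case-insensitive substring match, so it also fires on unrelated parameters whose names merely end in those letters, such as `readonly=`, in any request for /translations.php. The added `=` helps, but the parameter name is still not anchored at its start. Anchoring on the delimiter keeps the intent and removes that noise, for example by adding `pcre:"/[?&]ONLY=/Ui";` after the uricontent option.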

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP WebChat english.php file include";
flow:to_server,established; uricontent:"/defines.php"; nocase;
content:"WEBCHATPATH"; nocase; content:"english.php"; nocase; reference:bugtraq,7000;
classtype:web-application-attack; sid:2357; rev:2;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP WebChat english.php file include";
flow:to_server,established; uricontent:"/defines.php"; nocase;
uricontent:"WEBCHATPATH="; nocase; uricontent:"english.php"; nocase; reference:bugtraq,7000;
classtype:web-application-attack; sid:2357; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP WebChat db_mysql.php file include";
flow:to_server,established; uricontent:"/defines.php"; nocase;
content:"WEBCHATPATH"; nocase; content:"db_mysql.php"; nocase; reference:bugtraq,7000;
classtype:web-application-attack; sid:2356; rev:2;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP WebChat db_mysql.php file include";
flow:to_server,established; uricontent:"/defines.php"; nocase;
uricontent:"WEBCHATPATH="; nocase; uricontent:"db_mysql.php"; nocase; reference:bugtraq,7000;
classtype:web-application-attack; sid:2356; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP Invision Board emailer.php file include";
flow:to_server,established; uricontent:"/ad_member.php"; nocase;
content:"emailer.php"; nocase; reference:bugtraq,7204; classtype:web-application-activity;
sid:2355; rev:2;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP Invision Board emailer.php file include";
flow:to_server,established; uricontent:"/ad_member.php"; nocase;
uricontent:"emailer.php"; nocase; reference:bugtraq,7204;
classtype:web-application-activity; sid:2355; rev:3;)
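Review bot: This file-include rule keeps `classtype:web-application-activity;`, while the other file-include rules in the same post (sids 2361, 2359, 2360, 2358, 2357, 2356) use `classtype:web-application-attack;`. With the default classification priorities the activity class ranks lower, so alerts for the same technique are triaged differently depending on the product. Since the rev is being bumped anyway, consider `classtype:web-application-attack;` here and on sids 2354 and 2353.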

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP IdeaBox notification.php file include";
flow:to_server,established; uricontent:"/index.php"; nocase;
content:"gorumDir"; nocase; content:"notification.php"; nocase; reference:bugtraq,7488;
classtype:web-application-activity; sid:2354; rev:2;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP IdeaBox notification.php file include";
flow:to_server,established; uricontent:"/index.php"; nocase;
uricontent:"gorumDir="; nocase; uricontent:"notification.php"; nocase; reference:bugtraq,7488;
classtype:web-application-activity; sid:2354; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established;
uricontent:"/index.php"; nocase; content:"ideaDir"; nocase;
content:"cord.php"; nocase; reference:bugtraq,7488;
classtype:web-application-activity; sid:2353; rev:2;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established;
uricontent:"/index.php"; nocase; uricontent:"ideaDir="; nocase;
uricontent:"cord.php"; nocase; reference:bugtraq,7488;
classtype:web-application-activity; sid:2353; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP DCP-Portal remote file include attempt";
flow:to_server,established; uricontent:"/library/editor/editor.php";
nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack;
sid:2341; rev:1;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP DCP-Portal remote file include attempt";
flow:to_server,established; uricontent:"/library/editor/editor.php";
nocase; uricontent:"root="; reference:bugtraq,6525; classtype:web-application-attack;
sid:2341; rev:2;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP DCP-Portal remote file include attempt";
flow:to_server,established; uricontent:"/library/lib.php"; nocase;
content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342;
rev:1;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP DCP-Portal remote file include attempt";
flow:to_server,established; uricontent:"/library/lib.php"; nocase;
uricontent:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342;
rev:2;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP MatrikzGB privilege escalation attempt";
flow:to_server,established; content:"new_rights=admin"; nocase;
reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:2;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP MatrikzGB privilege escalation attempt";
flow:to_server,established; uricontent:"new_rights=admin"; nocase;
reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:3;)

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP PayPal Storefront remote file include attempt";
flow:to_server,established; content:"do=ext"; content:"page=";
pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873;
classtype:web-application-attack; sid:2307; rev:6;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP PayPal Storefront remote file include attempt";
flow:to_server,established; uricontent:"do=ext"; uricontent:"page=";
pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873;
classtype:web-application-attack; sid:2307; rev:7;)
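Review bot: The `pcre:"/page=(http|https|ftp)/i";` option has no `U` modifier, so it is evaluated against the raw packet payload while the two new `uricontent` options are evaluated against the normalized URI. A request whose encoding differs from its normalized form can therefore satisfy the uricontent checks and still fail the pcre, and the rule stays silent. Use `pcre:"/page=(https?|ftp)/Ui";` so all three options inspect the same buffer. Sid 2306 has the same mismatch with `GALLERY_BASEDIR=`.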

<web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP gallery remote file include attempt";
flow:to_server,established; uricontent:"/setup/";
content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814;
reference:nessus,11876; classtype:web-application-attack; sid:2306;
rev:4;)
>web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-PHP gallery remote file include attempt";
flow:to_server,established; uricontent:"/setup/";
uricontent:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814;
reference:nessus,11876; classtype:web-application-attack; sid:2306;
rev:5;)

Improvements and comments are welcome.

This update is offered by Crusoe Researches (Team)
http://www.crusoe-researches.com

Regards
Rmkml


