snort-rules-default 2.9.7.0-5build1 / etc / snort / rules / web-attacks.rules

This file is indexed.

/etc/snort/rules/web-attacks.rules is in snort-rules-default 2.9.7.0-5build1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: web-attacks.rules,v 1.18.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
# ----------------
# WEB ATTACKS
# ----------------
# These signatures are generic signatures that will catch common commands
# used to exploit form variable vulnerabilities.  These signatures should
# not false very often.
#
# Please email example PCAP log dumps to snort-sigs@lists.sourceforge.net
# if you find one of these signatures to be too false possitive.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"ps%20"; nocase; classtype:web-application-attack; sid:1329; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS wget command attempt"; flow:to_server,established; content:"wget%20"; nocase; classtype:web-application-attack; reference:bugtraq,10361; sid:1330; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS uname -a command attempt"; flow:to_server,established; content:"uname%20-a"; nocase; classtype:web-application-attack; sid:1331; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flow:to_server,established; content:"|3B|id"; nocase; classtype:web-application-attack; sid:1333; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; classtype:web-application-attack; sid:1334; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS kill command attempt"; flow:to_server,established; content:"/bin/kill"; nocase; classtype:web-application-attack; sid:1335; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; classtype:web-application-attack; sid:1336; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chgrp command attempt"; flow:to_server,established; content:"/chgrp"; nocase; classtype:web-application-attack; sid:1337; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown command attempt"; flow:to_server,established; content:"/chown"; nocase; classtype:web-application-attack; sid:1338; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; classtype:web-application-attack; sid:1339; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:1340; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; nocase; classtype:web-application-attack; sid:1341; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; classtype:web-application-attack; sid:1342; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cc command attempt"; flow:to_server,established; content:"/usr/bin/cc"; nocase; classtype:web-application-attack; sid:1343; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cc command attempt"; flow:to_server,established; content:"cc%20"; nocase; classtype:web-application-attack; sid:1344; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cpp command attempt"; flow:to_server,established; content:"/usr/bin/cpp"; nocase; classtype:web-application-attack; sid:1345; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cpp command attempt"; flow:to_server,established; content:"cpp%20"; nocase; classtype:web-application-attack; sid:1346; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/g++ command attempt"; flow:to_server,established; content:"/usr/bin/g++"; nocase; classtype:web-application-attack; sid:1347; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS g++ command attempt"; flow:to_server,established; content:"g++%20"; nocase; classtype:web-application-attack; sid:1348; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/python access attempt"; flow:to_server,established; content:"bin/python"; nocase; classtype:web-application-attack; sid:1349; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS python access attempt"; flow:to_server,established; content:"python%20"; nocase; classtype:web-application-attack; sid:1350; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/tclsh execution attempt"; flow:to_server,established; content:"bin/tclsh"; nocase; classtype:web-application-attack; sid:1351; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tclsh execution attempt"; flow:to_server,established; content:"tclsh8%20"; nocase; classtype:web-application-attack; sid:1352; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/nasm command attempt"; flow:to_server,established; content:"bin/nasm"; nocase; classtype:web-application-attack; sid:1353; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nasm command attempt"; flow:to_server,established; content:"nasm%20"; nocase; classtype:web-application-attack; sid:1354; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; nocase; classtype:web-application-attack; sid:1355; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nt admin addition attempt"; flow:to_server,established; content:"net localgroup administrators /add"; nocase; classtype:web-application-attack; sid:1357; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS traceroute command attempt"; flow:to_server,established; content:"traceroute%20"; nocase; classtype:web-application-attack; sid:1358; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ping command attempt"; flow:to_server,established; content:"/bin/ping"; nocase; classtype:web-application-attack; sid:1359; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established; content:"nc%20"; nocase; classtype:web-application-attack; sid:1360; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS xterm command attempt"; flow:to_server,established; content:"/usr/X11R6/bin/xterm"; nocase; classtype:web-application-attack; sid:1362; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS X application to remote host attempt"; flow:to_server,established; content:"%20-display%20"; nocase; classtype:web-application-attack; sid:1363; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS lsof command attempt"; flow:to_server,established; content:"lsof%20"; nocase; classtype:web-application-attack; sid:1364; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established; content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; classtype:web-application-attack; sid:1366; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; classtype:web-application-attack; sid:1367; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls| command attempt"; flow:to_server,established; uricontent:"/bin/ls|7C|"; nocase; classtype:web-application-attack; sid:1368; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls command attempt"; flow:to_server,established; uricontent:"/bin/ls"; nocase; classtype:web-application-attack; sid:1369; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; classtype:web-application-activity; sid:1371; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS conf/httpd.conf attempt"; flow:to_server,established; content:"conf/httpd.conf"; nocase; classtype:web-application-activity; sid:1373; rev:6;)

APT Browse - Built by Thomas Orozco.