web-misc.rules
# NOTES: this signature looks for a request whose URI contains "/servlet/con"
# on an established client-to-server session to the configured HTTP servers
# and ports (see reference nessus,11047).
# The match is a case-sensitive substring (no nocase modifier), so longer
# paths that merely begin with it, e.g. "/servlet/config", will also alert.
# NOTE(review): presumably "con" is the DOS device name; confirm against the
# reference before tuning or suppressing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jigsaw dos attempt"; flow:established,to_server; uricontent:"/servlet/con"; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:3;)
# NOTES: this signature looks for a request to "/error/500error.jsp" whose URI
# also contains "et=" and "<script". The three uricontent matches carry no
# order or distance constraint, so they may appear anywhere in the URI.
# The path and "<script" are matched case-insensitively; "et=" is matched
# case-sensitively. Coverage is limited to the literal "<script" form of
# injection; other markup reaching the same parameter will not alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Macromedia SiteSpring cross site scripting attempt"; flow:established,to_server; uricontent:"/error/500error.jsp"; nocase; uricontent:"et="; uricontent:"<script"; nocase; reference:bugtraq,5249; classtype:web-application-attack; sid:1835; rev:3;)
# NOTES: this signature looks for a request under "/mailman/" whose URI also
# contains "?", "info=" and "<script". The four uricontent matches are
# independent of each other (no order or distance constraint).
# "/mailman/" and "<script" are matched case-insensitively; "?" and "info="
# are matched case-sensitively. Only the literal "<script" form of injection
# is covered.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mailman cross site scripting attempt"; flow:established,to_server; uricontent:"/mailman/"; nocase; uricontent:"?"; uricontent:"info="; uricontent:"<script"; nocase; reference:bugtraq,5298; classtype:web-application-attack; sid:1839; rev:2;)
# NOTES: this signature looks for access to common webalizer output directories.
# Webalizer is an HTTP server log reporting program. By allowing anyone on the
# internet to view the web access logs, attackers can gain information about
# your customers that probably should not be made public. Webalizer had cross
# site scripting bugs prior to version 2.01-09.
#
# The rule is classed as web-application-activity: it reports any request whose
# URI contains "/webalizer/" (case-insensitive), not an exploit attempt. If the
# reports are published on purpose, expect routine alerts from normal viewers.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webalizer access"; flow:established,to_server; uricontent:"/webalizer/"; nocase; reference:nessus,10816; reference:cve,CAN-1999-0643; classtype:web-application-activity; sid:1847; rev:3;)
# NOTES: this signature looks for someone accessing the directory webcart-lite.
# webcart-lite allows users to access world readable plain text customer
# information databases. To correct this issue, users should make the
# data directories and databases not world readable, move the files outside of
# WEBROOT if possible, and verify that a compromise of customer information has
# not occurred.
#
# The rule matches any URI containing "/webcart-lite/" (case-insensitive); it
# does not distinguish a request for a database file from normal use of the
# application, so an alert needs the requested path checked in the web logs.
# SIMILAR RULES: sid:1125
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart-lite access"; flow:to_server,established; uricontent:"/webcart-lite/"; nocase; reference:cve,CAN-1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:2;)
# NOTES: this signature looks for someone accessing the web application
# "webfind.exe". This application has a buffer overflow in the keywords
# argument. An attacker can use this vulnerability to execute arbitrary
# code on the web server.
#
# The rule only matches the program name in the URI (case-insensitive). It does
# not inspect the keywords argument or its length, so it reports access to the
# application rather than the overflow itself.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webfind.exe access"; flow:to_server,established; uricontent:"/webfind.exe"; nocase; reference:cve,CAN-2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:2;)
# NOTES: this signature looks for someone accessing the web application
# "way-board.cgi". This application allows attackers to view arbitrary
# files that are readable with the privileges of the web server.
#
# The rule only matches the script name in the URI (case-insensitive); it does
# not look at the parameters, so it cannot tell a file-disclosure request from
# ordinary use of the script.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC way-board.cgi access"; flow:to_server,established; uricontent:"/way-board.cgi"; nocase; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:2;)
# NOTES: this signature looks for someone accessing the file "active.log" via
# a web server. By allowing anyone on the internet to view the web access
# logs, attackers can gain information about your customers that probably
# should not be made public.
#
# This logfile is made available from the WebActive webserver. This webserver
# is no longer maintained and should be replaced with an actively maintained
# webserver. If converting to another webserver is not possible, remove read
# access to this file.
#
# The match is a case-insensitive substring of the URI, so the rule fires for
# "/active.log" in any directory and on any server in $HTTP_SERVERS.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC active.log access"; flow:to_server,established; uricontent:"/active.log"; nocase; reference:nessus,10470; reference:cve,CAN-2000-0642; classtype:web-application-activity; sid:1851; rev:2;)
# NOTES: this signature looks for someone accessing the file "robots.txt" via
# a web server. This file is used to make web spider agents (including search
# engines) more efficient. robots.txt is often used to inform a web spider
# which directories the spider should ignore because the content may be
# dynamic or restricted. An attacker can use this information to gain insight
# into directories that may have been deemed sensitive.
#
# Verify that the robots.txt does not include any sensitive information.
#
# Legitimate crawlers request this file routinely, so expect a high alert
# volume; a hit is mainly useful as context for other activity from the same
# source.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
# Same check for the singular file name "robot.txt", filed under the same
# nessus reference. "/robot.txt" is not a substring of "/robots.txt", so one
# request does not trigger both rules.
# NOTE(review): presumably this covers a commonly requested misspelling; confirm.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robot.txt access"; flow:to_server,established; uricontent:"/robot.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:3;)
# NOTES: this signature looks for a request to TCP port 8181 on any $HOME_NET
# host whose URI contains "/pixfir~1/how_to_login.html" (case-sensitive).
# The rule matches this one path only; it does not look for traversal
# sequences, so related requests using another path will not alert.
# uricontent relies on the HTTP preprocessor decoding the session: confirm that
# port 8181 is in its port list, otherwise this rule cannot match.
# NOTE(review): "pixfir~1" looks like an 8.3 short directory name; confirm
# against reference bugtraq,691.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; uricontent:"/pixfir~1/how_to_login.html"; reference:bugtraq,691; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:2;)
# NOTES: this signature looks for a request to TCP port 9090 on any $HOME_NET
# host whose URI contains "/servlet/admin" and whose payload contains a fixed
# 32-character hexadecimal string. Both matches are case-sensitive.
# NOTE(review): presumably the hex string is the credential token sent for the
# default admin account; confirm against reference nessus,10995.
# The rule reports the login attempt, not whether it succeeded. Follow an alert
# by checking that the default password has been changed on the target.
# uricontent relies on the HTTP preprocessor decoding the session: confirm that
# port 9090 is in its port list, otherwise this rule cannot match.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"WEB-MISC Sun JavaServer default password login attempt"; flow:to_server,established; uricontent:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; reference:nessus,10995; classtype:default-login-attempt; sid:1859; rev:2;)
# NOTES: this signature looks for an HTTP Basic Authorization header sent to
# TCP port 8080 on any $HOME_NET host. "OmFkbWlu" is the base64 encoding of
# ":admin", i.e. an empty user name with the password "admin", as the msg
# states.
# The content match is case-sensitive and expects exactly one space after
# "Basic", so a differently cased header name will not alert. Adding nocase to
# the whole string is not a fix, because base64 is case-sensitive.
# The value is matched as a prefix: an empty user name with any longer password
# that starts with "admin" encodes to the same first eight characters and will
# also alert.
# The rule reports the attempt, not whether the login succeeded.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default password login attempt \(\:admin\)"; flow:to_server,established; content:"Authorization\: Basic OmFkbWlu"; reference:nessus,10999; classtype:default-login-attempt; sid:1860; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPERIMENTAL WEB-MISC Linksys router default password login a