2134.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:


--
Summary:
This event is generated when an attempt is made to access the file register.asp directly.

--
Impact:
Possible administrator access and arbitrary command execution.

--
Detailed Information:
Snitz Forums is an Active Server Page (asp) application running on Microsoft Internet Information Server. A vulnerability exists in Snitz Forums that can allow an attacker to inject SQL code of his choice into the application. The file register.asp contains a flaw that can allow an attacker to gain administrator access to the site. 

The attacker may be trying to gain administrator access to the host, garner information on users of the system, retrieve sensitive information or be attempting to execute arbitrary code.

--
Affected Systems:
Any host using IIS with Snitz Forums.

--
Attack Scenarios:
An attacker may inject SQL code of his choice. The attacker might then gain administrator access to the host or database.

--
Ease of Attack:
Simple.

--
False Positives:
If a site not running Snitz Forums uses a file named register.asp this rule will generate an event.

--
False Negatives:
None Known.

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.

Ensure that the IIS implementation is fully patched.

Ensure that the underlying operating system is fully patched.

Employ strategies to harden the IIS implementation and operating system.

Check the host for signs of compromise.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:


--