1356.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
1350

--
Summary:
Attempted perl access via web

--
Impact:
Attempt to execute a perl script on a host.

--
Detailed Information:
This is an attempt to execute a perl script on a host. Perl is a scripting language that is available on a wide variety of platforms. By default perl code runs with full access to all libraries and inbuilt commands available to the language. When combined with the access permissions of the user executing the script, the consequences of running arbitrary code can be devastating

--
Attack Scenarios:
The attacker can make a standard HTTP transaction that includes a reference to perl in the URI.

--
Ease of Attack:
Simple HTTP.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:

Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. perl may also be requested on a command line should the attacker gain access to the machine. Whenever possible, all perl scripts on the host should be written using the restriceted access mode. This forces perl to execute the scripts in a "sandbox" which will disallow unsafe operations in the code.
--
Contributors:
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:
sid: 1349

--