494.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule: 

--
Sid: 494

-- 
Summary:
This event is generated by a successful attempt to execute a command. This may be indicative of post-compromise behavior indicating the use of a Windows command shell.

-- 

Impact:
Serious. An attacker may have the ability to execute commands remotely

--
Detailed Information:
This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "The command completed successfully". For example, it is generated in Windows 2000/XP after the "net" command (such as "net use") is used. The net commands are used for a wide variety of system tasks of interest to attackers and can be started from the windows shell (cmd.exe, command.com). 

Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has sucessfully executed a command. Note that the source address of this event is actually the victim and not that of the attacker.

--

Attack Scenarios:
An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to map the DMZ network via "net use" commands.

-- 

Ease of Attack:
Simple. This post-attack behavior can accompany different attacks.

-- 

False Positives:
This rule will generate an event if the string "Command completed" appears in the content distributed by the web server, in which case the rule should be tuned.

--
False Negatives:
None Known

-- 
Corrective Action:
Investigate the web server for signs of compromise.

Look for other IDS events involving the same IP addresses.

--
Original rule writer unknown
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

Microsoft Technet:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/FAQW2KCP.asp

--