1335.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
1335

--
Summary:
Attempted kill command access via web

--
Impact:
Attempt to stop or restart processes on a webserver.

--
Detailed Information:
This is an attempt to either stop or restart system processes on a
webserver. By stopping a service the attacker can effectively issue a
"Denial of Service" to a particular process on a machine. When used to
restart a process, the attacker can force a legitimate process to
re-read the associated configuration file and possibly compromise the
service by replacing the original configuration with one crafted by the attacker.

The signature looks for the "kill" command in the client to
web server network traffic and does not indicate whether the command
was actually successful in killing the process. The presence of the
"kill" command in web traffic indicates that an attacker attempted to
trick the web server into executing system in non-interactive mode
i.e. without a valid shell session.

Alternatively this rule may trigger in an unencrypted HTTP tunneling
connection to the server or a shell connection via another exploit
against the web server.

--
Attack Scenarios:
The attacker can make a standard HTTP request that contains '/bin/kill'
in the URI which can then return sensitive information on groups and
users present on the host.  This command may also be requested on a
command line should the attacker gain access to the machine.

--
Ease of Attack:
Simple HTTP request.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Webservers should not be allowed to view or execute files and binaries
outside of it's designated web root or cgi-bin. 

--
Contributors:
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Additional information from Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

man kill

--