
[Snort-sigs] SID 1359

From: Anton Chuvakin <anton(at)chuvakin.org>
Date: Thu Apr 17 2003 - 18:17:22 EDT


# This is a template for submitting snort signature descriptions to

Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ping command attempt"; flow:to_server,established; content:"/bin/ping"; nocase; sid:1359; classtype:web-application-attack; rev:4;)

--
Sid: 1359

-- 
Summary: A web command execution attack involving the use of a
"ping" command

-- 
Impact: attacker might have gained an ability to execute system commands
remotely on the system

-- 
Detailed Information: This signature triggers when a "ping"
command is used over a plain-text (unencrypted) connection on one of
the specified web ports to the target web server. The "ping"
command may be used to perform information gathering activities. The
signature looks for the "ping" command in the client to web
server network traffic and does not indicate whether the command was
actually successful. The presence of the "ping" command in the
URL indicates that an attacker attempted to trick the web server into
executing system commands in non-interactive mode, i.e. without a valid
shell session. Another case when this signature might trigger is an
unencrypted HTTP tunneling connection to the server or a shell
connection through an exploit of the web server.

-- 
Attack Scenarios: An attacker uses a "ping" command to
perform anonymous reconnaissance

--
Ease of Attack: very easy, no exploit software required

-- 
False Positives: none known

--
False Negatives: none known

-- 
Corrective Action: check the web server software for vulnerabilities
and possibly upgrade the system to the latest version; also
investigate the server for signs of compromise

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Thu Apr 17 18:53:52 2003
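
The content match that SID 1359 describes, applied offline to request lines during triage. This is an added example, not part of the original post and not Snort code; the function names and the sample request lines are constructed for illustration, and the percent-decoding pass is an addition beyond the rule's plain content match.

```python
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Content string from the rule; the rule's "nocase" makes the match
# case-insensitive, so comparisons below are done on lowercased text.
NEEDLE = "/bin/ping"

# Constructed request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/test.cgi?arg=/bin/ping HTTP/1.0",
    "GET /cgi-bin/test.cgi?arg=/BIN/Ping HTTP/1.0",
    "GET /cgi-bin/test.cgi?arg=%2Fbin%2Fping HTTP/1.0",
    "GET /docs/shipping.html HTTP/1.0",
]


def match_sid_1359(request_line: str) -> Optional[str]:
    """Return 'raw' if the rule's content string appears as sent,
    'decoded' if it appears only after percent-decoding, else None.
    A hit records an attempt; it says nothing about whether the
    command ran, as the signature description notes."""
    if NEEDLE in request_line.lower():
        return "raw"
    decoded = request_line
    for _ in range(3):  # bounded, so nested encoding cannot loop forever
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if NEEDLE in decoded.lower():
        return "decoded"
    return None


def triage(requests: List[str]) -> List[Tuple[str, str]]:
    """Return (request_line, match_kind) for every line that matches."""
    hits = []
    for line in requests:
        kind = match_sid_1359(line)
        if kind is not None:
            hits.append((line, kind))
    return hits


if __name__ == "__main__":
    for line, kind in triage(SAMPLE_REQUESTS):
        print(f"{kind:8} {line}")
```
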

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:26 EDT

