
[Snort-sigs] some corrections to rules incorrectly refering to a reference resource not located in etc/reference.config

From: Sean Wheeler <s.wheeler(at)netprotect.ch>
Date: Sun Mar 28 2004 - 10:19:07 EST


hi,

Below are some corrections to rules incorrectly referring to a reference resource not located in etc/reference.config



The following refers to bugtaq and NOT bugtraq:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; content:"|00 01|"; offset:2; depth:2; content:"|00 01|"; offset:8; depth:2; dsize:>156; reference:bugtaq,5807; reference:cve,CAN-2002-1214; classtype:attempted-admin; sid:2126; rev:2;)
correction:
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; content:"|00 01|"; offset:2; depth:2; content:"|00 01|"; offset:8; depth:2; dsize:>156; reference:bugtraq,5807; reference:cve,CAN-2002-1214; classtype:attempted-admin; sid:2126; rev:2;)

The following refer to bid and NOT bugtraq (etc/reference.config has no reference to bid):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bid,8430; classtype:web-application-activity; sid:2331; rev:1;)
correction:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:1;)



alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; uricontent:"firstname="; nocase; reference:bid,9369; classtype:web-application-activity; sid:2345; rev:1;)
correction:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; uricontent:"firstname="; nocase; reference:bugtraq,9369; classtype:web-application-activity; sid:2345; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php"; nocase; reference:bid,6544; classtype:web-application-activity; sid:2346; rev:1;)
correction:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bid,6544; classtype:web-application-activity; sid:2347; rev:1;)
correction:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:1;)

regards

Sean




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Mon Mar 29 04:03:15 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:39 EDT
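
A check that would catch the mismatches reported in this message, as an added example (not part of the original post and not Snort project code): it reads the reference systems defined in a reference.config and lists every rule `reference:` option that names a system not defined there. The config and rule text are constructed samples with placeholder URLs and trimmed rule options, and matching system names case-insensitively is an assumption.

```python
import re

# Constructed sample in the "config reference: <system> <url-prefix>" line
# format of etc/reference.config; the URL prefixes are placeholders.
SAMPLE_REFERENCE_CONFIG = """\
# constructed sample
config reference: bugtraq http://example.invalid/bid/
config reference: cve     http://example.invalid/cve/
"""

# Constructed sample: rules from the message with most options trimmed.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; reference:bugtaq,5807; reference:cve,CAN-2002-1214; sid:2126; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; content:"new_rights=admin"; reference:bid,8430; sid:2331; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; reference:bugtraq,6544; sid:2346; rev:1;)
"""

CONFIG_RE = re.compile(r"^\s*config\s+reference:\s*(\S+)", re.IGNORECASE)
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')   # msg/content strings
REF_RE = re.compile(r"\breference\s*:\s*([^,;\s]+)\s*,")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def load_reference_systems(config_text):
    """Return the set of reference system names defined in the config."""
    systems = set()
    for line in config_text.splitlines():
        match = CONFIG_RE.match(line)
        if match:
            systems.add(match.group(1).lower())  # assumption: case-insensitive
    return systems

def find_undefined_references(rules_text, systems):
    """Return (line number, sid, system) for each undefined reference system."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue  # skip blank lines and commented-out rules
        # Blank out quoted strings so text inside msg/content cannot match.
        rule = QUOTED_RE.sub('""', rule)
        sid_match = SID_RE.search(rule)
        sid = int(sid_match.group(1)) if sid_match else None
        for system in REF_RE.findall(rule):
            if system.lower() not in systems:
                findings.append((lineno, sid, system))
    return findings

if __name__ == "__main__":
    defined = load_reference_systems(SAMPLE_REFERENCE_CONFIG)
    for lineno, sid, system in find_undefined_references(SAMPLE_RULES, defined):
        print(f"line {lineno}: sid {sid} uses undefined reference system '{system}'")
```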

