Snort mailing list archives
Fwd: Re: Cisco HTTP Admin IOS attack signature
From: Dragos Ruiu <dr () dursec com>
Date: Fri, 29 Jun 2001 20:23:09 -0700
And since I'm replying to my own mail and thinking out loud, the trailing "/exec" check is wholly redundant and only slows snort down because if you've seen the level tag before something's no good for sure, so remove that last check to get:

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
    content:"GET"; regex:"level/*1[6-9]"; nocase; \
    reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:3;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
    content:"GET"; regex:"level/*[2-9][0-9]"; nocase; \
    reference:bugtraq,2936; classtype:attempted-admin; sid:1100001; rev:3;)

cheers,
--dr
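A regression check for the two patterns in the message above, added here as an example and not part of the original post or of Snort. It assumes the `regex:` strings are read as ordinary case-insensitive regular expressions; the function names and the request payloads are constructed for illustration.

```python
import re

# Patterns copied from the two rules in the post. Assumption: they are read
# as ordinary regular expressions, case-insensitive because of "nocase".
RULES = {
    1100000: re.compile(rb"level/*1[6-9]", re.IGNORECASE),
    1100001: re.compile(rb"level/*[2-9][0-9]", re.IGNORECASE),
}
CONTENT = re.compile(rb"GET", re.IGNORECASE)  # content:"GET"; nocase;


def fired_sids(payload: bytes) -> list[int]:
    """Return the sids whose content and regex both match the payload."""
    if not CONTENT.search(payload):
        return []
    return sorted(sid for sid, rx in RULES.items() if rx.search(payload))


def flagged_levels() -> list[int]:
    """Sweep levels 0..99 and list those that raise an alert."""
    hits = []
    for level in range(0, 100):
        request = b"GET /level/%d/exec HTTP/1.0\r\n\r\n" % level  # constructed
        if fired_sids(request):
            hits.append(level)
    return hits


# Constructed payloads: each one checks a property of the patterns.
SAMPLES = {
    # No trailing "exec": still alerts, as the post argues it should.
    "no_exec": b"GET /level/42/ HTTP/1.0\r\n\r\n",
    # Level 15 falls outside both character ranges: no alert.
    "level_15": b"GET /level/15/exec HTTP/1.0\r\n\r\n",
    # Patterns are unanchored on the right, so 160 alerts via its "16" prefix.
    "three_digit": b"GET /level/160/ HTTP/1.0\r\n\r\n",
    # Patterns are not tied to the request line: a header can trigger them.
    "header_only": b"GET / HTTP/1.0\r\nReferer: http://r1/level/16/\r\n\r\n",
}

if __name__ == "__main__":
    levels = flagged_levels()
    print("levels that alert:", levels[0], "to", levels[-1])
    for name, payload in SAMPLES.items():
        print(f"{name:12} -> {fired_sids(payload)}")
```

The last two samples are false-positive sources to keep in mind when tuning: neither pattern is bounded after the digits or restricted to the URI.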