Snort mailing list archives

Re: Where do these rules come from?
From: Wesley Eddy <weddy () masaka cs ohiou edu>
Date: Thu, 16 Aug 2001 16:24:51 -0400

On Thu, Aug 16, 2001 at 03:09:37PM -0500, Steve Halligan wrote:
> This is just an example from web-cgi rules.  There are several more like
> this.  Is there something that has a /calendar that is a problem?  If so, why
> isn't it named in the rule?  I don't have a problem commenting it out,
> because I know that I have nothing with a /calendar url, but I just got to
> wondering why rules like this are there in the first place.  It can make it
> difficult to decide whether to remove a rule, with no reference as to what
> the exploit/scan is that the rule is designed for.

It's useful to keep, whether or not you have such a script that needs
protecting.  If you don't have the script installed, then there's absolutely no
reason why anyone would be trying to access it unless they were seriously
confused or they were scanning you, in which case I assume you'd like
to be alerted!

The rules are there because there are kiddie tools which will scan a
webserver for hundreds of commonly found known exploitable cgi programs,
and if we didn't have rules to detect them, then we'd never know we were being scanned.

-Wes

-- 
"I can't see too well, what's it all about?  I don't know man, did you poke
your eyes out?"         -Angry Samoans, "Lights Out"
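The point Wes makes above (a request for a script you never installed is, by itself, a signal, and a run of such requests from one source is a scan) as an added Python example; this is not code from the original thread or from Snort. It applies the same idea to web server access logs instead of packets: /calendar is the path named in the thread, while the other watched paths, the IP addresses and the log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Paths worth watching even though the server has none of them.  "/calendar"
# is the path discussed in the thread; the two cgi-bin entries are constructed
# placeholders for this example, not taken from any real scanner or rule set.
WATCHED_PATHS = {"/calendar", "/cgi-bin/example-one.cgi", "/cgi-bin/example-two.pl"}

# Constructed sample access-log lines in Apache "common" log format.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Aug/2001:15:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [16/Aug/2001:15:01:05 -0500] "GET /images/logo.gif HTTP/1.0" 200 512
198.51.100.7 - - [16/Aug/2001:15:02:10 -0500] "GET /calendar HTTP/1.0" 404 210
198.51.100.7 - - [16/Aug/2001:15:02:10 -0500] "GET /cgi-bin/example-one.cgi HTTP/1.0" 404 210
198.51.100.7 - - [16/Aug/2001:15:02:11 -0500] "GET /cgi-bin/example-two.pl HTTP/1.0" 404 210
203.0.113.4 - - [16/Aug/2001:15:03:00 -0500] "GET /calendar HTTP/1.0" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one common-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "/calendar?x=1" still matches "/calendar".
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def probed_paths_by_source(log_text):
    """Return {client ip: sorted list of watched paths that client requested}.

    The response status is deliberately ignored: as the thread says, the
    request alone is the signal, whether or not the script exists."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["path"] in WATCHED_PATHS:
            hits[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in hits.items()}


def classify_sources(log_text, scan_threshold=2):
    """Label each source that touched a watched path: 'scan' when it requested
    at least scan_threshold distinct watched paths, 'probe' for a single one.
    Sources that requested nothing on the watch list are not listed."""
    return {
        ip: ("scan" if len(paths) >= scan_threshold else "probe")
        for ip, paths in probed_paths_by_source(log_text).items()
    }


if __name__ == "__main__":
    probed = probed_paths_by_source(SAMPLE_LOG)
    for ip, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {label} ({', '.join(probed[ip])})")
```

On the constructed log the first client only fetches real pages and is never listed; the second requests three watched paths in quick succession and is labelled a scan; the third asks for /calendar once and is reported as a single probe, which is exactly the "confused or scanning" case Wes describes and still worth an alert.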
