Snort mailing list archives
Odd alert on /bin/chmod rule
From: GJ Philput <gjphilput () yahoo com>
Date: Mon, 23 Feb 2004 11:18:34 -0800 (PST)
Hello,

I am hoping that someone can shed some light on an unusual capture that I got from the WEB-ATTACKS chmod command attempt rule in Snort 2.1. According to the rule, this rule should only alert if it finds /bin/chmod/ in the packet. I have gotten several alerts on this rule that are just SYN packets and don't contain a payload, let alone /bin/chmod/. Does anyone know why this might be happening? I have included the rule and the alert below. Sensitive information has been changed to protect the guilty.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt"; flow:to_server,established; content:"/bin/chmod";nocase; sid:1336; classtype:web-application-attack; rev:4;)

Generated by ACID x.x.x on Mon, 23 Feb 2004 13:23:13 -0500
------------------------------------------------------------------------------
#(4 - 19383) [2004-02-22 04:12:17] [snort/1336] WEB-ATTACKS chmod command attempt
IPv4: xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx hlen=5 TOS=0 dlen=48 ID=19428 flags=0 offset=0 TTL=113 chksum=44886
TCP: port=2434 -> dport: 1080 flags=******S* seq=3183296326 ack=0 off=7 res=0 win=64240 urp=0 chksum=28387
Options:
 #1 - MSS len=2 data=05B4
 #2 - NOP len=0
 #3 - NOP len=0
 #4 - SACKOK len=0
Payload: none

James
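Added example, not part of the original post and not Snort's own code: a small triage check that parses the option block of the rule quoted above and reports which of its constraints a packet like the one in the alert fails. The packet representation (a dict with `flags` and `payload`) and the approximation that a bare SYN cannot belong to an established flow are assumptions of this example; Snort itself decides "established" from its stream tracker, not from one packet's flags.

```python
import re

# The rule from the post, verbatim.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-ATTACKS chmod command attempt"; flow:to_server,established; '
        'content:"/bin/chmod";nocase; sid:1336; classtype:web-application-attack; rev:4;)')

# Matches one "key;" or "key:value;" option; quoted values may contain ';'.
OPTION_RE = re.compile(r'([a-z_]+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(rule):
    """Return the rule's option block as an ordered list of (key, value) pairs."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    return [(key, value.strip('"')) for key, value in OPTION_RE.findall(body)]


def failed_constraints(rule, pkt):
    """List the option constraints the packet fails; an empty list means it should alert."""
    opts = parse_options(rule)
    nocase = any(key == 'nocase' for key, _ in opts)
    payload = pkt.get('payload', b'')
    reasons = []
    for key, value in opts:
        if key == 'flow' and 'established' in value.split(','):
            # Assumption: a packet carrying only SYN is the first step of the
            # handshake, so no established stream exists for it yet.
            if pkt['flags'] == {'SYN'}:
                reasons.append('flow:established requires a completed handshake; packet is a bare SYN')
        elif key == 'content':
            needle, hay = value.encode(), payload
            if nocase:
                needle, hay = needle.lower(), hay.lower()
            if needle not in hay:
                reasons.append(f'content {value!r} not found in payload ({len(payload)} bytes)')
    return reasons


# Constructed from the alert in the post: SYN only, no payload.
SYN_PACKET = {'flags': {'SYN'}, 'payload': b''}
# Constructed: the kind of request the rule is written to catch (case-insensitive match).
HTTP_PACKET = {'flags': {'PSH', 'ACK'},
               'payload': b'GET /cgi-bin/x?cmd=/BIN/CHMOD+777 HTTP/1.0\r\n'}

if __name__ == '__main__':
    for name, pkt in (('SYN_PACKET', SYN_PACKET), ('HTTP_PACKET', HTTP_PACKET)):
        print(name, failed_constraints(RULE, pkt) or 'should alert')
```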