Bug #210

Fail to alert on sid 2002900

Added by Josh Smith over 14 years ago. Updated over 13 years ago.

Status: Closed
Priority: Normal

Description

Suricata fails to alert on sid 2002900 with the attached pcap. Snort is able to detect it.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CGI AWstats Migrate Command Attempt"; flow:established,to_server; uricontent:"/awstats.pl?"; nocase; uricontent:"/migrate"; pcre:"/migrate\s*=\s*\|/Ui"; reference:bugtraq,17844; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002900; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Awstats; sid:2002900; rev:5;)


Files

2002900.pcap (654 Bytes) - Josh Smith, 07/15/2010 05:08 PM
0001-Adding-unittest-for-normalized-uricontent-matching.patch (3.75 KB) - Unittest that checks normalized uricontent matching - Pablo Rincon, 09/02/2010 12:27 PM
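
The URI options of the rule quoted in the report (uricontent, and pcre with the U modifier) are matched against the normalized request URI, which is the behaviour the attached unit-test patch targets. The following is an added example, not code from this ticket or from Suricata: it evaluates those options against constructed URIs, both raw and normalized. The helper names, the sample URIs and the use of percent-decoding as a stand-in for the engine's URI normalization are assumptions.

```python
import re
from urllib.parse import unquote

# URI-related options copied from sid 2002900 as quoted in the report.
RULE_OPTS = (r'uricontent:"/awstats.pl?"; nocase; uricontent:"/migrate"; '
             r'pcre:"/migrate\s*=\s*\|/Ui";')

# Constructed sample URIs (not taken from the attached pcap).
ENCODED = "/cgi-bin/AWStats.pl?config=x%2Fmigrate%20=%20%7Cplaceholder"
BENIGN = "/cgi-bin/awstats.pl?config=example.org"


def parse_uri_options(opts):
    """Return ([literal, nocase] pairs, compiled /U regexes) from rule options."""
    contents, regexes = [], []
    for m in re.finditer(r'(\w+)(?::"((?:[^"\\]|\\.)*)")?\s*;', opts):
        key, val = m.group(1), m.group(2)
        if key == "uricontent":
            contents.append([val, False])
        elif key == "nocase" and contents:
            contents[-1][1] = True          # nocase modifies the preceding content
        elif key == "pcre":
            body, flags = val[1:].rsplit("/", 1)
            if "U" in flags:                # U: match against the normalized URI
                regexes.append(re.compile(body, re.I if "i" in flags else 0))
    return contents, regexes


def evaluate(uri, normalized=True):
    """Per-option verdicts for one request URI."""
    # Assumption: percent-decoding stands in for the engine's URI normalization.
    buf = unquote(uri) if normalized else uri
    contents, regexes = parse_uri_options(RULE_OPTS)
    verdicts = {}
    for literal, nocase in contents:
        hay, needle = (buf.lower(), literal.lower()) if nocase else (buf, literal)
        verdicts["uricontent:" + literal] = needle in hay
    for rx in regexes:
        verdicts["pcre:" + rx.pattern] = rx.search(buf) is not None
    return verdicts


def would_alert(uri, normalized=True):
    """All options must match for the rule to fire."""
    return all(evaluate(uri, normalized).values())


if __name__ == "__main__":
    for uri in (ENCODED, BENIGN):
        print(uri, would_alert(uri), would_alert(uri, normalized=False))
```

The per-option verdicts from `evaluate` show which condition of the rule is not satisfied for a given URI, which is the first thing to establish when two engines disagree on the same pcap.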