/etc/snort/rules/community-web-cgi.rules is in snort-rules-default 2.9.2.2-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# These rules are licensed under the GNU General Public License.
# Please see the file LICENSE in this directory for more details.
# $Id: community-web-cgi.rules,v 1.20 2006/09/19 13:46:50 akirk Exp $
# sid 100000112: access to readfile.tcl with a "file" parameter (Bugtraq 7426).
# Fires on established client-to-server traffic from $EXTERNAL_NET to
# $HTTP_SERVERS:$HTTP_PORTS whose normalized URI contains "/readfile.tcl?file="
# (case-insensitive). The rule keys on the request path and parameter name only,
# not on the parameter value, so every such request alerts; triage on the
# requested file value in the captured packet.
# uricontent inspects the URI as normalized by the HTTP Inspect preprocessor, so
# that preprocessor must cover $HTTP_PORTS for this rule to match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Readfile.tcl Access"; flow:to_server,established; uricontent:"/readfile.tcl?file="; nocase; classtype:web-application-attack; reference:bugtraq,7426; sid:100000112; rev:1;)
# sids 100000113 / 100000114: HappyMall CGI command-execution attempts
# (Bugtraq 7530, CVE-2003-0243), one rule per script name.
# uricontent first requires the script name followed by "?" in the normalized
# URI. The pcre then requires, with no CR/LF in between, "file=" immediately
# followed by ";" (\x3B) or "|" (\x7C).
# pcre flags: U = match against the normalized URI, i = ignore case.
# NOTE(review): uricontent has no "nocase" here while the pcre carries /i, so the
# two tests disagree on case sensitivity -- confirm which is intended.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI HappyMall Command Execution member_html.cgi"; flow:to_server,established; uricontent:"/member_html.cgi?"; pcre:"/member_html.cgi\x3F[^\r\n]*\s*file\x3D(\x3B|\x7C)/Ui"; classtype:web-application-attack; reference:bugtraq,7530; reference:cve,2003-0243; sid:100000113; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI HappyMall Command Execution normal_html.cgi"; flow:to_server,established; uricontent:"/normal_html.cgi?"; pcre:"/normal_html.cgi\x3F[^\r\n]*\s*file\x3D(\x3B|\x7C)/Ui"; classtype:web-application-attack; reference:bugtraq,7530; reference:cve,2003-0243; sid:100000114; rev:1;)
# sids 100000115 / 100000116: PHP-Nuke Web_Links path-disclosure requests
# (Bugtraq 7589).
# Both rules require the same five case-insensitive substrings in the normalized
# URI (modules.php?, op=modload, name=Web_Links, file=index, l_op=viewlink); no
# distance/within modifiers are used, so their order is not enforced. The rules
# differ only in how they treat the "cid" parameter:
#   100000115 - the URI contains no "cid=" substring at all (negated uricontent).
#   100000116 - the URI contains "cid=" and the pcre finds "cid=" followed by at
#               least one non-digit character.
# The uricontent "cid=" tests carry no "nocase" and are plain substring matches,
# so they are case-sensitive and also match "cid=" at the end of a longer
# parameter name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Null CID"; flow:to_server,established; uricontent:"modules.php?"; nocase; uricontent:"op=modload"; nocase; uricontent:"name=Web_Links"; nocase; uricontent:"file=index"; nocase; uricontent:"l_op=viewlink"; nocase; uricontent:!"cid="; classtype:web-application-attack; reference:bugtraq,7589; sid:100000115; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Non-Numeric CID"; flow:to_server,established; uricontent:"modules.php?"; nocase; uricontent:"op=modload"; nocase; uricontent:"name=Web_Links"; nocase; uricontent:"file=index"; nocase; uricontent:"l_op=viewlink"; nocase; uricontent:"cid="; pcre:"/cid=[^0-9]+/Ui"; classtype:web-application-attack; reference:bugtraq,7589; sid:100000116; rev:1;)
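# sid 100000117: vBulletin forumdisplay.php command-execution attempt through the
# "comma" parameter (Bugtraq 12542).
# Needs "/forumdisplay.php?" and "comma=" in the normalized URI (case-insensitive).
# The pcre then requires "comma=" followed, with no "&", CR or LF in between, by
# "system(" and a later ")".
# The "?" after forumdisplay.php is written as \x3F, as in the other rules in
# this file. Left bare, it is a regex quantifier that makes the preceding "p"
# optional instead of matching a literal question mark.
# The msg spelling "VBulliten" is kept as distributed so existing alert filters
# and sid-msg mappings keep matching.
# NOTE: the pcre now differs from the distributed rev:1 text; bump rev according
# to local change control when deploying this version.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI VBulliten Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/forumdisplay.php?"; nocase; uricontent:"comma="; nocase; pcre:"/forumdisplay.php\x3F[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui"; classtype:web-application-attack; reference:bugtraq,12542; sid:100000117; rev:1;)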
# sids 100000127 / 100000128: Stadtaus.com PHP script remote-include attempts
# through the script_root parameter (Bugtraq 12735), one rule per include file.
# The destination here is $HOME_NET, not $HTTP_SERVERS, so every host in
# $HOME_NET listening on $HTTP_PORTS is covered.
# Each rule needs the include-file name and "script_root" in the normalized URI
# (case-insensitive). The pcre then requires the file name, "?", and on the same
# line "script_root=" followed by optional whitespace and the literal "http",
# i.e. a value that begins like an http:// or https:// URL.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack formmail.inc.php"; flow:to_server,established; uricontent:"/formmail.inc.php"; nocase; uricontent:"script_root"; nocase; pcre:"/formmail.inc.php\x3F[^\r\n]*script_root\x3D\s*http/Ui"; reference:bugtraq,12735; classtype:web-application-attack; sid:100000127; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack download_center_lite.inc.php"; flow:to_server,established; uricontent:"/download_center_lite.inc.php"; nocase; uricontent:"script_root"; nocase; pcre:"/download_center_lite.inc.php\x3F[^\r\n]*script_root\x3D\s*http/Ui"; reference:bugtraq,12735; classtype:web-application-attack; sid:100000128; rev:1;)
#Rule submitted by Chas Tomlin
# sid 100000156: TWiki shell-command execution through the "rev" parameter
# (Bugtraq 14834, CVE-2005-2877; vendor advisory in the url reference).
# Needs "/TwikiUsers?" in the normalized URI (case-insensitive). The pcre then
# looks for "rev=" followed by optional digits, optional whitespace and "|" (\x7C).
# NOTE(review): classtype is web-application-activity, whereas the other
# command-execution rules in this file use web-application-attack. Presumably
# this maps to a lower priority in classification.config -- confirm that is
# intended.
# NOTE(review): the rule is scoped to the TwikiUsers URI; check the advisory to
# decide whether other topics on the local installation need coverage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Twiki shell command execution"; flow:to_server,established; uricontent:"/TwikiUsers?"; nocase; pcre:"/rev=\d*\s*\x7C/Ui"; classtype:web-application-activity; reference:bugtraq,14834; reference:cve,2005-2877; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev; sid:100000156; rev:2;)
#Rule submitted by David Maciejak
# sid 100000157: ATutor password_reminder.php SQL-injection attempt (Bugtraq 14831).
# Needs "/password_reminder.php?" in the normalized URI (case-insensitive). The
# pcre then requires "form_email=" followed by at least one character other than
# CR, LF or "&", then "UNION", whitespace and "SELECT".
# pcre flags: U = match against the normalized URI only, i = ignore case.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-CGI ATutor password_reminder.php SQL injection attempt"; flow: to_server,established; uricontent:"/password_reminder.php?"; nocase; pcre:"/form_email=[^\r\n\x26]+UNION\s+SELECT/Ui"; reference:bugtraq,14831; classtype:web-application-attack; sid:100000157; rev:1;)
#Rules submitted by Avinash Shenoi (Cenzic Inc. CIA Research Team)
# sids 100000878-100000880: Roller Weblog cross-site-scripting attempts
# (Bugtraq 20045). All three share one msg string, so alerts can only be told
# apart by sid. The source is "any any" rather than $EXTERNAL_NET, so requests
# from internal clients to $HOME_NET are inspected as well.
#
# 100000878: "POST" within the first 4 payload bytes, "method=post" anywhere in
# the payload, and the pcre finds name=, email= or url= followed on the same line
# by the literal "<script>" (\x3Cscript\x3E). The pcre has no U flag, so it runs
# on the raw packet payload, not the normalized URI.
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; content:"POST"; nocase; depth:4; content:"method=post"; nocase; pcre:"/(name|email|url)=[^\r\n]*\x3Cscript\x3E/smi"; reference:bugtraq,20045; classtype:web-application-activity; sid:100000878; rev:2;)
# 100000879: "POST" within the first 4 payload bytes, "method=preview", then
# "content=" at any offset after that match (distance:0).
# NOTE(review): no script or markup pattern is required, so this fires on any
# matching preview submission; expect it to need thresholding or suppression on
# sites that actually run Roller.
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; content:"POST"; nocase; depth:4; content:"method=preview"; nocase; content:"content="; nocase; distance:0; reference:bugtraq,20045; classtype:web-application-activity; sid:100000879; rev:2;)
# 100000880: normalized URI contains "/sitesearch.do", "q=" and the literal
# "<script>" (all case-insensitive, order not enforced).
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; uricontent:"/sitesearch.do"; nocase; uricontent:"q="; nocase; uricontent:"<script>"; nocase; reference:bugtraq,20045; classtype:web-application-activity; sid:100000880; rev:2;)