I would recommend something like the following (sid 1000001 is a placeholder in the local-rule range; use your own):

    alert tcp any any -> any 5466 \
        (msg:"FTP command execution"; flow:to_server,established; \
        content:"/admin_lua_script.html"; fast_pattern; http_uri; \
        content:"command=os.execute"; http_client_body; nocase; \
        sid:1000001; rev:1;)

You should always specify a port when possible. When you have rules that are "any/any" for source/destination, Snort treats them differently than rules with ports defined.

Important: since this exploit module runs over port 5466 and is HTTP, you NEED to make sure that this port is in your HTTP preprocessor configuration for ports. Specifically, your snort.conf should have a configuration line similar to the following:

    preprocessor http_inspect_server: server default profile all ports { ... 5466 }

(Obviously don't put the dots; they just represent the other ports you should have in there.) If you do not have this port in your preprocessor config for HTTP, all of your HTTP content modifiers will NOT match, because Snort will not treat traffic on this port as HTTP, which is likely the main issue you're having.

You only want to check established sessions where the flow is going to the server. This will be more efficient, as Snort won't have to check random traffic for unestablished sessions and it won't have to check traffic going to the client, since you know the direction for this exploit will always be going to the server. The only way the request would be successful would be if the connection was already established between client and server; if it's not, the exploit won't succeed and it's pointless to alert on this.

    content:"/admin_lua_script.html"; fast_pattern; http_uri;

Adding the fast_pattern option will make the rule more efficient, as it will put it into the fast pattern matcher in Snort.

You want nocase for the POST match because it is not required by HTTP for the method to be all capital letters.
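A small checker, added here as an example and not part of the original post, that applies the points above to a rule and a snort.conf fragment: it parses the http_inspect_server ports list (joining backslash line continuations), takes the destination port from the rule header, and reports the problems described (http_* modifiers on a port http_inspect does not cover, an any/variable destination port, no flow option, several content matches without fast_pattern). The two conf fragments, the rule text and sid 1000001 are constructed sample values.

```python
import re

# Constructed sample fragments (not from any real deployment): an http_inspect_server
# line that omits port 5466, and the same line with 5466 added.
CONF_MISSING = "preprocessor http_inspect_server: server default \\\n    profile all ports { 80 8080 }\n"
CONF_FIXED   = "preprocessor http_inspect_server: server default \\\n    profile all ports { 80 8080 5466 }\n"

# The rule from the post, with a placeholder sid.
RULE = ('alert tcp any any -> any 5466 (msg:"FTP command execution"; flow:to_server,established; '
        'content:"/admin_lua_script.html"; fast_pattern; http_uri; '
        'content:"command=os.execute"; http_client_body; nocase; sid:1000001; rev:1;)')

# Content modifiers that only work on traffic http_inspect has normalized.
HTTP_MODIFIERS = ("http_uri", "http_raw_uri", "http_client_body", "http_method",
                  "http_header", "http_raw_header", "http_cookie", "http_raw_cookie")

def http_inspect_ports(conf: str) -> set:
    """Ports http_inspect_server will treat as HTTP; '\\' + newline continuations are joined first."""
    joined = re.sub(r"\\\s*\n", " ", conf)
    ports = set()
    for m in re.finditer(r"preprocessor\s+http_inspect_server:.*?ports\s*\{([^}]*)\}", joined):
        ports.update(int(p) for p in m.group(1).split())
    return ports

def rule_dst_ports(rule: str):
    """Destination port(s) from the rule header; None when it is 'any' or a $variable (unknown here)."""
    dport = rule.split("(", 1)[0].split()[6]
    if dport == "any" or dport.startswith("$"):
        return None
    return {int(p) for p in dport.strip("[]").split(",")}

def lint_rule(rule: str, conf: str) -> list:
    """Return the problems the post warns about as plain strings; an empty list means none found."""
    problems = []
    dports = rule_dst_ports(rule)
    if dports is None:
        problems.append("destination port is any/variable: specify the service port when you can")
    uses_http = [m for m in HTTP_MODIFIERS if re.search(r"\b%s\b" % m, rule)]
    if uses_http and dports:
        for p in sorted(dports - http_inspect_ports(conf)):
            problems.append("port %d is not in http_inspect_server ports {...}: %s will never match"
                            % (p, ", ".join(uses_http)))
    if not re.search(r"\bflow\s*:", rule):
        problems.append("no flow option: add flow:to_server,established to skip non-session traffic")
    if rule.count("content:") > 1 and "fast_pattern" not in rule:
        problems.append("several content matches but no fast_pattern: mark the most specific one")
    return problems
```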