Bug #211: Fail to alert on sid 2002660 - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #211

closed

Fail to alert on sid 2002660

Added by Josh Smith almost 14 years ago. Updated almost 14 years ago.

Status:

Closed

Priority:

Normal

Assignee:

OISF Dev

Target version:

1.0.1

Affected Versions:

Effort:

Difficulty:

Label:

Description

Suricata fails to alert on sid 2002660 with the attached pcap. Snort is able to pick it up.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER RSA Web Auth Exploit Attempt - Long URL"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; uricontent:"?Redirect?"; nocase; pcre:"/url=.{8000}/i"; reference:url,secunia.com/advisories/17281; reference:url,www.metasploit.com/projects/Framework/modules/exploits/rsa_iiswebagent_redirect.pm; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2002660; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_RSA; reference:url,doc.emergingthreats.net/2002660; sid:2002660; rev:8;)

Files

2002660.pcap (8.45 KB) 2002660.pcap

Josh Smith, 07/15/2010 06:08 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #211

Fail to alert on sid 2002660

Updated by Victor Julien almost 14 years ago

Updated by Will Metcalf almost 14 years ago