[Dshield] Interesting Web Log Entries

Scott Melnick smelnick at water.com
Fri Mar 24 17:37:58 GMT 2006


> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Isaac Perez
> Sent: Thursday, March 23, 2006 4:44 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Interesting Web Log Entries
> 
> Do any of you use Snort as an IDS?
> I'm using it but it doesn't alert on many of these attacks.
> And the sequence of the log here is very similar to the one that
> appears in my logs.
> Does anyone know the tool that generates that traffic?
> Maybe we can do a Snort rule for that tool.
> 
> 
> > The scans occurred from two IPs in tandem.  Note the initial
> > request for /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist, which
> > suggests an attempt to make sure the server responds with 404
> > error codes.

Try this,

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XML-RPC PHP Code Execution Search"; flow:to_server,established; uricontent:"/x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist"; nocase; classtype:web-application-activity; sid:300100; rev:1;)


Scott Melnick
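
The same check can be run retrospectively over web server access logs. The following is an added example, not part of the original message: it finds every client that sent the probe request and lists what that client requested from the probe onward. The function name, the log lines and the follow-up paths are constructed for illustration, and the common/combined log format is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path taken from the rule above; matched case-insensitively, like "nocase".
PROBE = "/x0x0x0x0x0x0x0x0x0/thisfilemustnotexist"

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def find_probe_clients(lines):
    """Return {ip: [(path, status), ...]} for every client that sent the
    probe request, listing its requests from the probe onward."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        ip, _method, raw_path, status = m.groups()
        # Normalise before matching: drop the query string and decode
        # %-escapes, so an encoded variant of the path is still caught.
        path = unquote(raw_path.split("?", 1)[0])
        if PROBE in path.lower() or ip in hits:
            hits[ip].append((path, int(status)))
    return dict(hits)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Mar/2006:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Mar/2006:10:00:02 +0000] '
    '"GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 289',
    '198.51.100.7 - - [23/Mar/2006:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.0" 404 281',
    '203.0.113.9 - - [23/Mar/2006:10:00:03 +0000] '
    '"GET /X0X0X0X0X0X0X0X0X0/ThisFileMustNotExis%74 HTTP/1.0" 404 289',
    '203.0.113.9 - - [23/Mar/2006:10:00:04 +0000] "GET /blog/xmlrpc.php HTTP/1.0" 404 286',
    '192.0.2.10 - - [23/Mar/2006:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 734',
]

if __name__ == "__main__":
    for ip, requests in find_probe_clients(SAMPLE_LOG).items():
        print(ip)
        for path, status in requests:
            print(f"  {status} {path}")
```

Any request from a flagged client that returned something other than 404 is the one to look at first.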


