[Dshield] Interesting Web Log Entries

Scott Melnick smelnick at water.com
Fri Mar 24 17:37:58 GMT 2006

> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-
> bounces at lists.dshield.org] On Behalf Of Isaac Perez
> Sent: Thursday, March 23, 2006 4:44 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Interesting Web Log Entries
> Any of you use snort as ids?
> I'm using it but it doesn't alert of many of this attacks.
> And the sequence of the log here is very similar to the one appear in
> logs.
> Anyone knows the tool that generates that traffic?
> maybe we can do a snort rule for that tool.
> > The scans occurred from two IPs in tandem.  Note the initial request
> > /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist, which suggests an attempt
> > make sure the server responds with 404 error codes.

Try this,

PHP Code Execution Search"; flow:to_server,established; uricontent:"
/x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist "; nocase;
classtype:web-application-activity; sid:300100; rev:1;)

Scott Melnick

More information about the list mailing list