
SANS ISC: Updated Twiki Snort Sig - SANS Internet Storm Center SANS ISC InfoSec Forums

Updated Twiki Snort Sig

This is an update to the Snort signature that we posted earlier for the recently announced TWiki vulnerability that allows remote code execution:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\
"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; \
uricontent:"/TWikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"; \
classtype:web-application-activity; reference:url,\
advisories/16820/; sid:2002366; rev:3;)

Note: This is a single line that has been broken to allow for better formatting in the diary. The "\" characters at the end of the lines above show where the line breaks have been added. Many thanks to Joe Esler, Chas Tomlin, Jason Brvenik, Frank Knobbe, and all the folks from Bleeding Edge (you guys rock!).
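The following is an added example, not part of the original diary or the Bleeding Edge rule set: it rejoins the broken lines into the single-line rule and approximates the rule's uricontent and pcre checks so the signature can be sanity-checked offline. The function names, the sample URIs (all constructed), and the use of percent-decoding in place of Snort's URI normalization are assumptions; the rule text, including its reference value, is copied as it appears above.

```python
import re
from urllib.parse import unquote

# Rule text as printed in the diary, trailing "\" line breaks included.
DIARY_TEXT = r'''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\
"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; \
uricontent:"/TWikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"; \
classtype:web-application-activity; reference:url,\
advisories/16820/; sid:2002366; rev:3;)'''

def join_rule(text):
    """Drop each trailing backslash and rejoin into the single line Snort expects."""
    return "".join(l[:-1] if l.endswith("\\") else l for l in text.splitlines())

def rule_options(rule):
    """Pull the uricontent string, the pcre body and the pcre flags out of the rule."""
    uricontent = re.search(r'uricontent:"([^"]*)"', rule).group(1)
    body, flags = re.search(r'pcre:"/(.*)/(\w*)"', rule).groups()
    return uricontent, body, flags

def rule_matches(raw_uri):
    """Approximate the rule's two URI checks against one request URI."""
    uricontent, body, flags = rule_options(join_rule(DIARY_TEXT))
    # Assumption: percent-decoding stands in for Snort's URI normalization,
    # which is what uricontent and the pcre "U" flag inspect.
    uri = unquote(raw_uri)
    if uricontent.lower() not in uri.lower():      # uricontent + nocase
        return False
    return re.search(body, uri, re.I if "i" in flags else 0) is not None

# Constructed request URIs (not captured traffic) and whether the rule fires.
SAMPLES = {
    "/twiki/bin/view/Main/TWikiUsers?rev=2": False,            # digits only
    "/twiki/bin/view/Main/TWikiUsers?rev=2&skin=plain": False, # "&" is excluded
    "/twiki/bin/view/Main/TWikiUsers?rev=2%20EXTRA": True,     # non-digit after rev
    "/twiki/bin/view/Main/TWikiUsers?rev=1.3": True,           # a dot also counts
    "/twiki/bin/view/Main/twikiusers?REV=x": True,             # nocase and /i
    "/twiki/bin/view/Main/WebHome?rev=2%20EXTRA": False,       # uricontent absent
}

if __name__ == "__main__":
    print(join_rule(DIARY_TEXT))
    for uri, expected in SAMPLES.items():
        print(f"{rule_matches(uri)!s:5} (expected {expected!s:5}) {uri}")
```

The dotted sample shows that the pattern fires on any character after the digits other than "&" or a newline, so compare it with the revision formats your own wiki links use before relying on the alert.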


Sep 19th 2005
