/etc/snort/rules/web-php.rules is in snort-rules-default 2.9.7.0-5.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 | # Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules"). The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved. All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights). In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: web-php.rules,v 1.21.2.2.2.2 2005/07/22 19:19:54 mwatchinski Exp $
#--------------
# WEB-PHP RULES
#--------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP bb_smilies.php access"; flow:to_server,established; uricontent:"/bb_smilies.php"; nocase; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"name=|22 CC CC CC CC CC|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"form-data|3B|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:13;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content:"SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools access"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; uricontent:"/dostuff.php?action=modify_user"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php access"; flow:to_server,established; uricontent:"/dostuff.php"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Messagerie supp_membre.php access"; flow:to_server,established; uricontent:"/supp_membre.php"; nocase; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP php.exe access"; flow:to_server,established; uricontent:"/php.exe"; nocase; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php arbitrary command attempt"; flow:to_server,established; uricontent:"/directory.php"; content:"dir="; content:"|3B|"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1815; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php access"; flow:to_server,established; uricontent:"/directory.php"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Wiki cross site scripting attempt"; flow:established,to_server; uricontent:"/modules.php?"; uricontent:"name=Wiki"; nocase; uricontent:"<script"; nocase; reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php arbitrary command attempt"; flow:established,to_server; uricontent:"/quick-reply.php"; content:"phpbb_root_path="; distance:1; reference:bugtraq,6173; classtype:web-application-attack; sid:1967; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php access"; flow:established,to_server; uricontent:"/quick-reply.php"; reference:bugtraq,6173; classtype:web-application-activity; sid:1968; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP read_body.php access attempt"; flow:established,to_server; uricontent:"/read_body.php"; reference:bugtraq,6302; reference:cve,2002-1341; classtype:web-application-activity; sid:1997; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; uricontent:"/calendar.php"; reference:bugtraq,5820; reference:bugtraq,9353; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP edit_image.php access"; flow:established,to_server; uricontent:"/edit_image.php"; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path"; flow:established,to_server; uricontent:".php"; content:"path="; pcre:"/path=(http|https|ftp)/i"; classtype:web-application-attack; sid:2002; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:arachnids,205; reference:bugtraq,2271; classtype:attempted-recon; sid:1134; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent:"/passwd.php3"; reference:arachnids,272; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase; reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:arachnids,209; reference:bugtraq,2272; classtype:attempted-recon; sid:1179; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase; reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"file="; pcre:"/file=(http|https|ftp)/i"; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; reference:bugtraq,1997; reference:bugtraq,9361; classtype:web-application-attack; sid:1491; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase; reference:arachnids,206; reference:bugtraq,2274; classtype:attempted-recon; sid:1137; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; reference:arachnids,431; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1254; rev:8;)
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP p-news.php access"; flow:to_server,established; uricontent:"/p-news.php"; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php directory traversal attempt"; flow:to_server,established; uricontent:"/shoutbox.php"; content:"conf="; content:"../"; distance:0; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php access"; flow:to_server,established; uricontent:"/shoutbox.php"; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; uricontent:"/gm-2-b2.php"; content:"b2inc="; pcre:"/b2inc=(http|https|ftp)/i"; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php access"; flow:to_server,established; uricontent:"/gm-2-b2.php"; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password admin attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=admin"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2145; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=12345"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2146; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; uricontent:"/objects.inc.php4"; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(http|https|ftp)/"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 access"; flow:to_server,established; uricontent:"/objects.inc.php4"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Turba status.php access"; flow:to_server,established; uricontent:"/turba/status.php"; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php remote file include attempt"; flow:to_server,established; uricontent:"/admin/templates/header.php"; content:"admin_root="; pcre:"/admin_root=(http|https|ftp)/"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php access"; flow:to_server,established; uricontent:"/admin/templates/header.php"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP test.php access"; flow:to_server,established; uricontent:"/test.php"; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php directory traversal attempt"; flow:to_server,established; uricontent:"/autohtml.php"; content:"name="; content:"../../"; distance:0; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php access"; flow:to_server,established; uricontent:"/autohtml.php"; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include attempt"; flow:to_server,established; uricontent:"forum/index.php"; content:"template="; pcre:"/template=(http|https|ftp)/i"; reference:bugtraq,7542; reference:bugtraq,7543; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include attempt"; flow:to_server,established; uricontent:"lib.inc.php"; content:"pm_path="; pcre:"/pm_path=(http|https|ftp)/"; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP forum_details.php access"; flow:to_server,established; uricontent:"forum_details.php"; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; uricontent:"db_details_importdocsql.php"; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP UpdateClasses.php access"; flow:to_server,established; uricontent:"/UpdateClasses.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Title.php access"; flow:to_server,established; uricontent:"/Title.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Setup.php access"; flow:to_server,established; uricontent:"/Setup.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2281; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP GlobalFunctions.php access"; flow:to_server,established; uricontent:"/GlobalFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DatabaseFunctions.php access"; flow:to_server,established; uricontent:"/DatabaseFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook remote file include attempt"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; content:"path="; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook access"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP friends.php access"; flow:to_server,established; uricontent:"/friends.php"; nocase; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_comment.php access"; flow:to_server,established; uricontent:"/admin_comment.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_edit.php access"; flow:to_server,established; uricontent:"/admin_edit.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_embed.php access"; flow:to_server,established; uricontent:"/admin_embed.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_help.php access"; flow:to_server,established; uricontent:"/admin_help.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2290; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_license.php access"; flow:to_server,established; uricontent:"/admin_license.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_logout.php access"; flow:to_server,established; uricontent:"/admin_logout.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_password.php access"; flow:to_server,established; uricontent:"/admin_password.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_preview.php access"; flow:to_server,established; uricontent:"/admin_preview.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_settings.php access"; flow:to_server,established; uricontent:"/admin_settings.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_stats.php access"; flow:to_server,established; uricontent:"/admin_stats.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; uricontent:"/admin_templates_misc.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates.php access"; flow:to_server,established; uricontent:"/admin_templates.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_misc_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll booth.php access"; flow:to_server,established; uricontent:"/booth.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll poll_ssi.php access"; flow:to_server,established; uricontent:"/poll_ssi.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; flow:to_server,established; uricontent:"/popup.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP files.inc.php access"; flow:to_server,established; uricontent:"/files.inc.php"; nocase; reference:bugtraq,8910; classtype:web-application-activity; sid:2304; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP chatbox.php access"; flow:to_server,established; uricontent:"/chatbox.php"; nocase; reference:bugtraq,8930; classtype:web-application-activity; sid:2305; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include attempt"; flow:to_server,established; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attempt"; flow:to_server,established; content:"do=ext"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP authentication_index.php access"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/editor/editor.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/lib.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; uricontent:"firstname="; nocase; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"ideaDir"; nocase; content:"cord.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox notification.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"gorumDir"; nocase; content:"notification.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board emailer.php file include"; flow:to_server,established; uricontent:"/ad_member.php"; nocase; content:"emailer.php"; nocase; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat db_mysql.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"db_mysql.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2356; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat english.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"english.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2357; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Typo3 translations.php file include"; flow:to_server,established; uricontent:"/translations.php"; nocase; content:"ONLY"; nocase; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board ipchat.php file include"; flow:to_server,established; uricontent:"/ipchat.php"; nocase; content:"root_path"; nocase; content:"conf_global.php"; nocase; reference:bugtraq,6976; classtype:web-application-attack; sid:2359; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myphpPagetool pt_config.inc file include"; flow:to_server,established; uricontent:"/doc/admin"; nocase; content:"ptinclude"; nocase; content:"pt_config.inc"; nocase; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP news.php file include"; flow:to_server,established; uricontent:"/news.php"; nocase; content:"template"; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP YaBB SE packages.php file include"; flow:to_server,established; uricontent:"/packages.php"; nocase; content:"packer.php"; nocase; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards default_header.php access"; flow:to_server,established; uricontent:"/default_header.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2363; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards options_form.php access"; flow:to_server,established; uricontent:"/options_form.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP newsPHP Language file include attempt"; flow:to_server,established; uricontent:"/nphpd.php"; nocase; content:"LangFile"; nocase; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/functions.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/config_gedcom.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Photopost PHP Pro showphoto.php access"; flow:to_server,established; uricontent:"/showphoto.php"; nocase; reference:bugtraq,9557; classtype:web-application-activity; sid:2372; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP /_admin access"; flow:to_server,established; uricontent:"/_admin/"; nocase; reference:bugtraq,9537; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; uricontent:"newsletter.php"; nocase; content:"waroot"; nocase; content:"start.php"; nocase; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter db_type.php access"; flow:to_server,established; uricontent:"/sql/db_type.php"; nocase; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phptest.php access"; flow:to_server,established; uricontent:"/phptest.php"; nocase; reference:bugtraq,9737; classtype:web-application-activity; sid:2405; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; uricontent:"/page.php"; nocase; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP modules.php access"; flow:to_server,established; uricontent:"/modules.php"; nocase; reference:bugtraq,9879; classtype:web-application-activity; sid:2565; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPBB viewforum.php access"; flow:to_server,established; uricontent:"/viewforum.php"; nocase; reference:bugtraq,9865; reference:bugtraq,9866; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file include attempt"; flow:to_server,established; uricontent:"/header.php"; nocase; content:"systempath="; pcre:"/systempath=(http|https|ftp)/i"; reference:bugtraq,9732; classtype:web-application-attack; sid:2575; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TUTOS path disclosure attempt"; flow:to_server,established; uricontent:"/note_overview.php"; content:"id="; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV base directory manipulation"; flow:to_server,established; uricontent:"_conf.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; classtype:web-application-attack; sid:2926; rev:1;)
|