[Emerging-Sigs] Duplicate + Inaccurate MSG - SID 2019310

Nathan nathan at packetmail.net
Fri Nov 29 07:14:04 HST 2019


It appears the nomenclature below in the "msg" field is duplicated in SID
2019309.  This signature indicates "WGET"; however, this is actually a Perl
command and is not associated with "WGET".

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; flow:established,to_server; content:"lwp-download "; fast_pattern; http_header; pcre:"/(?!^User-Agent\x3a)\blwp-download\s[^\r\n]+(?:\x3b|&&)/Hm"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019310; rev:3; metadata:created_at 2014_09_29, updated_at 2019_10_07;)

Cheers,
Nathan
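
A ruleset lint that catches both problems reported above, as an added example that is not part of the original message or of any Emerging Threats tooling. Assumptions: the entry for SID 2019309 is a constructed stand-in (only its msg and sid come from the post, its body is a placeholder), and the TOOLS list is a hypothetical set of names to compare.

```python
import re
from collections import defaultdict

MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
CONTENT_RE = re.compile(r'\bcontent:\s*!?"((?:[^"\\]|\\.)*)"')
TOOLS = ("wget", "curl", "lwp-download")  # assumed tool names to compare

# Rule quoted in the post (SID 2019310), joined onto one line.
RULE_2019310 = (
    'alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command '
    'Specifying Output in HTTP Headers"; flow:established,to_server; '
    'content:"lwp-download "; fast_pattern; http_header; '
    r'pcre:"/(?!^User-Agent\x3a)\blwp-download\s[^\r\n]+(?:\x3b|&&)/Hm"; '
    'reference:url,blogs.akamai.com/2014/09/environment-bashing.html; '
    'classtype:attempted-admin; sid:2019310; rev:3; '
    'metadata:created_at 2014_09_29, updated_at 2019_10_07;)'
)
# Constructed stand-in: msg and sid from the post, body is a placeholder.
RULE_2019309 = (
    'alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command '
    'Specifying Output in HTTP Headers"; content:"PLACEHOLDER"; '
    'sid:2019309; rev:1;)'
)

def parse_rule(line):
    """Return sid, msg and content strings of one single-line rule, or None."""
    msg, sid = MSG_RE.search(line), SID_RE.search(line)
    if line.lstrip().startswith("#") or not (msg and sid):
        return None
    return {"sid": int(sid.group(1)), "msg": msg.group(1),
            "contents": CONTENT_RE.findall(line)}

def duplicate_msgs(lines):
    """Map each msg string used by more than one SID to its sorted SIDs."""
    by_msg = defaultdict(list)
    for rule in filter(None, map(parse_rule, lines)):
        by_msg[rule["msg"]].append(rule["sid"])
    return {m: sorted(s) for m, s in by_msg.items() if len(s) > 1}

def tool_mismatch(rule):
    """Return (named, matched) when msg names a tool the contents never match."""
    named = sorted(t for t in TOOLS if t in rule["msg"].lower())
    matched = sorted(t for t in TOOLS
                     if any(t in c.lower() for c in rule["contents"]))
    return (named, matched) if named and matched and not set(named) & set(matched) else None

if __name__ == "__main__":
    print(duplicate_msgs([RULE_2019310, RULE_2019309]))
    print(tool_mismatch(parse_rule(RULE_2019310)))
```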



