New Web Sigs: msg#00180 security.ids.snort.bleedingsnort
David Maciejak has been busy this morning. Four new sigs out. Thanks David.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution"; flow: to_server,established; content:"POST"; depth:4; nocase; uricontent:"/error.php?"; nocase; uricontent:"err="; nocase; pcre:"/Cookie\:\ +REMOTE_ADDR=/i"; reference:bugtraq,15609; classtype:web-application-attack; sid:2003332; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB PHP Generic membreManager.php remote file include"; flow:established,to_server; uricontent:"/membres/membreManager.php"; nocase; pcre:"/include_path=\s*(ftp|https?)\:\//Ui"; reference:bugtraq,22287; classtype:web-application-attack; sid:2003331; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB PHP Gnopaster Common.php remote file include"; flow:established,to_server; uricontent:"/includes/common.php"; nocase; pcre:"/root_path=\s*(ftp|https?)\:\//Ui"; reference:bugtraq,18180; classtype:web-application-attack; sid:2003333; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt"; flow:to_server,established; uricontent:"/cmd.php?"; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; reference:cve,CVE-2006-6799; reference:bugtraq,21799; classtype: web-application-attack; sid:2003334; rev:1;)

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc