Rule: -- Sid: 1363 -- Summary: This event is generated when execution of a common X Window system command is attempted via HTTP. -- Impact: The attacker may be able to initiate an X session on the web server. -- Detailed Information: This rule generates an event when an X Windows system command command is used with a parameter to set the display location over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. The "display" parameter is used to specify an address for the X server to listen for connections. The rule looks for the "display" parameter in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the parameter in the URL indicates that an attacker attempted to trick the web server into executing a system command in non-interactive mode i.e. without a valid shell session. This rule may also generate an event if it detects this command in an unencrypted HTTP tunneling connection to the server or a shell connection through an exploit of the web server. -- Attack Scenarios: An attacker launches an "xterm" as the web server user and points it to his machine via the 'display" parameter. -- Ease of Attack: Simple, no exploit software required -- False Positives: None Known -- False Negatives: None Known -- Corrective Action: Webservers should not be allowed to view or execute files and binaries outside of its designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. Non-essential binaries should be removed from a webserver once it is in production. -- Contributors: Original rule writer unknown Snort documentation contributed by Anton Chuvakin Sourcefire Research Team Nigel Houghton -- Additional References: --