File: web-coldfusion.rules

package info (click to toggle)
snort 2.3.3-11
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 22,512 kB
  • ctags: 11,344
  • sloc: ansic: 70,967; sh: 4,848; makefile: 748; perl: 478; sql: 212
file content (43 lines) | stat: -rw-r--r-- 9,166 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: web-coldfusion.rules,v 1.27.2.1 2004/10/13 20:25:58 bmc Exp $
#---------------------
# WEB-COLDFUSION RULES
#---------------------
#

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfcache.map access"; flow:to_server,established; uricontent:"/cfcache.map"; nocase; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp application.cfm"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:904; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:905; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getfile.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-recon; sid:906; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION addcontent.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; nocase; classtype:attempted-recon; sid:907; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION administrator access"; flow:to_server,established; uricontent:"/cfide/administrator/index.cfm"; nocase; reference:bugtraq,1314; reference:cve,2000-0538; classtype:attempted-recon; sid:908; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION fileexists.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/fileexists.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:910; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exprcalc access"; flow:to_server,established; uricontent:"/cfdocs/expeval/exprcalc.cfm"; nocase; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; classtype:attempted-recon; sid:911; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION parks access"; flow:to_server,established; uricontent:"/cfdocs/examples/parks/detail.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:912; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfappman access"; flow:to_server,established; uricontent:"/cfappman/index.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:913; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION beaninfo access"; flow:to_server,established; uricontent:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:914; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION evaluate.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/evaluate.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:916; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:917; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION expeval access"; flow:to_server,established; uricontent:"/cfdocs/expeval/"; nocase; reference:bugtraq,550; reference:cve,1999-0477; classtype:attempted-user; sid:918; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:921; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION displayfile access"; flow:to_server,established; uricontent:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:922; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:924; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION mainframeset access"; flow:to_server,established; uricontent:"/cfdocs/examples/mainframeset.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:925; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:926; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:927; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/"; nocase; classtype:attempted-recon; sid:928; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; nocase; reference:bugtraq,550; classtype:attempted-user; sid:929; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION snippets attempt"; flow:to_server,established; uricontent:"/cfdocs/snippets/"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:930; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"; flow:to_server,established; uricontent:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:931; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/application.cfm"; nocase; reference:arachnids,268; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION onrequestend.cfm access"; flow:to_server,established; uricontent:"/onrequestend.cfm"; nocase; reference:arachnids,269; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION startstop DOS access"; flow:to_server,established; uricontent:"/cfide/administrator/startstop.html"; nocase; reference:bugtraq,247; classtype:web-application-attack; sid:935; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION gettempdirectory.cfm access "; flow:to_server,established; uricontent:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:936; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION sendmail.cfm access"; flow:to_server,established; uricontent:"/sendmail.cfm"; nocase; classtype:attempted-recon; sid:1659; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION ?Mode=debug attempt"; flow:to_server,established; uricontent:"Mode=debug"; nocase; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:7;)