File: 100000315.txt

snort 2.9.7.0-5
Rule:  

--
Sid:
100000315

--
Summary:
This event is generated when an HTTP client issues a PUT request to upload
a document into the web content area.

--
Impact:
The PUT method is a legitimate HTTP command that allows an authorized user
to upload a document into the web content tree. It is most often associated 
with the WebDAV content management protocol.  

Although there are some legitimate uses for the PUT method, it is also a
frequent source of web site defacement, as attackers can easily abuse 
misconfigured web servers that allow unrestricted PUT functionality from 
arbitrary users.

--
Detailed Information:
The rule searches for HTTP requests using the PUT method, and tracks 
these sessions.  The rule is intended to be used with SID 100000316 to 
track successful PUT requests, which may represent successful defacement
attacks, instead of all PUT requests.

Administrators who wish to track all PUT requests (successful or not) should 
remove the "flowbits:noalert;" section of this rule.
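
The request/response pairing described above, sketched as an added Python example; it is not the Snort rule text or code from the Snort project. The flow ids, the sample events and the treatment of any 2xx status as "successful" are assumptions, since this page does not show what SID 100000316 matches on.

```python
import re

# Constructed sample traffic: (flow id, direction, first line of the HTTP message).
SAMPLE_EVENTS = [
    ("flow-1", "to_server", "PUT /index.html HTTP/1.1"),
    ("flow-1", "to_client", "HTTP/1.1 201 Created"),
    ("flow-2", "to_server", "PUT /index.html HTTP/1.1"),
    ("flow-2", "to_client", "HTTP/1.1 403 Forbidden"),
    ("flow-3", "to_server", "GET /index.html HTTP/1.1"),
    ("flow-3", "to_client", "HTTP/1.1 200 OK"),
    ("flow-4", "to_server", "PUT /a.txt HTTP/1.1"),
    ("flow-4", "to_client", "HTTP/1.1 100 Continue"),
    ("flow-4", "to_client", "HTTP/1.1 204 No Content"),
]

PUT_REQUEST = re.compile(r"^PUT\s+(\S+)\s+HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")


def correlate_put(events, noalert=True):
    """Return alerts as (flow, kind, detail) tuples.

    noalert=True mirrors keeping "flowbits:noalert;": a PUT request only
    marks the flow, and an alert is raised when a success response follows.
    noalert=False also reports every PUT request, successful or not.
    """
    pending = {}  # flow id -> URI of a PUT awaiting its response (the flow marker)
    alerts = []
    for flow, direction, line in events:
        if direction == "to_server":
            match = PUT_REQUEST.match(line)
            if match:
                pending[flow] = match.group(1)
                if not noalert:
                    alerts.append((flow, "put_request", match.group(1)))
            else:
                pending.pop(flow, None)  # a different request clears the marker
        elif flow in pending:
            match = STATUS_LINE.match(line)
            if not match:
                continue
            status = int(match.group(1))
            if status < 200:
                continue  # interim response such as 100 Continue; keep waiting
            uri = pending.pop(flow)
            if status < 300:  # assumption: any 2xx counts as a successful PUT
                alerts.append((flow, "put_success", f"{status} {uri}"))
    return alerts
```
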

--
Affected Systems:
Any web server

--
Attack Scenarios:
An attacker can issue a PUT request via a script, many different pieces of 
software, or through a manual connection to any web server port.

--
Ease of Attack:
Simple.  Numerous tools exist for creating PUT requests, including some geared
specifically towards web site defacement.  

--
False Positives:
Organizations that use WebDAV to manage their web content may experience
false positives, as the PUT method is a normal part of the WebDAV protocol.
Additionally, any other legitimate web applications which use the PUT method
will generate false positives.

--
False Negatives:
None

--
Corrective Action:
In cases of web site defacement, delete the newly-created file(s) and/or 
restore them from a reliable backup. In all cases, be sure to tune web server
configuration to allow PUT requests only where necessary for a legitimate web
application to function.

--
Contributors:
David J. Bianco, <david@vorant.com>

-- 
Additional References:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6