--string "/bin/chmod" --algo bm -m comment --comment "msg: WEB-ATTACKS chmod command
attempt; classtype: web-application-attack; rev: 5; FWS:0.9.0;" -j LOG --log-ip-
options --log
-tcp-options --log-prefix "[2] SID1336 ESTAB "
# fwsnort translation of Snort SID 1336 ("chmod command attempt") for HTTP
# requests handled by this host; the FORWARD-chain twin of this rule starts
# before this excerpt. The chain name suggests FWSNORT_INPUT_ESTAB is reached
# only for established flows — confirm against the chain setup outside this
# excerpt. The rule only logs (IP and TCP options included); it does not drop.
# -m string searches one packet at a time with Boyer-Moore (--algo bm) and is
# case-sensitive as written (xt_string's --icase option is not used), so
# payload split across segments or differing in case is not matched.
$IPTABLES -A FWSNORT_INPUT_ESTAB \
  -p tcp --dport 80 \
  -m comment --comment "msg: WEB-ATTACKS chmod command attempt; classtype: web-application-attack; rev: 5; FWS:0.9.0;" \
  -m string --algo bm --string "/bin/chmod" \
  -j LOG --log-prefix "[2] SID1336 ESTAB " --log-ip-options --log-tcp-options
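### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown command attempt"; flow:to_server,established; content:"/chown"; nocase; classtype:web-application-attack; sid:1338; rev:6;)
# fwsnort translation of Snort SID 1338 as a pair of LOG-only rules: one for
# HTTP traffic forwarded to 192.168.10.0/24 (presumably the $HTTP_SERVERS
# network), one for HTTP traffic handled by this host. The *_ESTAB chain names
# suggest they stand in for flow:established — confirm against the chain
# setup outside this excerpt.
# The Snort rule is nocase, but -m string as generated here is case-sensitive
# (xt_string's --icase is not used) and inspects a single packet, not the
# reassembled stream; expect misses on split or mixed-case payloads.
# Defect fixed: the FORWARD rule's log prefix option was written "-log-prefix"
# (single dash), which iptables rejects; it is now "--log-prefix".
$IPTABLES -A FWSNORT_FORWARD_ESTAB \
  -d 192.168.10.0/24 -p tcp --dport 80 \
  -m comment --comment "msg: WEB-ATTACKS chown command attempt; classtype: web-application-attack; rev:6; FWS:0.9.0;" \
  -m string --algo bm --string "/chown" \
  -j LOG --log-prefix "[3] SID1338 ESTAB " --log-ip-options --log-tcp-options
$IPTABLES -A FWSNORT_INPUT_ESTAB \
  -p tcp --dport 80 \
  -m comment --comment "msg: WEB-ATTACKS chown command attempt; classtype: web-application-attack; rev: 6; FWS:0.9.0;" \
  -m string --algo bm --string "/chown" \
  -j LOG --log-prefix "[3] SID1338 ESTAB " --log-ip-options --log-tcp-options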
### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; classtype:web-application-attack; sid:1339; rev:5;)
# fwsnort translation of Snort SID 1339: a FORWARD-chain rule limited to HTTP
# traffic destined for 192.168.10.0/24 (presumably the $HTTP_SERVERS network)
# and an INPUT-chain rule for HTTP traffic handled by this host. Both only
# log, with IP and TCP options included in the log entry.
# As with the other generated rules, -m string (Boyer-Moore, --algo bm) is
# per-packet and case-sensitive even though the Snort rule says nocase;
# xt_string's --icase is not used in this output.
$IPTABLES -A FWSNORT_FORWARD_ESTAB \
  -d 192.168.10.0/24 -p tcp --dport 80 \
  -m comment --comment "msg: WEB-ATTACKS chsh command attempt; classtype: web-application-attack; rev: 5; FWS:0.9.0;" \
  -m string --algo bm --string "/usr/bin/chsh" \
  -j LOG --log-prefix "[4] SID1339 ESTAB " --log-ip-options --log-tcp-options
$IPTABLES -A FWSNORT_INPUT_ESTAB \
  -p tcp --dport 80 \
  -m comment --comment "msg: WEB-ATTACKS chsh command attempt; classtype: web-application-attack; rev: 5; FWS:0.9.0;" \
  -m string --algo bm --string "/usr/bin/chsh" \
  -j LOG --log-prefix "[4] SID1339 ESTAB " --log-ip-options --log-tcp-options
### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; nocase; classtype:web-application-attack; sid:1341; rev:5;)
# fwsnort translation of Snort SID 1341 (absolute path to gcc in an HTTP
# request). FORWARD variant restricted to 192.168.10.0/24 (presumably the
# $HTTP_SERVERS network); INPUT variant for this host. LOG only, no drop;
# the *_ESTAB chains presumably carry the flow:established constraint.
# -m string with --algo bm matches within one packet and case-sensitively;
# the Snort nocase modifier is not reflected (xt_string --icase unused).
$IPTABLES -A FWSNORT_FORWARD_ESTAB \
  -d 192.168.10.0/24 -p tcp --dport 80 \
  -m comment --comment "msg: WEB-ATTACKS /usr/bin/gcc command attempt; classtype: web-application-attack; rev: 5; FWS:0.9.0;" \
  -m string --algo bm --string "/usr/bin/gcc" \
  -j LOG --log-prefix "[5] SID1341 ESTAB " --log-ip-options --log-tcp-options
$IPTABLES -A FWSNORT_INPUT_ESTAB \
  -p tcp --dport 80 \
  -m comment --comment "msg: WEB-ATTACKS /usr/bin/gcc command attempt; classtype: web-application-attack; rev:5; FWS:0.9.0;" \
  -m string --algo bm --string "/usr/bin/gcc" \
  -j LOG --log-prefix "[5] SID1341 ESTAB " --log-ip-options --log-tcp-options
### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; classtype:web-application-attack; sid:1342; rev:5;)
# fwsnort translation of Snort SID 1342. The search string is the URL-encoded
# form "gcc%20-o", so it only fires on the encoded spelling that appears in
# the request; a decoded or differently-encoded form is not matched.
# FORWARD variant restricted to 192.168.10.0/24 (presumably $HTTP_SERVERS),
# INPUT variant for this host; both LOG only. -m string (--algo bm) is
# per-packet and case-sensitive; the Snort nocase modifier is not carried
# over (xt_string --icase unused).
$IPTABLES -A FWSNORT_FORWARD_ESTAB \
  -d 192.168.10.0/24 -p tcp --dport 80 \
  -m comment --comment "msg: WEB-ATTACKS gcc command attempt; classtype: web-application-attack; rev: 5; FWS:0.9.0;" \
  -m string --algo bm --string "gcc%20-o" \
  -j LOG --log-prefix "[6] SID1342 ESTAB " --log-ip-options --log-tcp-options
$IPTABLES -A FWSNORT_INPUT_ESTAB \
  -p tcp --dport 80 \
  -m comment --comment "msg: WEB-ATTACKS gcc command attempt; classtype: web-application-attack; rev: 5; FWS:0.9.0;" \
  -m string --algo bm --string "gcc%20-o" \
  -j LOG --log-prefix "[6] SID1342 ESTAB " --log-ip-options --log-tcp-options
### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established; content:"nc%20"; nocase; classtype:web-application-attack; sid:1360; rev:5;)
$IPTABLES -A FWSNORT_FORWARD_ESTAB