Sophie

snort-2.3.3-2.3.20060mdk.x86_64.rpm

Rule: 

--
Sid: 495

-- 

Summary: 
This event is generated when an attempt to execute a command fails. This may be indicative of post-compromise behavior involving the use of a Windows command shell.

-- 

Impact: 
Serious. An attacker may have the ability to execute commands remotely.

--
Detailed Information:
This event is generated by an unsuccessful attempt to execute a Windows command, which produces the response "Bad command or filename". For example, the Windows operating system generates this response when the executable file to be run from the command line is not found.

Seeing this response in HTTP traffic indicates that an attacker may have spawned a shell bound to a web port and tried to execute a command. Note that the source address of this event is the victim's, not the attacker's.

--

Attack Scenarios: 
An attacker gains access to a Windows web server via an IIS vulnerability and manages to start a cmd.exe shell. He then tries to run other commands on the machine.

-- 

Ease of Attack:
Simple. This post-attack behavior can accompany different attacks.

-- 

False Positives:
This rule will generate an event if the string "Bad command or filename" appears in the content distributed by a web server, in which case the rule should be tuned.

--
False Negatives:
None known.

-- 
Corrective Action:
Investigate the web server for signs of compromise.

Look for other IDS events involving the same IP addresses.
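The following is an added example, not part of this rule documentation and not Snort's own detection code. It models the three points made above: the error string only matters in the server-to-client direction (so the flow's source is the victim), a server known to legitimately serve the phrase can be tuned out (the False Positives case), and once an alert fires, other traffic touching the same addresses is pulled for investigation (the Corrective Action). The Flow type, the port set and all sample traffic are constructed for the example.

```python
"""Toy detector for the behaviour sid 495 describes: a Windows shell's
"Bad command or filename" error leaving a web server in an HTTP response.
Constructed example; not Snort and not the original rule."""
from dataclasses import dataclass


# Hypothetical data model; a real IDS works on reassembled streams.
@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


SID = 495
SIGNATURE = b"Bad command or filename"   # the string named in the documentation
WEB_PORTS = frozenset({80, 8080})        # assumption: ports treated as "web"


def server_to_client(flow: Flow) -> bool:
    """Traffic *from* a web port is the server's response; only that direction counts."""
    return flow.sport in WEB_PORTS


def scan(flows, tuned_servers=frozenset()):
    """Return one alert per flow in which the shell error string leaves a web server.

    tuned_servers lists servers known to legitimately serve the phrase
    (the documented false-positive case); their responses are suppressed.
    """
    alerts = []
    for f in flows:
        if not server_to_client(f):
            continue
        if SIGNATURE not in f.payload:
            continue
        if f.src in tuned_servers:
            continue
        # Direction matters: the flow's source is the (possibly compromised)
        # web server, i.e. the victim; the destination is the suspected attacker.
        alerts.append({
            "sid": SID,
            "victim": f.src,
            "suspected_attacker": f.dst,
            "port": f.sport,
            "flow": f,
        })
    return alerts


def related_flows(flows, alert):
    """Corrective-action helper: every other flow touching either address in the alert."""
    hosts = {alert["victim"], alert["suspected_attacker"]}
    return [f for f in flows if f is not alert["flow"] and ({f.src, f.dst} & hosts)]


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    # client -> server request; requests never trigger this rule
    Flow("198.51.100.7", 51000, "192.0.2.10", 80,
         b"GET /cgi-bin/run?cmd=foo HTTP/1.0\r\n\r\n"),
    # server -> client: shell error echoed in the HTTP body -> alert, victim is 192.0.2.10
    Flow("192.0.2.10", 80, "198.51.100.7", 51000,
         b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nBad command or filename\r\n"),
    # the string inside a *request* body: wrong direction, no alert
    Flow("198.51.100.8", 51001, "192.0.2.10", 80,
         b"POST /forum HTTP/1.0\r\n\r\nBad command or filename"),
    # a documentation site that legitimately serves the phrase (false positive until tuned)
    Flow("192.0.2.20", 80, "203.0.113.5", 52000,
         b"HTTP/1.0 200 OK\r\n\r\n<p>DOS prints 'Bad command or filename' when ...</p>"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE):
        print("untuned:", a["victim"], "->", a["suspected_attacker"])
    for a in scan(SAMPLE, tuned_servers={"192.0.2.20"}):
        print("tuned:  ", a["victim"], "->", a["suspected_attacker"])
        for f in related_flows(SAMPLE, a):
            print("  related:", f.src, f.sport, "->", f.dst, f.dport)
```

Untuned, the scan raises two alerts (the compromised server and the documentation site); with the documentation server tuned out, only the real event remains, and the related-flows pivot returns the attacker's original request plus the other client's traffic to the same server, which is the starting set for the investigation the Corrective Action calls for.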

--
Original rule writer unknown
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

--