Snort mailing list archives
Re: rule question
From: Wayne T Work <wwork () cybergnostic com>
Date: Tue, 25 Sep 2001 13:57:15 -0400
Try this. Not sure what the sid is, but it will help:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:"WEB-MISC APC Network dot dot Bug"; uricontent:"/\../\../\../\..\/\../WINNT/repair/"; flags: A+; classtype:attempted-admin; sid: ; rev:1;)

At 11:44 AM 9/25/2001 -0400, cdowns wrote:
I have created this rule for one of my IDS boxes, but there is something wrong. Does anyone see what could be wrong with this? I'm overlooking something simple, I'm sure.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:WEB-MISC APC Network dot dot Bug"; uricontent:"/\../\../\../\..\/\../WINNT/repair/"; flags:A+; classtype:attempted-admin;)

thanks
-D

--
--------------------------------
Network Security Administrator
Christopher M Downs
Skillsoft Corporation
http://www.skillsoft.com
"you can't point and click your way to super cracker status -"
--------------------------------

Wayne T Work
Manager of Information Systems Security
Cybergnostic.net, Inc.
(O) 203-331-4417
(C) 203-217-5004
www.cybergnostic.com
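
An added example (not part of the thread and not Snort's own parser): a small Python check of the option section of the rule from the question, showing how the missing opening quote in msg shifts every later quote so the whole option list collapses into one unterminated string. The KNOWN and QUOTED sets cover only the options used in this thread, and sid 1000001 is a placeholder.

```python
import re

# Options used by the rules in this thread; NOT Snort's full keyword list.
KNOWN = {"msg", "uricontent", "flags", "classtype", "sid", "rev"}
QUOTED = {"msg", "uricontent"}  # values that must be "double-quoted"

def split_options(body):
    """Split on ';' outside double quotes. Returns (options, quotes_balanced)."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False              # char after a backslash is literal
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if "".join(cur).strip():             # text left over after the last ';'
        opts.append("".join(cur).strip())
    return opts, not in_quote

def lint(rule):
    """Return a list of problems in the (...) option section of one rule."""
    m = re.match(r"^[^(]*\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        return ["no (...) option section"]
    opts, balanced = split_options(m.group(1))
    problems = [] if balanced else ["unbalanced double quote"]
    for opt in opts:
        key, _, val = (part.strip() for part in opt.partition(":"))
        if key not in KNOWN:
            problems.append(f"unknown option '{key}'")
        elif not val:
            problems.append(f"'{key}' has no value")
        elif key in QUOTED and not (len(val) >= 2 and val[0] == val[-1] == '"'):
            problems.append(f"'{key}' value is not a quoted string")
    return problems

HEADER = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 "
TAIL = r'uricontent:"/\../\../\../\..\/\../WINNT/repair/"; flags:A+; classtype:attempted-admin;'
AS_POSTED = HEADER + '(msg:WEB-MISC APC Network dot dot Bug"; ' + TAIL + ")"
# sid 1000001 is a placeholder from the local-rule range, not an official sid.
FIXED = HEADER + '(msg:"WEB-MISC APC Network dot dot Bug"; ' + TAIL + " sid:1000001; rev:1;)"

if __name__ == "__main__":
    for name, rule in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(name, "->", lint(rule) or "ok")
```
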