Snort mailing list archives
APC dot dot bug (Network Shutdown)
From: cdowns <cdowns () lifeatzero com>
Date: Wed, 26 Sep 2001 22:49:24 -0400
OK, I got this rule to work just fine like this. I captured the payload and verified the hex output, which is:

payload first request:
0x0040 2e2f 5749 4e4e 542f 7265 7061 6972 2f20 ./WINNT/repair/.

payload second request:
0x0040 2e2f 5749 4e4e 542f 7265 7061 6972 2f20 ./WINNT/repair/.

I have not seen this rule in the rules0727, but this does not mean it is not available. If it is, please disregard this message, as I am not currently on the sig list.

rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:"WEB-MISC APC Network dot dot Bug"; flags: A+; content:"|2e2f 5749 4e4e 542f 7265 7061 6972 2f20|"; classtype:attempted-admin;)

output:
[**] [1:0:0] WEB-MISC APC Network dot dot Bug [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
09/26-22:20:40.154508 10.0.4.25:1336 -> 64.28.89.35:3052
TCP TTL:128 TOS:0x0 ID:22391 IpLen:20 DgmLen:354 DF
***AP*** Seq: 0xCFC6F4C9 Ack: 0x7C55442F Win: 0x4510 TcpLen: 20

Thanks to those who responded.

-D

---------------------------------
Network Security Administrator
http://www.skillsoft.com
cdowns () skillsoft com
"You can't point and click your way to super cracker status"
---------------------------------
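Added example (not part of the original post or of Snort): a small Python check that decodes the rule's content option, confirms it is the 16 bytes shown in the posted dump row, and tests it against sample payloads. The helper names and both sample payloads are constructed for illustration; Snort's backslash escapes inside content strings are not handled.

```python
import re

# Rule text exactly as posted in the message above.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 '
        '(msg:"WEB-MISC APC Network dot dot Bug"; flags: A+; '
        'content:"|2e2f 5749 4e4e 542f 7265 7061 6972 2f20|"; '
        'classtype:attempted-admin;)')

# Constructed samples: 8 filler bytes followed by the posted dump row,
# and an unrelated request that the rule should not fire on.
SAMPLE_HIT = b"X" * 8 + bytes.fromhex("2e2f57494e4e542f7265706169722f20")
SAMPLE_MISS = b"GET /index.html HTTP/1.0\r\n\r\n"


def decode_content(value):
    """Decode a Snort content string: literal text mixed with |hex| runs."""
    if value.count("|") % 2:
        raise ValueError("unbalanced pipe in content: %r" % value)
    out = bytearray()
    # After splitting on '|', odd-indexed pieces are the hex runs.
    for i, piece in enumerate(value.split("|")):
        if i % 2 == 0:
            out += piece.encode("latin-1")
            continue
        digits = re.sub(r"\s+", "", piece)
        if len(digits) % 2 or re.search(r"[^0-9a-fA-F]", digits):
            raise ValueError("bad hex run in content: %r" % piece)
        out += bytes.fromhex(digits)
    return bytes(out)


def rule_contents(rule):
    """Return the decoded pattern of every content option in a rule."""
    return [decode_content(v) for v in re.findall(r'content:\s*"([^"]*)"', rule)]


def match_offset(rule, payload):
    """Offset of the first pattern if every pattern is present, else -1.

    The comparison is case-sensitive, as a content option is without nocase.
    """
    patterns = rule_contents(rule)
    if not patterns or any(p not in payload for p in patterns):
        return -1
    return payload.find(patterns[0])


if __name__ == "__main__":
    print(rule_contents(RULE))
    print(match_offset(RULE, SAMPLE_HIT), match_offset(RULE, SAMPLE_MISS))
```

The decoded pattern ends in a space (0x20), so the rule only fires when the path is followed directly by a space in the payload.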