Snort mailing list archives

APC dot dot bug (Network Shutdown)


From: cdowns <cdowns () lifeatzero com>
Date: Wed, 26 Sep 2001 22:49:24 -0400

Ok, I got this rule to work just fine like this. I captured the payload
and verified the hex output, which is:

payload first request:
0x0040   2e2f 5749 4e4e 542f 7265 7061 6972 2f20        ./WINNT/repair/.

payload second request:
0x0040   2e2f 5749 4e4e 542f 7265 7061 6972 2f20        ./WINNT/repair/.

I have not seen this rule in the rules0727, but this does not mean it is
not available. If it is, please disregard this message, as I am not
currently on the sig list.

rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:"WEB-MISC APC Network dot dot Bug"; flags: A+; content:"|2e2f 5749 4e4e 542f 7265 7061 6972 2f20|"; classtype:attempted-admin;)

output:
[**] [1:0:0] WEB-MISC APC Network dot dot Bug [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
09/26-22:20:40.154508 10.0.4.25:1336 -> 64.28.89.35:3052
TCP TTL:128 TOS:0x0 ID:22391 IpLen:20 DgmLen:354 DF
***AP*** Seq: 0xCFC6F4C9  Ack: 0x7C55442F  Win: 0x4510  TcpLen: 20

Thanks for those who responded.
-D


---------------------------------
Network Security Administrator
    http://www.skillsoft.com
     cdowns () skillsoft com
 "You can't point and click your
  way to super cracker status"
---------------------------------


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
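The following is an added example, not part of the post above and not Snort's own code: a small Python re-implementation of how the rule's content:"|...|" option is decoded and matched against a TCP payload, run over a few constructed HTTP request payloads. The payload strings, the function names and the "somefile" name are assumptions made for the illustration. It shows what the posted pattern decodes to, where in a request it matches, and that the trailing 0x20 in the pattern ties the match to a request for the repair directory itself, so a request for a file inside that directory is not covered by this particular rule.

```python
"""Re-implementation of a Snort content match for the APC dot-dot rule.

Added illustration only; it mirrors the semantics of Snort's content
option (mixed literal text and |hex| segments, matched as raw bytes
anywhere in the payload) and is not Snort's own code.
"""

# content option exactly as written in the posted rule
RULE_CONTENT = "|2e2f 5749 4e4e 542f 7265 7061 6972 2f20|"


def parse_content(option: str) -> bytes:
    """Decode a Snort content string into the byte pattern Snort matches.

    Segments between '|' characters are hex bytes (spaces ignored); the
    segments outside them are literal text.
    """
    out = bytearray()
    for i, seg in enumerate(option.split("|")):
        if i % 2 == 1:                          # inside |...|: hex bytes
            out += bytes.fromhex(seg.replace(" ", ""))
        else:                                   # outside: literal characters
            out += seg.encode("latin-1")
    return bytes(out)


def match_offset(payload: bytes, pattern: bytes) -> int:
    """Offset of the first occurrence of pattern in payload, or -1 (no match)."""
    return payload.find(pattern)


# Constructed sample payloads (assumptions, not captures from the post).
SAMPLE_PAYLOADS = {
    # directory request with traversal: matches the pattern
    "traversal_dir": b"GET /../../../../WINNT/repair/ HTTP/1.0\r\n\r\n",
    # request for a file under the directory: the pattern's trailing
    # space (0x20) is absent, so this rule does not fire
    "traversal_file": b"GET /../../WINNT/repair/somefile HTTP/1.0\r\n\r\n",
    # ordinary request: no match
    "benign": b"GET /index.html HTTP/1.0\r\n\r\n",
}


def scan(payloads: dict, option: str = RULE_CONTENT) -> dict:
    """Run the rule's content match over every payload; map name -> offset."""
    pattern = parse_content(option)
    return {name: match_offset(p, pattern) for name, p in payloads.items()}


if __name__ == "__main__":
    print("pattern bytes:", parse_content(RULE_CONTENT))
    for name, off in scan(SAMPLE_PAYLOADS).items():
        print(f"{name:15s} -> {'match at ' + str(off) if off >= 0 else 'no match'}")
```

The decoded pattern is `./WINNT/repair/ ` (16 bytes, ending in a space), which is why the hex dump in the post reads `./WINNT/repair/.` with the last byte shown as a dot. Snort's real content match additionally honours the rule's header (port 3052, the A+ flag) before the payload is inspected; only the payload part is reproduced here.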