Re: uricontent misbehaving?

[Brian <bmc () snort org>]

According to dan.ellis () sophos com:
> Date:01/11 18:43:59 Name:WEB-MISC readme.eml attempt
> Priority:8 Type:Attempted User Privilege Gain
> IP info: xxx.xxx.xxx.xxx:80 -> yyy.yyy.yyy.yyy:62689
> References: 1
>
> which apparently came from the rule:
>
> Alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
>     (msg:"WEB-MISC readme.eml attempt"; \
>     flags:A+; uricontent:"readme.eml"; nocase; \
>     classtype:attempted-user; sid:1284; rev:3; \
>     reference:url,www.cert.org/advisories/CA-2001-26.html;)
>
> (xxx... is our web server.)
>
> I'm not very familiar with snort, but from what I've just read in the
> documentation the 'uricontent' bit is supposed to match only on
> the URI of requests. However, this was a response packet from our
> web server. Of course, several of our pages contain the text "readme.eml",
> but I don't see how this rule could have triggered unless it was
> mistakenly matching as 'content' instead of 'uricontent'. Has 'uricontent'
> been known to misbehave in this way?

Actually, that makes sense.  If they are not using http_decode, then
the URICONTENT never gets set for the session.  If you are not using
http_decode, then it will trigger on any packet on port 80 that
includes the string of readme.eml.

-brian


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users