Snort mailing list archives
Re: uricontent misbehaving?
From: Brian <bmc () snort org>
Date: Fri, 2 Nov 2001 14:45:45 -0500
According to dan.ellis () sophos com:
Date:01/11 18:43:59 Name:WEB-MISC readme.eml attempt Priority:8 Type:Attempted User Privilege Gain IP info: xxx.xxx.xxx.xxx:80 -> yyy.yyy.yyy.yyy:62689 References: 1 which apparently came from the rule: Alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \ (msg:"WEB-MISC readme.eml attempt"; \ flags:A+; uricontent:"readme.eml"; nocase; \ classtype:attempted-user; sid:1284; rev:3; \ reference:url,www.cert.org/advisories/CA-2001-26.html;) (xxx... is our web server.) I'm not very familiar with snort, but from what I've just read in the documentation the 'uricontent' bit is supposed to match only on the URI of requests. However, this was a response packet from our web server. Of course, several of our pages contain the text "readme.eml", but I don't see how this rule could have triggered unless it was mistakenly matching as 'content' instead of 'uricontent'. Has 'uricontent' been known to misbehave in this way?
Actually, that makes sense. If they are not using http_decode, then the URICONTENT never gets set for the session. If you are not using http_decode, then it will trigger on any packet on port 80 that includes the string of readme.eml. -brian _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- uricontent misbehaving? dan . ellis (Nov 02)
- Re: uricontent misbehaving? Tim Kramer (Nov 02)
- Re: uricontent misbehaving? Tim Kramer (Nov 02)
- Re: uricontent misbehaving? Chuck Morford (Nov 02)
- Re: uricontent misbehaving? Martin Roesch (Nov 02)
- Re: uricontent misbehaving? Brian (Nov 06)
- <Possible follow-ups>
- Re: uricontent misbehaving? Daniel Carroll (Nov 02)