Snort mailing list archives

Re: Directory Traversal


From: Jim Kipp <jkipp5 () home com>
Date: Mon, 01 Oct 2001 19:05:46 -0400

I think you are right here. Definitely some kind of IIS rule.  But here
is the packet: (one of many)
--
[**] WEB-MISC http directory traversal [**]
09/30-06:45:05.371371 0:50:73:1:6C:A8 -> 0:60:8:38:86:FA type:0x800
len:0x96
24.83.x.x:3542 -> 192.168.x.x:80 TCP TTL:114 TOS:0x0 ID:32972 IpLen:20
DgmLen:136 DF
***AP*** Seq: 0xF6922490  Ack: 0x7E168448  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65  5c../winnt/syste
6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64  m32/cmd.exe?/c+d
69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48  ir r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A        ction: close..




Erek Adams wrote:

On Sun, 30 Sep 2001, Jim Kipp wrote:

Yes, I know where the rule is, but I still don't know what it is exactly
for. It does look IIS related, because in the payload there are GET
../cmd.exe blah blah

If the rule you're referring to is:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory
traversal"; flags: A+; content: "..\\";reference:arachnids,298;
classtype:attempted-recon; sid:1112; rev:1;)

Then it translates into:  Someone used URL with "..\\" in it.  If it's got
cmd.exe tacked onto it, I'd say it is something like CR or Nimda.

Could you post the packet payload?  Sanitized of course! :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
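As an added example (not code from the thread or from Snort): a Python script that rebuilds the payload from the hex dump above, percent-decodes the request URI the way an http_decode-style preprocessor would, and checks the rule's "..\" content against both the raw bytes and the normalized URI. It shows why sid 1112 fires on this packet even though the wire bytes carry "%5c" rather than a literal backslash; the normalization function is my approximation of that preprocessor, not Snort's code.

```python
from urllib.parse import unquote

# Constructed copy of the Snort hex dump quoted in the alert above
# (hex column, two spaces, ASCII column); only the hex column is parsed.
SNORT_DUMP = """\
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65  5c../winnt/syste
6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64  m32/cmd.exe?/c+d
69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48  ir r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A        ction: close..
"""

# content:"..\\" in the rule (sid 1112) is the three bytes dot, dot, backslash.
RULE_CONTENT = b"..\\"


def parse_snort_dump(dump):
    """Rebuild payload bytes from Snort's hex dump: 16 pairs per line,
    i.e. at most 47 characters of hex before the ASCII rendering."""
    payload = bytearray()
    for line in dump.splitlines():
        payload.extend(int(pair, 16) for pair in line[:47].split())
    return bytes(payload)


def normalize_uri(uri):
    """Approximation (assumed, not Snort's code) of the URI normalization
    an http_decode-style preprocessor performs: percent-decode the URI,
    so %5c becomes a backslash before content matching."""
    return unquote(uri.decode("latin-1")).encode("latin-1")


def analyze(dump):
    """Return the raw and normalized URI plus whether the rule content
    matches before and after normalization."""
    payload = parse_snort_dump(dump)
    request_line = payload.split(b"\r\n", 1)[0]
    uri = request_line.split(b" ")[1]
    normalized = normalize_uri(uri)
    return {
        "uri": uri,
        "normalized_uri": normalized,
        "raw_match": RULE_CONTENT in payload,            # wire bytes say %5c
        "normalized_match": RULE_CONTENT in normalized,  # decoded backslash
        "cmd_exe": b"cmd.exe" in normalized.lower(),
    }


if __name__ == "__main__":
    for key, value in analyze(SNORT_DUMP).items():
        print(f"{key}: {value!r}")
```

The raw-bytes check fails and the normalized check succeeds, so a sensor that matches this content without URI normalization would miss the same request.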