Snort mailing list archives
Re: order of matching rules
From: Chris Green <cmg () snort org>
Date: Tue, 22 Oct 2002 21:38:09 -0400
archana rao <archuatdavis () yahoo com> writes:
> When I use Snort to detect the attacks towards an IIS server which uses the URI:
>
>   GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+
>
> why does it raise the alert "WEB-IIS cmd.exe access" with sid:1002, that looks for content:"cmd.exe", and not the alert "WEB-IIS File permission canonicalization" with sid:981, that looks for uricontent:"/scripts/..%c0%af../"?
>
> Archana
%c0%af was probably written before we decoded that URI type. It's worth investigating further, but the URIs are normalized, so detecting it as a raw decode is problematic.

-- 
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.
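The behaviour Chris describes, as an added example that is not part of the original thread and is not Snort's own code: a simplified model in which `content` is matched against the raw packet payload while `uricontent` is matched against a normalized copy of the URI. The decoder, the rule table and the sample request (the URI from the question with a constructed `?/c+dir` query appended) are assumptions made here; Snort's actual http preprocessor of the time is not reproduced.

```python
"""Why uricontent:"/scripts/..%c0%af../" misses while content:"cmd.exe" hits.

Added example, not Snort source.  It models an HTTP preprocessor that
normalizes the URI before 'uricontent' is evaluated, while 'content'
is evaluated against the raw payload.  The decoder, the rule table and
the sample request are all constructed for this illustration.
"""

# Constructed request line, modelled on the URI quoted in the question.
RAW_REQUEST = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"

# Simplified rule table; msg and sid as quoted in the thread.
RULES = [
    {"sid": 1002, "msg": "WEB-IIS cmd.exe access", "content": b"cmd.exe"},
    {"sid": 981, "msg": "WEB-IIS File permission canonicalization",
     "uricontent": b"/scripts/..%c0%af../"},
]


def percent_decode(raw: bytes) -> bytes:
    """Decode %XX escapes; malformed escapes are left untouched."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0x25 and i + 2 < len(raw):
            try:
                out.append(int(raw[i + 1:i + 3], 16))
                i += 3
                continue
            except ValueError:
                pass
        out.append(raw[i])
        i += 1
    return bytes(out)


def lenient_utf8(data: bytes) -> str:
    """Decode two-byte UTF-8 sequences without rejecting overlong forms,
    so 0xC0 0xAF (i.e. %c0%af) becomes '/'.  A strict decoder rejects
    this; the lenient behaviour is what a normalizer must mirror if it
    is to see the same path the target server sees."""
    chars = []
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            chars.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            chars.append(chr(b))
            i += 1
    return "".join(chars)


def normalize_uri(uri: bytes) -> str:
    """Normalize the path part: percent-decode, lenient UTF-8, then
    resolve '.' and '..' segments.  The query string is dropped."""
    path = uri.split(b"?", 1)[0]
    text = lenient_utf8(percent_decode(path))
    segments = []
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def request_uri(raw: bytes) -> bytes:
    """Pull the request-target out of the request line."""
    return raw.split(b"\r\n", 1)[0].split(b" ")[1]


def matching_sids(raw: bytes, rules=RULES) -> list:
    """'content' is searched in the raw payload, 'uricontent' in the
    normalized URI.  Returns the sids that fire, in rule order."""
    norm = normalize_uri(request_uri(raw)).encode()
    fired = []
    for rule in rules:
        if "content" in rule and rule["content"] in raw:
            fired.append(rule["sid"])
        elif "uricontent" in rule and rule["uricontent"] in norm:
            fired.append(rule["sid"])
    return fired


if __name__ == "__main__":
    print("normalized URI:", normalize_uri(request_uri(RAW_REQUEST)))
    print("alerts:", matching_sids(RAW_REQUEST))
    # Hypothetical rule written against the normalized form: it does fire.
    fixed = [{"sid": 0, "msg": "hypothetical", "uricontent": b"/winnt/system32/cmd.exe"}]
    print("normalized-form rule:", matching_sids(RAW_REQUEST, fixed))
```

Run as-is, the raw `content:"cmd.exe"` rule fires and the `uricontent:"/scripts/..%c0%af../"` rule does not, because by the time `uricontent` is consulted the buffer reads `/winnt/system32/cmd.exe`: `%c0%af` is an overlong two-byte UTF-8 encoding of `/`, the lenient decoder turns `..%c0%af..` into `../..`, and the `..` segments are then resolved away. The hypothetical last rule in the block shows that a `uricontent` written against the normalized path does match, which is the direction a rule rewrite would have to take.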
Current thread:
- order of matching rules archana rao (Oct 16)
- Re: order of matching rules Chris Green (Oct 16)
- Re: order of matching rules archana rao (Oct 17)
- Re: order of matching rules Chris Green (Oct 22)
- Re: order of matching rules archana rao (Oct 17)
- Re: order of matching rules Matt Kettler (Oct 16)
- <Possible follow-ups>
- Re: order of matching rules Christopher Kruegel (Oct 22)
- Re: order of matching rules Christopher Kruegel (Oct 22)
- Re: order of matching rules Chris Green (Oct 22)
- Re: order of matching rules Chris Green (Oct 16)