Snort mailing list archives

another content


From: Aditya () directnet com br
Date: Thu, 27 Feb 2003 11:21:14 -0300

Hi friends,
Are the content options sequential too?
Like the uricontent option?
Or no?

Aditya

> Do uricontents get checked sequentially like content options?  In particular sid 1072 has two
> uricontent options. According to most of the advisories these two uricontents need to appear in the
> order they are defined, i.e. "GET /.nsf/../somefile".  However I am receiving alerts for URIs
> like "GET /../prog.nsf/data/file".  Is this expected behaviour?
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus Domino directory traversal"; uricontent:".nsf/"; uricontent:"../"; nocase; flow:to_server,established; reference:cve,CVE-2001-0009; reference:bugtraq,2173; classtype:web-application-attack; sid:1072; rev:6;)
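
The behaviour asked about above, modelled as an added example (not part of the original post and not Snort's own code): it extracts the uricontent options from the quoted sid 1072 rule and evaluates the two URIs from the post under two interpretations, independent matching, which is consistent with the alert the poster reports, and a hypothetical ordered match. The function names and both matching models are assumptions made for illustration.

```python
import re

# Rule text as quoted in the post (sid 1072), line-wrap debris removed.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-MISC Lotus Domino directory traversal"; '
        'uricontent:".nsf/"; uricontent:"../"; nocase; '
        'flow:to_server,established; reference:cve,CVE-2001-0009; '
        'reference:bugtraq,2173; classtype:web-application-attack; '
        'sid:1072; rev:6;)')

def uricontents(rule):
    """Return [(pattern, nocase)] in rule order.
    Assumption: nocase modifies only the pattern option that precedes it."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    found = []
    # Options end with ';'; a quoted value may itself contain ';'.
    for opt in re.findall(r'((?:[^;"]|"[^"]*")+);', body):
        name, _, value = opt.strip().partition(':')
        if name == 'uricontent':
            found.append([value.strip().strip('"'), False])
        elif name == 'nocase' and found:
            found[-1][1] = True
    return [tuple(p) for p in found]

def _find(uri, pattern, nocase, start=0):
    if nocase:
        uri, pattern = uri.lower(), pattern.lower()
    return uri.find(pattern, start)

def match_independent(uri, patterns):
    """Each pattern is searched from the start of the URI; order is irrelevant."""
    return all(_find(uri, p, nc) != -1 for p, nc in patterns)

def match_ordered(uri, patterns):
    """Hypothetical stricter model: each pattern must occur after the previous one."""
    pos = 0
    for p, nc in patterns:
        hit = _find(uri, p, nc, pos)
        if hit == -1:
            return False
        pos = hit + len(p)
    return True

if __name__ == '__main__':
    pats = uricontents(RULE)
    # Both URIs are the ones quoted in the post.
    for uri in ('/.nsf/../somefile', '/../prog.nsf/data/file'):
        print(uri, match_independent(uri, pats), match_ordered(uri, pats))
```

Only the independent model fires on both URIs, which is the pattern of alerts described in the post; the ordered model fires only on the form given in the advisories.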




