Re: Ask about HTTP Parser with Directory Traversal String

["Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>]

Hello Seong,

Please take a look at:

HTTP Evasions Revisited<https://www.snort.org/documents/http-evasions-revisited>




--
Joel Esler
Strategy, Cisco Talos Intelligence Group

On Oct 12, 2021, at 03:55, Seong Gyu Choi via Snort-sigs <snort-sigs () lists snort org<mailto:snort-sigs () lists 
snort org>> wrote:

Hi, Snort Team

I have a question about the abbreviation of HTTP parser direction traversal string( "../" or "\..") .

URI : /cgi-bin/../../etc/passwd

After Pass HTTP Parser : /etc/passwd

When URI pass http parser, all the characters in front of Directory Traversal string(/../) fly away, so I wonder why 
you do this. Isn't it normal to stay like the below?

What i thought After Pass HTTP Parser : /cgi-bin/etc/passwd

If there's a reason why your team designed it like this, please let me know.

Regards,
CHOI
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!