Snort mailing list archives

Re: rule question


From: Wayne T Work <wwork () cybergnostic com>
Date: Tue, 25 Sep 2001 13:57:15 -0400

Try this. Not sure what the sid is, but it will help.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:"WEB-MISC APC Network dot dot Bug"; uricontent:"/\../\../\../\..\/\../WINNT/repair/"; flags: A+; classtype:attempted-admin; sid: ; rev:1;)

At 11:44 AM 9/25/2001 -0400, cdowns wrote:
I have created this rule for one of my IDS boxes, but there is something wrong. Does anyone see what could be wrong with this? I'm overlooking something simple, I'm sure.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:WEB-MISC APC Network dot dot Bug"; uricontent:"/\../\../\../\..\/\../WINNT/repair/"; flags:A+; classtype:attempted-admin;)

thanks
-D
--
--------------------------------
 Network Security Administrator
     Christopher M Downs
    Skillsoft Corporation
  http://www.skillsoft.com
"you can't point and click your
 way to super cracker status -"
--------------------------------

Wayne T Work
Manager of Information Systems Security
Cybergnostic.net, Inc.
(O) 203-331-4417
(C) 203-217-5004
www.cybergnostic.com
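
An added example, not part of the original thread and not Snort's own parser: a small Python checker for the option-level mistakes this thread turns on (a misplaced double quote in msg, an empty or missing sid, a misspelled option keyword). The function names, the partial keyword list, the policy of flagging a missing sid, and the sample rules are assumptions made for this illustration.

```python
import re

# Partial keyword list chosen for this thread, not Snort's full option set.
KNOWN = {"msg", "content", "uricontent", "flags", "classtype", "sid", "rev",
         "reference", "nocase", "offset", "depth"}

def split_options(body):
    """Split the option body on ';', ignoring ';' inside double quotes."""
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # keep escaped pairs intact
            cur, i = cur + body[i:i + 2], i + 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    opts.append(cur.strip())
    return [o for o in opts if o]

def lint_rule(rule):
    """Return a list of findings; an empty list means nothing was flagged."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        return ["rule has no parenthesised option body"]
    findings, seen = [], set()
    for opt in split_options(rule[start + 1:end]):
        key, _, val = (part.strip() for part in opt.partition(":"))
        seen.add(key)
        bare = re.sub(r"\\.", "", val)  # ignore escaped characters when counting quotes
        quoted = bare.count('"') == 2 and bare.lstrip("!").startswith('"') and bare.endswith('"')
        if '"' in bare and not quoted:  # the ';' split is unreliable from here, so stop
            return [f"{key}: unbalanced or misplaced double quote"]
        if key not in KNOWN:
            findings.append(f"{key}: unknown option keyword")
        elif key in {"msg", "sid", "rev", "classtype"} and not val.strip('"'):
            findings.append(f"{key}: empty value")
    if "sid" not in seen:
        findings.append("sid: option missing")
    return findings

# Constructed inputs modelled on the two rules quoted in the thread.
QUESTION_RULE = r'''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:WEB-MISC APC Network dot dot Bug"; uricontent:"/\../\../\../\..\/\../WINNT/repair/"; flags:A+; classtype:attempted-admin;)'''
REPLY_RULE = r'''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:"WEB-MISC APC Network dot dot Bug"; uricontent:"/\../\../\../\..\/\../WINNT/repair/"; flags: A+; classtype:attempted-admin; sid: ; rev:1;)'''
```

Calling lint_rule() on the rule from the question reports the quote problem in msg, and on the rule from the reply it reports only the sid that still needs a value.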
