Snort mailing list archives

Re: Individual rule msg definitions


From: Chris Green <cmg () uab edu>
Date: 27 Jul 2001 14:16:55 -0500

"Scott" <scottr () vdot net> writes:

Yes I am aware of the bugtraq, IDS numbers and cert ones, but what about
those that aren't referenced such as the ones I listed in the previous
email. I did a google but all I found were incidents but no definitions as
to what was the meaning.

[110:2:1]  spp_unidecode: Unicode Directory Transversal

I have no idea as to whether these alerts are serious or what they mean.

The alert is from spp_unidecode.  This attempts to act like the http
decode plugin but also decode multibyte unicode encodings into the
normal ascii style bytes.

/* c holds the decoded byte */
if (((c == 0x5c) || (c == 0x2f) || (c == 0x2e)) && do_detect)
{
    snprintf(logMessage, sizeof(logMessage),
             MODNAME ": Unicode Directory Transversal attack detected");
    /* ... (excerpt ends here) */
}

For the hex slow people:

perl -e 'printf("%c %c %c\n", 0x5c, 0x2f, 0x2e);'

\ / .

So, if the encoded byte is one of those characters, log it as a
unicode directory transversal attack.  E.g., a unicode mapping such that
it might be interpreted as /../
-- 
Chris Green <cmg () uab edu>
To err is human, to moo bovine.
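
The check described in the reply above, as an added example that is not part of the original post and is not Snort's code: percent-decode a URI, decode any 2- or 3-byte UTF-8 sequences, and count those whose decoded value is '\', '/' or '.'. The function names, the 1024-byte buffer and the sample URIs in the test are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst (dst needs strlen(src)+1 bytes); returns length. */
static size_t pct_decode(const char *src, unsigned char *dst)
{
    size_t n = 0;
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1])
                          && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            dst[n++] = (unsigned char)strtoul(hex, NULL, 16);
            src += 3;
        } else {
            dst[n++] = (unsigned char)*src++;
        }
    }
    return n;
}

/* Count 2- and 3-byte UTF-8 sequences in a URI that decode to '\', '/' or '.'.
   Returns -1 if the URI exceeds the example's fixed buffer (constructed limit). */
int count_encoded_traversal_chars(const char *uri)
{
    unsigned char buf[1024];
    size_t len, i = 0;
    int hits = 0;

    if (strlen(uri) >= sizeof(buf))
        return -1;
    len = pct_decode(uri, buf);
    while (i < len) {
        unsigned char b = buf[i];
        size_t extra = (b & 0xE0) == 0xC0 ? 1 : (b & 0xF0) == 0xE0 ? 2 : 0;
        unsigned long c = extra == 1 ? (b & 0x1Fu) : (b & 0x0Fu);
        size_t k;

        if (extra == 0 || i + extra >= len) { i++; continue; }
        for (k = 1; k <= extra && (buf[i + k] & 0xC0) == 0x80; k++)
            c = (c << 6) | (buf[i + k] & 0x3Fu);
        if (k <= extra) { i++; continue; }   /* malformed continuation byte */
        if (c == 0x5c || c == 0x2f || c == 0x2e)   /* same test as the quoted code */
            hits++;
        i += extra + 1;
    }
    return hits;
}
```

A legitimate multibyte character such as %c3%a9 decodes to a value outside the three tested, so it is not counted; only encodings that collapse to the path characters are.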
