Snort mailing list archives
Re: Directory Traversal
From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 30 Sep 2001 18:24:41 -0700 (PDT)
On Sun, 30 Sep 2001, Jim Kipp wrote:
Yes, I kow where the rule is, but I still don't know what it is exactly for. It does look IIS related, because in the payload there are GET ../cmd.exe blah blah
If the rule you're refering to is: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory traversal"; flags: A+; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:1;) Then it translates into: Someone used URL with "..\\" in it. If it's got cmd.exe tacked onto it, I'd say it is something like CR or Nimda. Could you post the packet payload? Sanitized of course! :) ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Directory Traversal Erek Adams (Sep 30)
- Re: Directory Traversal Brian (Sep 30)
- Re: Directory Traversal Jim Kipp (Oct 01)
- Re: Directory Traversal Jim Kipp (Oct 01)
- Re: Directory Traversal Brian (Sep 30)