Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Directory Traversal

From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 30 Sep 2001 18:24:41 -0700 (PDT)
On Sun, 30 Sep 2001, Jim Kipp wrote:


Yes, I kow where the rule is, but I still don't know what it is exactly
for. It does look IIS related, because in the payload there are GET
../cmd.exe blah blah


If the rule you're refering to is:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory
traversal"; flags: A+; content: "..\\";reference:arachnids,298;
classtype:attempted-recon; sid:1112; rev:1;)


Then it translates into:  Someone used URL with "..\\" in it.  If it's got
cmd.exe tacked onto it, I'd say it is something like CR or Nimda.

Could you post the packet payload?  Sanitized of course! :)


-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: