Snort mailing list archives
Re: http directory traversal
From: Brian <bmc () snort org>
Date: Fri, 16 Nov 2001 09:23:36 -0500
According to RAMALINGA Reddy:
Hi, I started using snort along with the rules that come with it. There is one rule in web-misc.rules that reports "WEB-MISC http directory traversal" if the content is either "..\\" or "../". I think this rule should be looking for the same in uricontent rather than in content. Is there any reason why it is looking in the content ? Please clarify.
Yes, there is a reason for looking in the entire packet. Did you read the mail archives? I answered this question quite some time ago. Form variables are the one of the most exploited "issue" for web applications. Directory traversal happens in form variabes quite often. Because of this, we want to look for the "../" inside of form variables, which can be sent to the web server via HTTP POST. HTTP POST does not include variables in the URI. Limiting the content search to the URI would miss a large number of attacks. -- If North America were a turkey club at a diner, canada'd be the plate. Big, white, and there, but out of the way, and you never really think about it. And the plate's not as important as it thinks. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- http directory traversal RAMALINGA Reddy (Nov 16)
- Re: http directory traversal Brian (Nov 16)
- <Possible follow-ups>
- http directory traversal Render-Vue (Dec 16)