Snort mailing list archives

Spurious Alerts?

From: David Bianco <bianco () jlab org>
Date: Tue, 30 Apr 2002 15:38:52 -0400

Finney Charles E writes:

Running Snort 1.8.6 on FreeBSD 4.5, Alerts on:

alert tcp $EXTERNAL_NET any -> any 80 (msg:"WEB-ATTACKS /bin/ls command
attempt"; flags:A+; uricontent:"/bin/ls"; nocase; sid:1369; rev:1;
classtype:web-application-attack;)
The packet data as displayed in ACID is:
4B 4F 52 6A 4B 30 39 4B 0D 0A 0D                              KORjK09K...
Any clues as to why SNORT would alert on the aforementioned?


Unfortunately, since you didn't really include enough information for
me to help, I can only guess.  I'd need to see the full dump of the packet,
but I suppose there's a part in the data that looks like "/bin/ls", at 
least after passing it through the HTTP decoding preprocessor.  You'd need
to look at the rest of the packet for a better answer.

      David


-- 
David J. Bianco, GSEC           <bianco () jlab org>
Thomas Jefferson National Accelerator Facility

     The views expressed herein are soley those of the author and
            not those of SURA/Jefferson Lab or the US DOE.

_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: 
bandwidth@sourceforge.net_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Spurious Alerts? Finney Charles E (Apr 30)
- Spurious Alerts? David Bianco (Apr 30)
- <Possible follow-ups>
- RE: Spurious Alerts? Finney Charles E (Apr 30)