Snort mailing list archives

Re: order of matching rules

From: Chris Green <cmg () snort org>
Date: Tue, 22 Oct 2002 21:38:09 -0400

archana rao <archuatdavis () yahoo com> writes:

When I use Snort to detect the attacks towards an IIS
server which uses the URI:
GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+"
why does it raise the alert:
"WEB--IIS cmd.exe access" with sid:1002 that looks for
content:"cmd.exe"
and not the alert:
"WEB-IIS File permission canonicalization" with
sid:981 that looks for
uricontent:"/scripts/..%c0%af../"?
Archana


%c0%af was probably written before we decoded that uri type.  It's
worth investigating further but the uris are normalized so detecting
it as a raw decode is problematic.
-- 
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.


-------------------------------------------------------
This sf.net emial is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ad.doubleclick.net/clk;4699841;7576301;v?http://www.sun.com/javavote
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

order of matching rules archana rao (Oct 16)
- Re: order of matching rules Chris Green (Oct 16)
  - Re: order of matching rules archana rao (Oct 17)
    - Re: order of matching rules Chris Green (Oct 22)
- Re: order of matching rules Matt Kettler (Oct 16)
- <Possible follow-ups>
- Re: order of matching rules Christopher Kruegel (Oct 22)
- Re: order of matching rules Christopher Kruegel (Oct 22)
  - Re: order of matching rules Chris Green (Oct 22)