Snort mailing list archives
Another uricontent question
From: "Lawrence Reed" <Lawrence.Reed () noaa gov>
Date: Thu, 27 Feb 2003 13:10:33 +0000
Do uricontents get checked sequentially, like content options? In particular, sid 1072 has two uricontent options. According to most of the advisories, these two uricontents need to appear in the order they are defined, i.e. "GET /.nsf/../somefile". However, I am receiving alerts for URIs like "GET /../prog.nsf/data/file". Is this expected behaviour?
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus Domino directory traversal"; uricontent:".nsf/"; uricontent:"../"; nocase; flow:to_server,established; reference:cve,CVE-2001-0009; reference:bugtraq,2173; classtype:web-application-attack; sid:1072; rev:6;)
URI in question: "GET /../MEMWebsite.nsf/Files/tep/file/tep.pdf "

--
Larry Reed
Lawrence.Reed () noaa gov
NOAA IT Security Office
PGP Public Key: http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
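An added illustration, not part of the original post and not Snort's own code: a small Python model that extracts the two uricontent options from sid 1072 as quoted above and evaluates both URIs from the post under order-independent and order-dependent matching. It assumes plain substring search with nocase bound to the preceding uricontent, and it does not model Snort's URI normalization; the function names are hypothetical.

```python
# sid 1072 exactly as quoted in the post
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-MISC Lotus Domino directory traversal"; uricontent:".nsf/"; '
        'uricontent:"../"; nocase; flow:to_server,established; '
        'reference:cve,CVE-2001-0009; reference:bugtraq,2173; '
        'classtype:web-application-attack; sid:1072; rev:6;)')

def uricontents(rule):
    """Return [(pattern, nocase)] in rule order (assumption: nocase modifies
    the uricontent immediately before it)."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    patterns = []
    for opt in body.split(';'):
        key, _, val = opt.partition(':')
        key = key.strip()
        if key == 'uricontent':
            patterns.append([val.strip().strip('"'), False])
        elif key == 'nocase' and patterns:
            patterns[-1][1] = True
    return [tuple(p) for p in patterns]

def _find(uri, pat, nocase, start=0):
    if nocase:
        uri, pat = uri.lower(), pat.lower()
    return uri.find(pat, start)

def match_independent(uri, pats):
    """Every pattern must occur somewhere in the URI; positions are not compared."""
    return all(_find(uri, p, nc) != -1 for p, nc in pats)

def match_ordered(uri, pats):
    """Each pattern must occur after the end of the previous pattern's match."""
    pos = 0
    for p, nc in pats:
        hit = _find(uri, p, nc, pos)
        if hit == -1:
            return False
        pos = hit + len(p)
    return True

if __name__ == '__main__':
    pats = uricontents(RULE)
    # The two request URIs taken from the post
    for uri in ('/.nsf/../somefile', '/../MEMWebsite.nsf/Files/tep/file/tep.pdf'):
        print(f'{uri!r}: independent={match_independent(uri, pats)} '
              f'ordered={match_ordered(uri, pats)}')
```

The alert reported for the second URI is what the order-independent evaluation produces; under the order-dependent evaluation only the advisory-style URI would match.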
Current thread:
- Another uricontent question Lawrence Reed (Feb 27)
- Re: Another uricontent question Chris Green (Feb 27)