Snort mailing list archives

Another uricontent question


From: "Lawrence Reed" <Lawrence.Reed () noaa gov>
Date: Thu, 27 Feb 2003 13:10:33 +0000

Do uricontents get checked sequentially, like content options? In particular, sid 1072 has two uricontent options. According to most of the advisories, these two uricontents need to appear in the order they are defined, i.e. "GET /.nsf/../somefile". However, I am receiving alerts for URIs like "GET /../prog.nsf/data/file". Is this expected behaviour?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus Domino directory traversal"; uricontent:".nsf/"; uricontent:"../"; nocase; flow:to_server,established; reference:cve,CVE-2001-0009; reference:bugtraq,2173; classtype:web-application-attack; sid:1072; rev:6;)

URI in question:  "GET /../MEMWebsite.nsf/Files/tep/file/tep.pdf "

--
Larry Reed  Lawrence.Reed () noaa gov
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
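
An added example, not part of the original post and not Snort's own code: a simplified Python model that contrasts order-independent matching of the two uricontent patterns from sid 1072 with order-enforced matching, run over the URIs quoted in the post. Order-independent matching is the behaviour consistent with the alert described above. Assumptions: matching is done on the raw URI string with no URI normalization, the rule's nocase modifier is not modelled, the function names are hypothetical, and the benign URI is constructed.

```python
# Patterns from sid 1072, in the order the rule lists them.
PATTERNS = [".nsf/", "../"]

def match_independent(uri, patterns=PATTERNS):
    """Every pattern must occur somewhere in the URI; relative order is ignored."""
    return all(p in uri for p in patterns)

def match_ordered(uri, patterns=PATTERNS):
    """Every pattern must occur at or after the end of the previous match."""
    pos = 0
    for p in patterns:
        idx = uri.find(p, pos)
        if idx < 0:
            return False
        pos = idx + len(p)
    return True

def compare(uris):
    """Return {uri: (independent_result, ordered_result)} for each URI."""
    return {u: (match_independent(u), match_ordered(u)) for u in uris}

# URIs quoted in the post, plus one constructed benign request.
SAMPLE_URIS = [
    "/.nsf/../somefile",                          # order given in the advisories
    "/../prog.nsf/data/file",                     # reversed order, alert reported
    "/../MEMWebsite.nsf/Files/tep/file/tep.pdf",  # "URI in question"
    "/prog.nsf/data/file",                        # constructed: no "../" at all
]

if __name__ == "__main__":
    for uri, (indep, ordered) in compare(SAMPLE_URIS).items():
        print(f"{uri:45} independent={indep!s:5} ordered={ordered}")
```

Under the order-independent model, all three URIs from the post match; only the advisory-style URI matches when order is enforced.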
