Re: WEB-MISC http directory traversal - False positive?

[JJ Cummings <cummingsj () gmail com>]

or remove the sensitive material itself from the packet.....

a variety of tools are available for this purpose -> 
http://www.tm.uka.de/pktanon/ is one such tool

J

Joel Esler wrote:
> If you aren't comfortable with emailing the packet to the list, file a 
> formal false positive report with the VRT at sourcefire dot com, 
> include the full packet dump, and they will take a look.
>
> J
>
> On Aug 14, 2008, at 9:46 AM, Jesper Skou Jensen wrote:
>
> > Yea I realize that, but there is somewhat sensitive material in the dump
> > that I didn't want to send to this list.
> >
> > But the most interesting part of the rule is content:"..|5C|"
> >
> > Wouldn't it mean that for this rule to fire this specific string would
> > have to be in the packet?
> >
> > As stated below that is not the case here, and that is quite weird imo.
> >
> > --
> >
> > Jesper S. Jensen
> > Uni-C - Århus, Danmark
> >
> >
> > Joel Esler wrote:
> > > It's rather hard to troubleshoot why a rule is firing, if the packet
> > > isn't available.
> > >
> > > Joel
> > >
> > > On Aug 14, 2008, at 5:24 AM, Jesper Skou Jensen wrote:
> > >
> > > > Hi guys,
> > > >
> > > > Our Snort regularly report "WEB-MISC http directory traversal" and I
> > > > believe that it's a false positive. I hope some of you guys can help me
> > > > out in analysing this.
> > > >
> > > > Here is the rule that's getting triggered:
> > > >
> > > > rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
> > > > $HTTP_PORTS (msg:"WEB-MISC http directory traversal";
> > > > flow:to_server,established; content:"..|5C|"; reference:arachnids,298;
> > > > classtype:attempted-recon; sid:1112; rev:6;)
> > > >
> > > > As far as I can see in the captured packet "..|5C|" or "..\" "5C" or
> > > > even "\" is nowhere to be found in the actual packet-dump. There is a
> > > > bunch of ".." but they appear to be legit parts of the http header. I
> > > > would have expected to find either one in the dump, and I'm trying to
> > > > find out why this rule is getting triggered.
> > > >
> > > >
> > > > We are logging via Barnyard and here is the header from the log. The
> > > > actual packet payload has been stripped out for security reasons.
> > > >
> > > > [**] [1:1112:6] WEB-MISC http directory traversal [**]
> > > > [Classification: Attempted Information Leak] [Priority: 2]
> > > > [Xref => http://www.whitehats.com/info/IDS298]
> > > > Event ID: 1027122     Event Reference: 1027122
> > > > 08/14/08-08:08:42.106881 [REMOVED]:30111 -> [REMOVED]:80
> > > > TCP TTL:53 TOS:0x0 ID:16356 IpLen:20 DgmLen:863
> > > > ***AP*** Seq: 0x11BD2580  Ack: 0xEACE3C2  Win: 0xFFFF  TcpLen: 32
> > > > TCP Options (3) => NOP NOP TS: 47859088 297178
> > > >
> > > >
> > > > Any ideas why this is getting triggered?
> > > >
> > > >
> > > > -- 
> > > >
> > > > Jesper S. Jensen
> > > > Uni-C - Århus, Danmark
> >
> > -------------------------------------------------------------------------
> > This SF.Net email is sponsored by the Moblin Your Move Developer's 
> > challenge
> > Build the coolest Linux based applications with Moblin SDK & win 
> > great prizes
> > Grand prize is a trip for two to an Open Source event anywhere in the 
> > world
> > http://moblin-contest.org/redirect.php?banner_id=100&url=/ 
> > <http://moblin-contest.org/redirect.php?banner_id=100&url=/>
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> --
> Joel Esler
>   http://blog.joelesler.net
>   http://www.dearcupertino.com
> [m]
>
>
>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users