Snort mailing list archives
Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt
From: Willst Mail <willstmail () gmail com>
Date: Wed, 24 Feb 2010 14:06:01 -0500
Hello,

The VRT signatures released 2010-02-23 contain an updated version of SID 3192 "WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt." It looks like the rule became more generic than previous revisions: whereas earlier revisions had a pcre, this one just looks for "Content-Disposition " followed at some point by "filename=".

We previously saw almost no alerts generated by this rule, but we have been seeing about 1200 per hour since the updated rule was released. All of the alerts look to be responses from web servers to our internal clients, with an external sensor reporting the destination IP as our outbound gateway.

Is anyone else seeing this sort of behavior? From the handful of packets I have looked at so far, these appear to be mostly false positives.
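The gap between the two matching styles described in the message, as an added example that is not part of the original post and not the VRT rule text: a Python triage sketch that runs a broad "header then filename=" match and a narrower traversal check over constructed response headers. The sample headers, the function names and the `NARROW` regex are assumptions made for illustration; the pcre from the earlier rule revisions is not shown on this page.

```python
import re

# Constructed HTTP response headers (not captured traffic).
SAMPLES = {
    "pdf_download": b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                    b"Content-Disposition: attachment; filename=\"report.pdf\"\r\n\r\n",
    "inline_image": b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                    b"Content-Disposition: inline; filename=\"logo.png\"\r\n\r\n",
    "no_disposition": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "traversal_name": b"HTTP/1.1 200 OK\r\nContent-Type: video/x-ms-wmv\r\n"
                      b"Content-Disposition: attachment; filename=\"..\\..\\clip.wmv\"\r\n\r\n",
}

def broad_match(headers: bytes) -> bool:
    """Model of the behaviour described in the post: the header name,
    followed at some later point by 'filename='."""
    low = headers.lower()
    start = low.find(b"content-disposition")
    return start != -1 and low.find(b"filename=", start) != -1

# Hypothetical narrower check (an assumption, not the earlier revisions' pcre):
# the filename parameter on the Content-Disposition line must contain a
# parent-directory sequence ("../" or "..\").
NARROW = re.compile(
    rb"^content-disposition:[^\r\n]*filename\*?=[^\r\n]*\.\.[\\/]",
    re.IGNORECASE | re.MULTILINE,
)

def narrow_match(headers: bytes) -> bool:
    return NARROW.search(headers) is not None

def triage(samples: dict) -> dict:
    """Return {sample name: (broad hit, narrow hit)} for each header block."""
    return {name: (broad_match(h), narrow_match(h)) for name, h in samples.items()}

def alert_counts(samples: dict) -> tuple:
    """Total alerts each matching style would raise over the samples."""
    results = triage(samples).values()
    return sum(b for b, _ in results), sum(n for _, n in results)

if __name__ == "__main__":
    for name, (broad, narrow) in triage(SAMPLES).items():
        print(f"{name:15} broad={broad!s:5} narrow={narrow}")
    print("alerts (broad, narrow):", alert_counts(SAMPLES))
```

Every ordinary attachment or inline response carrying a `filename=` parameter trips the broad match, which is consistent with the jump in alert volume on server-to-client traffic reported above.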