Snort mailing list archives
Re: HI_CLIENT_WEBROOT_DIR 119:18 rule help
From: Dave Venman <dvenman () sourcefire com>
Date: Sun, 14 Oct 2012 16:39:46 +0100
This is a preprocessor rule - the GID (119) gives it away. GID is "Generator ID", i.e. which subsystem in Snort (rules engine, preprocessor etc.) generated the event. Clear-text rules have a GID of 1; Shared Object (compiled/obfuscated) rules are GID 3. Other GIDs are documented in the Snort manual and the READMEs in the source tarball.

The number after the colon is the SID (Signature ID, or specific rule ID), in this case 18.

This particular rule is the HTTP Inspect preprocessor, and from the README.http_inspect I get:

18 Webroot directory traversal

So something is trying to do "../.." past the webroot of the webserver.

On 14 October 2012 11:45, Chuck DiRaimondi <charlesd81 () gmail com> wrote:
I'm new to Snort and rules in general, so I apologize in advance. I've been trying to understand this rule. When would this rule be fired? I don't see a content or similar type keyword in the rule that would look for specific data within the payload and then fire if it meets the criteria. Thanks!
--
Dave Venman, CISSP
Security Engineer Manager, Sourcefire EMEA
Email: dave dot venman at sourcefire.com <dave.venman () sourcefire com>
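The reply above explains why 119:18 has no `content` keyword: the alert is not a payload pattern match, it is a decision the HTTP Inspect preprocessor makes after normalizing the request URI and noticing that `..` segments climb past the webroot. The following is an added example, written for this archive page and not code from the post, from Snort or from README.http_inspect, that reproduces that decision in Python over a few constructed request URIs. The two-pass percent-decoding, the treatment of `\` as a separator, and checking only the path (not the query string) are this example's own assumptions about what "past the webroot" means, not a statement of http_inspect's exact normalization settings.

```python
import re
from urllib.parse import unquote

# Constructed sample request URIs for this example (not from the mailing-list post).
SAMPLE_URIS = [
    "/images/../index.html",        # '..' stays inside the webroot
    "/../../etc/passwd",            # plain ../.. past the webroot
    "/%2e%2e/%2e%2e/etc/passwd",    # percent-encoded dots
    "/%252e%252e/etc/passwd",       # double-encoded dots
    "/docs/..\\..\\boot.ini",       # backslash separators (IIS style)
    "/index.html?q=../../x",        # traversal only in the query string
]


def decode_path(raw_path: str, max_passes: int = 2) -> str:
    """Percent-decode the path, repeating up to max_passes times so that a
    double-encoded sequence such as %252e (-> %2e -> .) is unwrapped.
    The pass limit is an assumption of this example, not http_inspect's setting."""
    path = raw_path
    for _ in range(max_passes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def lowest_depth(path: str) -> int:
    """Walk the directory segments and return the lowest depth reached,
    where 0 is the webroot. A '..' taken at depth 0 reaches -1: above the root."""
    depth = lowest = 0
    # Treating '\' like '/' mirrors IIS-style paths; an assumption of this example.
    for seg in re.split(r"[/\\]+", path):
        if seg in ("", "."):
            continue          # empty or '.' segments do not change depth
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return lowest


def traverses_above_webroot(uri: str) -> bool:
    """True when the request path climbs past the webroot, the condition the
    reply describes for 119:18. Only the path component is examined; ignoring
    the query string and fragment is this example's choice."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    return lowest_depth(decode_path(path)) < 0


def flag_samples(uris=SAMPLE_URIS):
    """Return the subset of uris that would raise the webroot traversal alert."""
    return [u for u in uris if traverses_above_webroot(u)]


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        verdict = "ALERT 119:18" if traverses_above_webroot(uri) else "ok          "
        print(f"{verdict}  {uri}")
```

Note that `/images/../index.html` is not flagged: the `..` only returns to the webroot, it never goes above it. That distinction is what separates "webroot directory traversal" from a request that merely contains `..`, and it is computed from the decoded path rather than from any literal byte sequence, which is why the rule needs no `content` match.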
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- HI_CLIENT_WEBROOT_DIR 119:18 rule help Chuck DiRaimondi (Oct 14)
- Re: HI_CLIENT_WEBROOT_DIR 119:18 rule help Dave Venman (Oct 14)
- Message not available
- Re: HI_CLIENT_WEBROOT_DIR 119:18 rule help Dave Venman (Oct 15)
- Message not available
- Re: HI_CLIENT_WEBROOT_DIR 119:18 rule help Dave Venman (Oct 14)