Snort mailing list archives

Re: HI_CLIENT_WEBROOT_DIR 119:18 rule help


From: Dave Venman <dvenman () sourcefire com>
Date: Mon, 15 Oct 2012 07:59:33 +0100

Hi there.

  (cc'ed the Snort users list too).

  Well, the client only knows that it can ask for something like
http://www.server.com/a/b/c - the exact location on disk is something it
doesn't need to know - the server does.

  In the case of a Webroot traversal, what happens is the attacker sends a
request like

    http://www.server.com/a/b/../../../

  and if the webserver is misconfigured, may provide the attacker access to
files which are outside the web document structure on disk.

On 14 October 2012 17:24, Balasubramaniam Natarajan <bala150985 () gmail com>wrote:



On Sun, Oct 14, 2012 at 9:09 PM, Dave Venman <dvenman () sourcefire com>wrote:

This is a preprocessor rule - the GID (119) gives it away.  GID is
"Generator ID". i.e. which subsystem in Snort (rules engine, preprocessor
etc) generated the event.

Clear text rules have a GID of 1, Shared Object (compiled/obfuscated) are
GID:3.  Other GIDs are documented in the Snort manual and the READMEs in
the source tarball.  The number after the colon is the SID (Signature ID,
or specific rule ID), in this case 18.

This particular rule is the HTTP Inspect preprocessor, and from the
README.http_inspect I get:

  18    Webroot directory traversal

So something is trying to do "../.." past the webroot of the webserver.


Hi Dave,

I have a question if you don't mind.

How does snort figure out that someone is going past the webroot, as I
can change the webroot to whatever I want and that would be specified in
webserver's conf file which snort will not have access to.

For example the default apache webroot would be /var/www/  If I want to I
could change it to point at
/var/www/OneMoreDirectory/virtualserver1/virtualserver1.html and if I host
another apache virtualhost at this location
/var/www/virtualserver2/server2.html  won't snort get confused when people
try to access http://<serverIP> and then http://<serverIP>/../../ ?


--
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/




-- 
Dave Venman, CISSP
Security Engineer Manager, Sourcefire EMEA
Email:   dave.venman () sourcefire com
Mobile: +44 (7917) 168068
DDI:     +44 (1344) 788412
Fax:     +44 (1344) 788401
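To illustrate the point Dave makes above (the detection needs no knowledge of the server's DocumentRoot, it only has to notice that the request URI climbs above "/"), here is an added example, written for this archive and not Snort's own HTTP Inspect code, of a URI normaliser that flags a request when a ".." segment has nothing left to climb out of. The request lines are constructed samples; the alert name and the exact decoding steps are my approximation of the preprocessor's behaviour, not a copy of it.

```python
from urllib.parse import unquote

# Constructed sample request lines (not from the original thread, apart
# from the /a/b/../../../ path Dave quotes).
SAMPLE_REQUESTS = [
    "GET /a/b/../c HTTP/1.1",                         # stays inside root
    "GET /a/b/../../../ HTTP/1.1",                    # climbs past root
    "GET /a/%2e%2e/%2e%2e/x HTTP/1.1",                # encoded ".." segments
    "GET http://www.server.com/a/b/../../../ HTTP/1.1",  # absolute-URI form
    "GET /./index.html HTTP/1.1",                     # harmless "." segment
]


def extract_path(uri: str) -> str:
    """Reduce a request-target to its path: drop scheme/host and query."""
    if "://" in uri:
        rest = uri.split("://", 1)[1]
        slash = rest.find("/")
        uri = rest[slash:] if slash >= 0 else "/"
    return uri.split("?", 1)[0]


def normalize_uri_path(path: str):
    """Return (normalized_path, went_past_root).

    The root is simply "/" as seen in the URI; the on-disk webroot is
    irrelevant, which is why the sensor never needs the server's config.
    """
    decoded = unquote(path)          # %2e%2e -> ..
    stack = []
    past_root = False
    for seg in decoded.split("/"):
        if seg in ("", "."):         # empty (double slash) or current dir
            continue
        if seg == "..":
            if stack:
                stack.pop()          # still inside the document tree
            else:
                past_root = True     # nothing left to pop: above "/"
            continue
        stack.append(seg)
    return "/" + "/".join(stack), past_root


def webroot_traversal_alert(request_line: str) -> bool:
    """True when the request's path climbs above the URI root."""
    parts = request_line.split()
    if len(parts) < 2:
        return False                 # not a parseable request line
    return normalize_uri_path(extract_path(parts[1]))[1]


def scan(request_lines):
    """Return the list of request lines that would raise the alert."""
    return [line for line in request_lines if webroot_traversal_alert(line)]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        path, past = normalize_uri_path(extract_path(line.split()[1]))
        print(f"{'ALERT ' if past else 'ok    '} {line!r} -> {path}")
```

Note that "/a/b/../c" normalises to "/a/c" without an alert, which matches the second half of the question: a virtual host rooted somewhere deeper on disk changes nothing, because the count of ".." segments is checked against the URI path the client actually sent, not against any filesystem location.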
