Snort mailing list archives
Re: HI_CLIENT_WEBROOT_DIR 119:18 rule help
From: Dave Venman <dvenman () sourcefire com>
Date: Mon, 15 Oct 2012 07:59:33 +0100
Hi there. (cc'ed the Snort users list too).

Well, the client only knows that it can ask for something like http://www.server.com/a/b/c - the exact location on disk is something it doesn't need to know - the server does. In the case of a Webroot traversal, what happens is the attacker sends a request like http://www.server.com/a/b/../../../ and if the webserver is misconfigured, it may provide the attacker access to files which are outside the web document structure on disk.

On 14 October 2012 17:24, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:

> On Sun, Oct 14, 2012 at 9:09 PM, Dave Venman <dvenman () sourcefire com> wrote:
>
> > This is a preprocessor rule - the GID (119) gives it away. GID is "Generator ID", i.e. which subsystem in Snort (rules engine, preprocessor etc.) generated the event. Clear text rules have a GID of 1, Shared Object (compiled/obfuscated) rules are GID 3. Other GIDs are documented in the Snort manual and the READMEs in the source tarball. The number after the colon is the SID (Signature ID, or specific rule ID), in this case 18. This particular rule is the HTTP Inspect preprocessor, and from the README.http_inspect I get:
> >
> > 18 Webroot directory traversal
> >
> > So something is trying to do "../.." past the webroot of the webserver.
>
> Hi Dave,
>
> I have a question if you don't mind. How does Snort figure out that someone is going past the webroot, as I can change the webroot to whatever I want and that would be specified in the webserver's conf file, which Snort will not have access to? For example the default Apache webroot would be /var/www/. If I want to I could change it to point at /var/www/OneMoreDirectory/virutalserver1/virtualserver1.html and if I host another Apache virtualhost at this location /var/www/virtualserver2/server2.html, won't Snort get confused when people try to access http://<serverIP> and then http://<serverIP>/../../ ?
>
> --
> Regards,
> Balasubramaniam Natarajan
> www.etutorshop.com/moodle/
--
Dave Venman, CISSP
Security Engineer Manager, Sourcefire EMEA
Email: dave.venman () sourcefire com
Mobile: +44 (7917) 168068
DDI: +44 (1344) 788412
Fax: +44 (1344) 788401
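The point of Dave's answer is that the detector never needs the server's document root: ".." segments are counted against the root of the URI path itself, so http://<serverIP>/../../ climbs above "/" no matter where Apache's DocumentRoot points. The following is an added illustration of that idea in Python (written for this thread, not Snort's HTTP Inspect code); the single percent-decode and backslash handling are assumptions of the example, and the request lines are constructed samples.

```python
"""Illustrative webroot-traversal check in the spirit of Snort event 119:18.
This is an added example, not Snort's own HTTP Inspect implementation.
Only the request URI is inspected; no knowledge of the webroot is needed."""
from typing import Tuple
from urllib.parse import unquote, urlsplit


def traverses_webroot(uri: str) -> bool:
    """Return True if the URI path climbs above '/' after normalisation."""
    # Works for both origin-form (/a/b) and absolute-form (http://host/a/b)
    # request targets; query string and fragment are not part of the path.
    path = urlsplit(uri).path
    # Percent-decode once (e.g. %2e%2e -> ..) and treat backslash as '/'
    # as some web servers do. Both are assumptions made for this example.
    path = unquote(path).replace("\\", "/")
    depth = 0  # number of real directory levels below '/'
    for seg in path.split("/"):
        if seg in ("", "."):  # empty segment (double slash) or self-reference
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:  # climbed above the root of the path: alert
                return True
        else:
            depth += 1
    return False


def check_request_line(line: str) -> Tuple[str, bool]:
    """Parse 'METHOD URI VERSION' and return (uri, alert)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1], traverses_webroot(parts[1])


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /a/b/c HTTP/1.1",                   # plain request, no alert
    "GET http://www.server.com/a/b/../../../ HTTP/1.1",  # Dave's example
    "GET /a/b/../c HTTP/1.1",                # '..' but still inside webroot
    "GET /%2e%2e/%2e%2e/ HTTP/1.1",          # percent-encoded '..'
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        uri, alert = check_request_line(req)
        print(f"{'ALERT' if alert else 'ok   '} {uri}")
```

Note that "/a/b/../c" does not alert: the traversal is counted, but the path never goes above "/", which is exactly why the webroot's location on disk is irrelevant to the check.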