Commentary:
To Whom It May Concern:
I've got a packet that generated an http_inspect alert and a WEB-MISC
http directory traversal. After looking at the packet contents, I feel
that this packet should have also generated an alert of rule 1:1002.
However, the packet failed to generate the alert.
I'm not sure if this connection was established or not, so I'm not
really sure if this is constitutes a false negative. At any rate, I
thought I would pass it along. The packet details are below.
Thanks,
Matt
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#
Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe";
nocase; classtype:web-application-attack; sid:1002; rev:7;)
--
Sid:
1:1002
--
False Negatives:
src port 3996
dest port 80
flags ACK,PSH
options none
Payload:
length = 59
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 32 35 35 63 25 32 35 35 63 2E 2E 2F 77 69 6E 6E 255c%255c../winn
020 : 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65 t/system32/cmd.e
030 : 78 65 3F 2F 63 2B 64 69 72 0D 0A xe?/c+dir..
--
Corrective Action:
Unknown
--
Contributors:
The original author.
-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
