[Snort-sigs] what attack response is sid 496 for?

Chris Green cmg at ...26...
Mon Jan 14 08:53:03 EST 2002


alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any \
      (msg:"ATTACK RESPONSES directory listing"; \
       content:"Directory Listing of"; nocase; flags:A+; \
       classtype:unknown; sid:496; rev:2;)

I just confirmed that W2K/XP/NT4 uses "Directory of ${dir}" for dir
so I'm a bit stumped as to what this one is for?  Autogenerated
indexes?

alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any \
       (msg:"ATTACK RESPONSES http dir listing"; \
        content: "Volume Serial Number"; \
        flags: A+; classtype:bad-unknown; \
         sid:1292; rev:1;)

is a much less common string to find in successful attacks for the
cmd.exe?/c+dir response
-- 
Chris Green <cmg at ...26...>
"I'm beginning to think that my router may be confused."
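
The comparison raised in the message above, as an added example that is not part of the original post or of Snort: it emulates only the content and nocase options of sid 496 and sid 1292 against constructed response payloads. The sample payloads, the RULES table and the function names are assumptions made for illustration; the rule header and flags:A+ are not modelled.

```python
# Added example: models only content / nocase from the two rules quoted above.
# Ports, direction and flags:A+ are deliberately left out.
RULES = {
    496:  {"content": b"Directory Listing of", "nocase": True},
    1292: {"content": b"Volume Serial Number", "nocase": False},
}

def content_match(rule, payload):
    """True if the rule's content string occurs anywhere in the payload."""
    needle, haystack = rule["content"], payload
    if rule["nocase"]:
        # nocase: compare both sides case-insensitively
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack

def matching_sids(payload):
    """Sorted list of sids whose content option matches the payload."""
    return sorted(sid for sid, rule in RULES.items()
                  if content_match(rule, payload))

# Constructed samples, not captured traffic.
# A Windows "dir" listing returned in an HTTP response body; the
# "Directory of" wording is the one the message reports for W2K/XP/NT4.
DIR_OUTPUT = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    b" Volume in drive C has no label.\r\n"
    b" Volume Serial Number is 0000-0000\r\n\r\n"
    b" Directory of c:\\inetpub\\scripts\r\n"
)
# A hypothetical autogenerated index page that happens to use the sid 496 string.
INDEX_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><title>DIRECTORY LISTING OF /pub</title></html>"
)
# Same dir output with case folded: sid 1292 has no nocase, so it misses this.
DIR_LOWER = DIR_OUTPUT.lower()

if __name__ == "__main__":
    for name, payload in [("dir output", DIR_OUTPUT),
                          ("index page", INDEX_PAGE),
                          ("dir output, lowercased", DIR_LOWER)]:
        print(f"{name}: sids {matching_sids(payload)}")
```
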



