Fwd: Re: [Snort-sigs] what attack response is sid 496 for?

Jim Forster jforster at ...11...
Mon Jan 14 09:05:04 EST 2002


Sorry - forgot to CC the list...

--- Here is the original message ---
From: "Jim Forster" <jforster at ...11...>
To: Chris Green <cmg at ...26...>
Cc:
Sent: Mon, 14 Jan 2002 10:02:26 -0700
Subject: Re: [Snort-sigs] what attack response is sid 496 for?

>---==On Mon, 14 Jan 2002 10:52:13 -0600, Chris Green wrote==---
>>alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any \
>>  (msg:"ATTACK RESPONSES directory listing"; \
>>  content:"Directory Listing of"; nocase; flags:A+; \
>>  classtype:unknown; sid:496; rev:2;)
>>
>>I just confirmed that W2K/XP/NT4 uses "Directory of ${dir}" for dir
>>so I'm a bit stumped as to what this one is for?  Autogenerated
>>indexes?
>>
>>alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any \
>>  (msg:"ATTACK RESPONSES http dir listing"; \
>>  content: "Volume Serial Number"; \
>>  flags: A+; classtype:bad-unknown; \
>>   sid:1292; rev:1;)
>>
>>is a much less common string to find in successful attacks for the
>>cmd.exe?/c+dir response
>
>Yep - that needs changed to "Directory of".
>"bytes free" might be a better content match for the second rule.
>Either one essentially does the same thing anyway... Catch boxes that
>are listing directories over 80.
>--------------------------------------------------------------------
>Sleep: A completely inadequate substitute for caffeine.
>
>Jim Forster, jforster at ...11... on 01/14/2002
>Network Administrator
>RapidNet, A Golden West Company
>
>
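Added check (my own Python, not code from the thread or from the Snort project) that emulates the `content:`/`nocase` part of the two rules against constructed sample responses, so you can see that sid:496 as posted never fires on real cmd.exe dir output while the strings suggested above do:

```python
# Constructed sample HTTP responses (not real captures), used to exercise the rules.
WINDOWS_DIR_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    " Volume in drive C has no label.\r\n"
    " Volume Serial Number is 1234-ABCD\r\n\r\n"
    " Directory of C:\\inetpub\\scripts\r\n\r\n"
    "01/14/2002  09:05a      <DIR>          .\r\n"
    "               1 File(s)              0 bytes\r\n"
    "               2 Dir(s)   1,234,567,890 bytes free\r\n"
)
APACHE_INDEX_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Index of /icons</title></head>"
    "<body><h1>Index of /icons</h1></body></html>"
)

# Minimal model of each rule: (sid, content string, nocase flag), taken from the thread.
RULES_AS_POSTED = [
    (496, "Directory Listing of", True),    # sid:496 rev:2 has nocase
    (1292, "Volume Serial Number", False),  # sid:1292 rev:1 has no nocase
]
RULES_PROPOSED = [
    (496, "Directory of", True),   # suggested replacement for sid:496
    (1292, "bytes free", False),   # suggested alternative for sid:1292
]


def content_matches(payload, content, nocase):
    """Emulate Snort's content: keyword: substring search, case-insensitive only with nocase."""
    if nocase:
        return content.lower() in payload.lower()
    return content in payload


def firing_sids(payload, rules):
    """Return the sorted list of sids whose content string is found in the payload."""
    return sorted({sid for sid, content, nocase in rules
                   if content_matches(payload, content, nocase)})


if __name__ == "__main__":
    for name, payload in [("cmd.exe dir", WINDOWS_DIR_RESPONSE),
                          ("Apache index", APACHE_INDEX_RESPONSE)]:
        print(name, "as posted:", firing_sids(payload, RULES_AS_POSTED),
              "proposed:", firing_sids(payload, RULES_PROPOSED))
```

Note that the Apache auto-index page says "Index of", so neither string set fires on it; a separate content match would be needed if autogenerated indexes were the intended target.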