[Snort-sigs] web-frontpage.rules; web-iis.rules ordering issue

Chris Green cmg at ...26...
Thu Jan 17 11:44:09 EST 2002


snort.conf has

include web-frontpage.rules
include web-iis.rules

last line of frontpage

(msg:"WEB-FRONTPAGE /_vti_bin/ access";flags: A+; uricontent:"/_vti_bin/"; nocase; classtype:web-application-activity; sid:1288; rev:2;)

GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir

will set that off ( rightly so ) but I tend to think of that more as
cmd.exe access.

Perhaps we should invert the rules ordering in snort.conf to

include web-iis.rules
include web-frontpage.rules


-- 
Chris Green <cmg at ...26...>
"I'm beginning to think that my router may be confused."




More information about the Snort-sigs mailing list