[Snort-sigs] Snort newbie having trouble with using rule for detecting WebDAV exploit

Jason Richardson a00jer1 at ...1446...
Thu Apr 10 11:59:12 EDT 2003

Hi all, I'm a Snort newbie running Snort 1.8.7 for Windows on a Windows
XP SP1 host.  When I try to add either of these rules:

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav
search access"; flow:to_server,established; content: "SEARCH "; depth:
8; nocase;reference:arachnids,474; classtype:web-application-activity;
sid:1070; rev:5;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS WEBDAV
exploit attempt"; flow:to_server,established;
content:"HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|";
content:"Accept|3a| |2a|/|2a0a|Translate|3a|
f|0a|Content-length|3a|5276|0a0a|"; distance:1;
reference:cve,CAN-2003-0109; reference:bugtraq,7716;
classtype:attempted-admin; sid:2090; rev:2;)

Snort pukes with the following error: ERROR:
c:/snort/rules/web-iis.rules(103) => Unknown keyword "flow" in rule!

Any help is appreciated.



More information about the Snort-sigs mailing list