[Snort-sigs] Snort newbie having trouble with using rule for detecting WebDAV exploit

Matt Yackley Matt.Yackley at ...712...
Thu Apr 10 12:30:12 EDT 2003

The "flow:to_server" option is not supported in 1.8.x, if possible upgrade
to a newer version of snort.


-----Original Message-----
From: Jason Richardson [mailto:a00jer1 at ...1446...] 
Sent: Tuesday, April 08, 2003 11:41 PM
To: snort-sigs at lists.sourceforge.net

Hi all, I'm a Snort newbie running Snort 1.8.7 for Windows on a Windows XP
SP1 host.  When I try to add either of these rules:

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav
search access"; flow:to_server,established; content: "SEARCH "; depth:
8; nocase;reference:arachnids,474; classtype:web-application-activity;
sid:1070; rev:5;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS WEBDAV
exploit attempt"; flow:to_server,established;
content:"HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|";
content:"Accept|3a| |2a|/|2a0a|Translate|3a|
f|0a|Content-length|3a|5276|0a0a|"; distance:1;
reference:cve,CAN-2003-0109; reference:bugtraq,7716;
classtype:attempted-admin; sid:2090; rev:2;)

Snort pukes with the following error: ERROR:
c:/snort/rules/web-iis.rules(103) => Unknown keyword "flow" in rule!

Any help is appreciated.



This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger
for complex code. Debugging C/C++ programs can leave you feeling lost and
disoriented. TotalView can help you find your way. Available on major UNIX
and Linux platforms. Try it free. www.etnus.com
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list