[Snort-sigs] SIDs 981-983 changes

Jon warchild at ...288...
Sat Jan 11 14:35:03 EST 2003


Greetings,

I just noticed that SIDs 981, 982, and 983 are almost identical.  They are
meant to detect three variants of the same exploit yet they have identical
msg fields.  Ideally we could combine this into a single rule using some
sort of OR on the content field, but I don't know of any such option.  I
vote for changing the msg fields to be a bit more specific for lack of the
OR feature:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt (%c0%af)"; flow:to_server,established; content:"/..%c0%af../"; nocase; classtype:web-application-attack; reference:cve,CVE-2000-0884; sid:981; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt (%c1%1c)"; flow:to_server,established; content:"/..%c1%1c../"; nocase; classtype:web-application-attack; reference:cve,CVE-2000-0884; sid:982; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt (%c1%9c)"; flow:to_server,established; content:"/..%c1%9c../"; nocase; classtype:web-application-attack; reference:cve,CVE-2000-0884; sid:983; rev:7;)

Thoughts?

-jon
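The single OR-style check Jon asks for, written out as an added example that is not from the original post or the Snort ruleset: a small Python detector that matches all three percent-encoded sequences from SIDs 981-983 with one case-insensitive pattern (the counterpart of the rules' nocase content matches) and reports which variant fired, alongside two decoders. The strict one is Python's conforming UTF-8 decoder, which rejects all three sequences; the lenient one is an assumed model of how the vulnerable IIS decoder handled them (it is not taken from Microsoft), and shows why %c0%af collapses to "/" and %c1%1c and %c1%9c to "\". The request lines are constructed for the demo, not captured traffic.

```python
import re
from typing import Optional

# The three percent-encoded sequences covered by SIDs 981, 982 and 983.
VARIANTS = ("%c0%af", "%c1%1c", "%c1%9c")

# One pattern that ORs the three content strings "/..%c0%af../" etc.
# IGNORECASE mirrors the rules' "nocase" modifier.
TRAVERSAL_RE = re.compile(rb"/\.\.(%c0%af|%c1%1c|%c1%9c)\.\./", re.IGNORECASE)


def which_variant(request: bytes) -> Optional[str]:
    """Return the matching variant (lowercased) or None if the request is clean."""
    m = TRAVERSAL_RE.search(request)
    return m.group(1).decode("ascii").lower() if m else None


def _pct_bytes(seq: str) -> bytes:
    """Turn '%c0%af' into b'\\xc0\\xaf' (only this two-escape shape is needed here)."""
    parts = seq.lower().split("%")[1:]
    return bytes(int(p, 16) for p in parts)


def strict_decode(seq: str) -> Optional[str]:
    """A conforming UTF-8 decoder: overlong or ill-formed input is rejected."""
    try:
        return _pct_bytes(seq).decode("utf-8")
    except UnicodeDecodeError:
        return None


def lenient_decode(seq: str) -> str:
    """Assumed model of the lenient IIS decoder (not Microsoft's code): treat any
    0xC0-0xDF lead byte as starting a two-byte sequence and OR the low bits in,
    without rejecting overlong forms or checking that the trail byte is a real
    continuation byte (0x80-0xBF)."""
    lead, trail = _pct_bytes(seq)
    if not 0xC0 <= lead <= 0xDF:
        raise ValueError("only two-byte lead bytes are modelled")
    return chr(((lead & 0x1F) << 6) | (trail & 0x3F))


def scan(requests):
    """Run the combined detector over request lines; return (request, variant) hits."""
    hits = []
    for req in requests:
        v = which_variant(req)
        if v is not None:
            hits.append((req, v))
    return hits


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.0",
    b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /scripts/..%C1%1C../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /msadc/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    # Unencoded traversal: outside the scope of these three rules, so no hit.
    b"GET /scripts/../../winnt/system32/cmd.exe HTTP/1.0",
]

if __name__ == "__main__":
    for seq in VARIANTS:
        print(f"{seq}: strict={strict_decode(seq)!r} lenient={lenient_decode(seq)!r}")
    for req, v in scan(SAMPLE_REQUESTS):
        print(f"hit ({v}): {req.decode('ascii')}")
```

Keeping the variant in the return value is the point of the exercise: a merged check still has to say which sequence matched, which is exactly what the more specific msg fields proposed above give you when the rules stay separate.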