[Snort-sigs] SIDs 981-983 changes

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Jan 13 07:31:09 EST 2003


I second the motion.

-----Original Message-----
From: Jon [mailto:warchild at ...288...] 
Sent: Saturday, January 11, 2003 4:35 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] SIDs 981-983 changes


Greetings,

I just noticed that SIDs 981, 982, and 983 are almost identical.  They are
meant to detect three variants of the same exploit yet they have identical
msg fields.  Ideally we could combine this into a single rule using some
sort of OR on the content field, but I don't know of any such option.  I
vote for changing the msg fields to be a bit more specific for lack of the
OR feature:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt (%c0%af)"; flow:to_server,established; content:"/..%c0%af../"; nocase; classtype:web-application-attack; reference:cve,CVE-2000-0884; sid:981; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt (%c1%1c)"; flow:to_server,established; content:"/..%c1%1c../"; nocase; classtype:web-application-attack; reference:cve,CVE-2000-0884; sid:982; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt (%c1%9c)"; flow:to_server,established; content:"/..%c1%9c../"; nocase; classtype:web-application-attack; reference:cve,CVE-2000-0884; sid:983; rev:7;)

Thoughts?

-jon


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
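The three rules in the quoted message differ only in the two percent-encoded bytes between the ".." segments. As an added example (not code from the thread or from the Snort project), the Python below applies the three content matches, with the rules' nocase semantics, to constructed sample requests and then shows why three distinct byte pairs are needed: under a simplified model of a lenient two-byte decoder (an assumption for illustration, not IIS's actual decoder) all three collapse to a path separator, while a conforming UTF-8 decoder rejects each of them. The request strings, SID table and function names are constructed here.

```python
import urllib.parse
from typing import Dict, List, Optional

# Content strings taken from SIDs 981-983 in the thread; each is the
# "/..<two-byte encoding>../" form of the same directory traversal.
TRAVERSAL_SIGS: Dict[int, bytes] = {
    981: b"/..%c0%af../",
    982: b"/..%c1%1c../",
    983: b"/..%c1%9c../",
}


def match_sids(request: bytes) -> List[int]:
    """Return the SIDs whose content string appears in the raw request.

    The rules use content + nocase (not uricontent), so this is a
    case-insensitive substring match over the whole payload.
    """
    payload = request.lower()
    return [sid for sid, pat in TRAVERSAL_SIGS.items() if pat in payload]


def lenient_two_byte_decode(lead: int, trail: int) -> int:
    """Assumed model of a lenient two-byte decoder: it trusts the lead
    byte's bit pattern, takes the low six bits of the next byte without
    checking that it is a continuation byte, and never rejects overlong
    forms.  A simplified illustration, not IIS's actual decoder."""
    return ((lead & 0x1F) << 6) | (trail & 0x3F)


def decode_path_lenient(path: str) -> str:
    """Percent-decode, then run the lenient decoder on any 0xC0-0xDF lead."""
    raw = urllib.parse.unquote_to_bytes(path)
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(lenient_two_byte_decode(b, raw[i + 1])))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def decode_path_strict(path: str) -> Optional[str]:
    """A conforming UTF-8 decoder rejects all three encodings outright."""
    raw = urllib.parse.unquote_to_bytes(path)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


# Constructed sample requests (not captured traffic); the first three use
# the well-known cmd.exe traversal shape associated with CVE-2000-0884.
SAMPLE_REQUESTS: Dict[str, bytes] = {
    "c0af": b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "c11c": b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "c19c_upper": b"GET /scripts/..%C1%9C../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.0\r\n\r\n",
}


def scan_samples() -> Dict[str, List[int]]:
    """Run every sample through the three content matches."""
    return {name: match_sids(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, sids in scan_samples().items():
        print(f"{name:12s} -> SIDs {sids}")
    for enc in ("%c0%af", "%c1%1c", "%c1%9c"):
        print(f"{enc}: lenient={decode_path_lenient(enc)!r} "
              f"strict={decode_path_strict(enc)!r}")
```

Lowercasing the raw bytes before the substring test is what nocase buys in the rule; because the rules use content rather than uricontent, the match is against the whole payload, which the sample scanner reproduces. The lenient decoder is the reason one pattern cannot cover the others: %c0%af is an overlong "/", and both %c1%9c and %c1%1c come out as "\" because the low six bits of 0x9c and 0x1c are identical, so a decoder that does not validate the trailing byte treats them the same way.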



